Wednesday, September 19, 2007

Security code reviews

Foundstone Security Frame
Hacme Casino
Foundstone CodeScout

Paros (web app security assessment)

Don't overanalyze. (Spending two hours determining whether a strcpy call is vulnerable makes little sense when it takes two minutes to replace it.)
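
To illustrate that point, here is an added example (not code from the original post): the kind of strcpy call a reviewer could spend hours reasoning about, next to the bounded replacement that takes minutes to write. The buffer size, function names and the truncation policy are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size destination buffer */

/* Before: whether this is exploitable depends on every caller's input
 * length, which is exactly the analysis that burns review hours. */
void set_name_before(char *dst, const char *src) {
    strcpy(dst, src);   /* overflows dst if strlen(src) >= NAME_MAX */
}

/* After: the two-minute change. Bound the copy by the destination size,
 * always NUL-terminate, and report oversized input instead of
 * silently truncating it. Returns 0 on success, -1 if src does not fit. */
int set_name_after(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) {
        return -1;
    }
    if (n >= dstsz) {
        dst[0] = '\0';  /* leave a valid empty string, never a partial copy */
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 copies the terminating NUL */
    return 0;
}

/* Helpers that exercise the hardened version on a local buffer. */
int name_fits(const char *src) {
    char buf[NAME_MAX];
    return set_name_after(buf, sizeof buf, src);
}

int name_preserved(const char *src) {
    char buf[NAME_MAX];
    if (set_name_after(buf, sizeof buf, src) != 0) {
        return 0;
    }
    return strcmp(buf, src) == 0;
}

int main(void) {
    /* Constructed sample inputs: one that fits, one that does not. */
    printf("short name fits: %d\n", name_fits("alice") == 0);
    printf("long name rejected: %d\n", name_fits("this-name-is-way-too-long") == -1);
    return 0;
}
```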

Identify code review objectives before starting (e.g. finding insider backdoors, or checking compliance with specific regulations).

Lots of discussion of tools. I think the point is, use available analysis tools before bothering with a code review - it's easier and cheaper.
