Slightly Off-Topic: Code Reviews


This chapter is about testing secure code, but testing does not and will not find all security bugs in any application. Another useful technique is to perform regular code reviews, which can often help you find bugs in rarely exercised code paths. If you're a tester who can read code, you should consider poring over new code (that is, code that is new since the last review) looking for the issues discussed in this book.

Although it is not a replacement for formal code inspection, such as Fagan-style inspection, you can get a lot of mileage out of searching the application code for the dangerous APIs described in Appendix A, Dangerous APIs, and verifying that each call to them is safe. Then review the code against the contents of this book. For example, are sockets used well? Do the server Web pages correctly parse input? Are random numbers really random? Are you using RC4 correctly? Do you store secrets securely? Do you have secrets embedded in code? And so on. In my experience, this small amount of work can help you find much of the low-hanging fruit.
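The search-then-verify pass described above, as an added example that is not part of the book: a small scanner that finds call sites of risky C runtime functions and attaches the review question a reader must answer at each one. The API list, the questions, the sample C source and the `log_msg` helper in it are all my own constructions, not a transcription of Appendix A.

```python
import re
from collections import namedtuple

# Illustrative subset of risky C runtime calls, each paired with the question a
# reviewer must answer at the call site (assumption: my list, not Appendix A).
DANGEROUS_APIS = {
    "strcpy": "Is the destination provably large enough for any source?",
    "strcat": "Is the remaining capacity of the destination checked first?",
    "sprintf": "Is the format a literal, and is the output length bounded?",
    "memcpy": "Is the length derived from the destination size, not the source?",
}

# Match `name(` only; the \b keeps strcpy_s and my_strcpy from matching.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS_APIS)) + r")\s*\(")

# String/char literals and comments; leftmost match wins, so a `//` inside a
# string is consumed with the string and a quote inside a comment with the comment.
LITERAL_RE = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])\'|/\*.*?\*/|//[^\n]*', re.S)

Finding = namedtuple("Finding", "path line api question code")

def neutralise(src: str) -> str:
    """Blank out literals and comments while keeping line numbers stable."""
    return LITERAL_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)

def scan_source(path: str, src: str) -> list:
    # One Finding per dangerous call site, in file order, with the original line.
    original = src.splitlines()
    findings = []
    for lineno, line in enumerate(neutralise(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            api = m.group(1)
            findings.append(Finding(path, lineno, api, DANGEROUS_APIS[api],
                                    original[lineno - 1].strip()))
    return findings

# Constructed sample; the commented-out, quoted and _s calls must not be flagged.
SAMPLE_C = """\
/* strcpy(old, new) was here once */
void copy_name(char *dst, size_t dstlen, const char *src) {
    strcpy_s(dst, dstlen, src);
    strcpy(dst, src);   // still here: review
    // sprintf(buf, "%s", src);
    log_msg("sprintf(x) is banned");
    memcpy(dst, src, strlen(src));
}
"""

if __name__ == "__main__":
    for f in scan_source("name.c", SAMPLE_C):
        print(f"{f.path}:{f.line}: {f.api}: {f.question}\n    {f.code}")
```

Each finding is a starting point for the manual verification step, not a verdict; a hit on `memcpy` whose length really is derived from the destination size is closed with a note in the review, not a code change.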



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2005
Pages: 153

flylib.com © 2008-2017.