Difference between revisions of "CRV2 360Review"

From OWASP
Revision as of 10:13, 12 December 2013

360 Reviews - outside-in & inside-out

The term "360 degree review" comes from coupling source code review (inside-out) with dynamic testing (outside-in).
Dynamic testing is in effect runtime penetration testing. The combined approach is also referred to as hybrid testing.

As mentioned in previous sections, source code review can assess an application for issues that are otherwise difficult to detect from the outside.
Issues such as information leakage, logging of sensitive data, privacy and other items relating to the general good health of an application may have a significant impact in terms of regulatory compliance.
Assessing cryptographic controls is well suited to source code review, whereas testing authentication functionality is easier to deliver via dynamic testing.
When performing a penetration test it is very valuable if one can map a discovered vulnerability or parameter to a class file or script in the application source code.
Such a mapping assists the developer in both understanding and addressing the issue.

Pen Testing Pros

  • Requires less specialized expertise
  • Easier setup
  • Easier to perform
  • Exercises the entire app infrastructure
  • Proves vulnerabilities

Code Review Pros

  • Assess all the content
  • Discover all instances of certain types of flaws
  • Verify controls are correct (Positive Security)
  • Verify controls are used in all the required places (Positive Security)

Combining the two gives a better overall view of the security posture of the application.
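The mapping step described above (a parameter found during dynamic testing traced to the lines of source that read it) and the code-review check that a validation control is used in all the required places can both be scripted. The Python below is an added example written for this page, not OWASP's or any project's code: the source tree it scans is constructed inline, the regular expressions cover a few common parameter-read idioms (Java Servlet, PHP superglobals, Flask), and the list of known controls is a hypothetical stand-in for whatever validator the real application uses. Treating a read as guarded when a control name appears within a few lines after it is a deliberate heuristic, good enough to hand a developer a short list of locations to look at.

```python
import re
from typing import Dict, List, NamedTuple, Sequence

# Constructed sample source tree (not a real project): path -> file contents.
SOURCES: Dict[str, str] = {
    "src/main/java/com/example/AccountServlet.java": """\
public class AccountServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String id = request.getParameter("id");
        int accountId = InputValidator.parseId(id);   // validation control applied
        Account a = accounts.load(accountId);
    }
}
""",
    "src/main/java/com/example/ReportServlet.java": """\
public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String id = request.getParameter("id");
        String sql = "SELECT * FROM reports WHERE id = " + id;   // no control
        ResultSet rs = stmt.executeQuery(sql);
    }
}
""",
    "legacy/export.php": """\
<?php
$id = $_GET['id'];
$rows = $db->query("SELECT * FROM exports WHERE id = $id");
""",
    "api/app.py": """\
@app.route('/status')
def status():
    name = request.args.get('name')
    return render_template('status.html', name=name)
""",
}

# Hypothetical names of the application's validation controls (assumption for
# this example; a real review would take these from the project's own code).
CONTROLS: Sequence[str] = ("InputValidator.parseId", "intval(", "ctype_digit(", "int(")


class Hit(NamedTuple):
    path: str
    lineno: int
    line: str


def _read_patterns(param: str) -> List[re.Pattern]:
    """Regexes that match a read of the named HTTP parameter in a few idioms."""
    p = re.escape(param)
    return [
        re.compile(r'getParameter\(\s*"' + p + r'"\s*\)'),                       # Java Servlet
        re.compile(r'\$_(GET|POST|REQUEST)\[\s*[\'"]' + p + r'[\'"]\s*\]'),       # PHP superglobals
        re.compile(r'request\.(args|form|values)(\.get\(|\[)\s*[\'"]' + p + r'[\'"]'),  # Flask
    ]


def find_parameter_reads(sources: Dict[str, str], param: str) -> List[Hit]:
    """Map a parameter seen during a pen test to every source line that reads it."""
    patterns = _read_patterns(param)
    hits: List[Hit] = []
    for path in sorted(sources):
        for lineno, line in enumerate(sources[path].splitlines(), start=1):
            if any(pat.search(line) for pat in patterns):
                hits.append(Hit(path, lineno, line.strip()))
    return hits


def control_applied(sources: Dict[str, str], hit: Hit, controls: Sequence[str], window: int = 5) -> bool:
    """Heuristic: a read is guarded if a known control appears within `window` lines of it."""
    lines = sources[hit.path].splitlines()
    region = lines[hit.lineno - 1 : hit.lineno - 1 + window]
    return any(ctrl in line for line in region for ctrl in controls)


def unguarded_reads(sources: Dict[str, str], param: str, controls: Sequence[str]) -> List[Hit]:
    """Positive-security check: reads of `param` where no known control is used."""
    return [h for h in find_parameter_reads(sources, param) if not control_applied(sources, h, controls)]


if __name__ == "__main__":
    # A pen tester reports SQL injection via the "id" parameter; map it to source.
    for hit in find_parameter_reads(SOURCES, "id"):
        status = "guarded" if control_applied(SOURCES, hit, CONTROLS) else "UNGUARDED"
        print(f"{hit.path}:{hit.lineno}: {hit.line}  [{status}]")
```

Run on the constructed tree, the script reports three reads of "id", of which only the one in AccountServlet passes through a known control; the other two are the locations a developer should fix first.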