CRV2 360Review

From OWASP
Revision as of 09:42, 12 December 2013 by EoinKeary (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

360 Reviews - outsidein & inside out

The term 360 degree reivews some from coupling source code review and dynamic testing.
Dynamic testing is in effect runtime penetration testing. It can also be ferered to as hybrid testing.

As mentioned in previous sections source code review can assess an application of issues which may otherwise be difficult to assess.
Issues such as information leakage, logging of sensitive data, privacy and other items in relation to general good-health of an application may have significant impact in terms of regulatory compliance.
Assessing the cryptographic controls is suited well for sourec code review but testing authentication functionality is easier to deliver via dynamic testing.
When perfroming a penetration test it is very valueable if one can map a discovered vulnerability or parameter to a class file or script in the application source code.
such mapping assists the developer in both understanding and addressing the issue.