Tool Deployment Model

Revision as of 16:49, 15 January 2009 by KirstenS (Talk | contribs)


Deploying code review tools to developers improves the throughput of a code review team: the tools identify, and ideally lead developers to remove, most of the common and simple coding mistakes before a security consultant sees the code.

This approach also improves developer knowledge, and it lets the security consultant spend their time looking for the more abstract vulnerabilities that automated tools do not find.

Developer adoption model

* Deploy automated tools to developers.
* The security department controls the tool rule base.
* Security reviews the tool results and probes a little further.

Testing Department model

* The test department includes automated review in functional testing.
* Security reviews the tool results and probes a little further.
* The tool rule base is controlled by the security department and complies with internal secure application development policies.

Application security group model

* All code goes through the application security group.
* The group uses both manual and automated solutions.
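The three models above share one mechanism: a rule base owned by the security department, run by someone else (developers, the test department) and triaged by security. The following added example, which is not OWASP code or part of the original page, shows that separation in a toy form: the rules are plain data that security supplies, a small pattern scanner stands in for a real static analysis tool, and a gate decides which findings block the developer immediately and which are handed to the security reviewer to probe further. The rule identifiers, patterns, severities and the sample source are all constructed for illustration.

```python
"""Toy illustration of a security-controlled rule base run by developers.

Added example, not OWASP code. A regular-expression scanner stands in for
a real static analysis tool; the rule identifiers, patterns and sample
source below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical identifier assigned by the security group
    pattern: str      # regular expression matched against each source line
    severity: str     # "low", "medium" or "high"
    message: str


# Rule base owned by the security department. Developers run it but do not edit it.
SECURITY_RULE_BASE: Tuple[Rule, ...] = (
    Rule("SEC001", r"\beval\s*\(", "high", "eval() on possibly untrusted input"),
    Rule("SEC002", r"\bexecute\s*\(\s*['\"].*%s", "high", "SQL statement built with % formatting"),
    Rule("SEC003", r"(?i)password\s*=\s*['\"][^'\"]+['\"]", "medium", "hard-coded password"),
    Rule("SEC004", r"\bprint\s*\(", "low", "debug output left in code"),
)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line_no: int
    line: str
    message: str


def scan(source: str, rules: Iterable[Rule] = SECURITY_RULE_BASE) -> List[Finding]:
    """Run every rule against every line; findings come back in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule in rules:
            if re.search(rule.pattern, line):
                findings.append(Finding(rule.rule_id, rule.severity, line_no,
                                        line.strip(), rule.message))
    return findings


def gate(findings: List[Finding], block_at: str = "medium") -> Tuple[List[Finding], List[Finding]]:
    """Developer-side decision.

    Findings at or above the threshold block the change and go straight back
    to the developer; the rest are forwarded to the security reviewer, who
    looks at them (and at what the tool cannot see) during manual review.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    for_review = [f for f in findings if SEVERITY_RANK[f.severity] < threshold]
    return blocking, for_review


# Constructed sample source containing one instance of each problem class.
SAMPLE_SOURCE = """\
import sqlite3
def login(db, user, pw):
    cur = db.cursor()
    cur.execute("SELECT id FROM users WHERE name='%s'" % user)
    print("checking", user)
    admin_password = "hunter2"
    return cur.fetchone()
"""


if __name__ == "__main__":
    blocking, for_review = gate(scan(SAMPLE_SOURCE))
    for f in blocking:
        print(f"BLOCK   line {f.line_no}: [{f.rule_id}/{f.severity}] {f.message}")
    for f in for_review:
        print(f"REVIEW  line {f.line_no}: [{f.rule_id}/{f.severity}] {f.message}")
```

Keeping the rule base as data rather than code is what makes the "security controls the rule base" bullet enforceable: the scanner shipped to developers never changes, only the rule set does, so policy updates do not depend on a tool release. The same gate function serves the testing department model by simply being called from the functional test run.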