Hi Yvan
I'm a code autor as well. Usually a code audit is like bad news for developes
this is why they take this defensive posture. Is like "a who-knows guy will
tell me why I wrote my code in the bad way and how should I codify".
From my point of view, you have to "prepare the field" for the meetings and
get a list of good coding practices or good solutions in some modules, after
all is almost impossible the code was wrong in all ways and viceverza. So let
them know this and let them know they do some things good, BUT they did as
well some things bad that need their attention and correction.
Even doing this some people will still be pessimist/nasty (after all, that
"innecesary" code audit make them work after hours), but it will be dimished.
Just my two cents
-Juan C Calderon
-----Original Message-----
From: Yvan Boily [mailto:yboily@seccuris.com]
Sent: Lunes, 30 de Agosto de 2004 12:45 p.m.
To: secprog@securityfocus.org
Subject: "Selling" a code-audit.
One of my primary responsibilities with my employer is performing code
audits; so far I have been fairly effective in a technical capacity, however
on almost every single code audit I have participated in I have received
hostile responses from the development team. I have tried a variety of
approaches to develop a stronger rapport with the development team, however
in spite of my best efforts I find that going into a code audit I am already
fighting against preconceptions about why the code audit is being performed.
I understand that many people feel threatened when work they have done is
criticized; what I need to know is how I can minimize this and coax the
development teams into being more interactive than defensive. Any pointers?
Yvan Boily
