RE: "Selling" a code-audit.

> I understand that many people feel threatened when work they have done is
> criticized; what I need to know is how I can minimize this and coax the
> development teams into being more interactive than defensive.  
> Any pointers?

I guess every auditing team has it's own tricks of the trade. Our approach is 
based on being friendly and choosing strong, appropriate team leaders on both 
sides - this helps a lot. The rest depends on particular situation. 

For example if we see a simple SQL Injection issue that allows easy 
system/application penetration we set up a demo of it for the dev teams. After 
demonstrating them the true risk we propose that we will work out the problem 
together. If they will not remove the issue it's just a matter of time when 
somebody will discover the problem and exploit it. Usually dev people don't 
want this to happen so they will try to resolve the issue. If they see that the 
first thing you are doing is to understand their problems and limitations 
instead of immediately reporting to upper management how bad they are, you can 
count on better treatment from those guys. Another very important thing is 
before final reporting to setup a workshop for developers where you will 
discuss report content. Those people need to feel to be part of audit team - 
otherwise you will not be able to remove some bugs and at the end this means 
you'll loose one of project success factors: making clients application secured.

Cheers,
Aleksander Czarnowski
AVET INS