On Mon, Aug 30, 2004 at 12:45:27PM -0500, Yvan Boily wrote:
One of my primary responsibilities with my employer is performing code
audits; so far I have been fairly effective in a technical capacity, however
on almost every single code audit I have participated in I have received
hostile responses from the development team. I have tried a variety of
approaches to develop a stronger rapport with the development team, however
in spite of my best efforts I find that going into a code audit I am already
fighting against preconceptions about why the code audit is being performed.
I understand that many people feel threatened when work they have done is
criticized; what I need to know is how I can minimize this and coax the
development teams into being more interactive than defensive. Any pointers?
Yvan Boily
Make it clear ahead of time what you are looking for.
I've published (short) docs describing what the security code
review is going to look for, so developers can go through their code
before the review and fix it. The ideal case is when you find no security
problems because they have already been fixed. Try to make that
possible.
Make it a security review only. No criticism of coding style, no
pointing out better algorithms, etc unless they're security related.
Some other part of the process should have dealt with that.
If security is seen as being "forced" upon development by upper management,
the developers will hate you no matter what. This is a management
problem, not a security problem, but incompetent managers will
leave you to try to sell security to the development team anyhow.
If this is the case and you are not a super salesman, run away.
Eric
