Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: "Selling" a code-audit.

from [Adam Shostack] Network Security [Permanent Link]
Subject: Re: "Selling" a code-audit.
Date: Wed, 1 Sep 2004 16:54:45 -0400 
On Mon, Aug 30, 2004 at 12:45:27PM -0500, Yvan Boily wrote:
| One of my primary responsibilities with my employer is performing code
| audits; so far I have been fairly effective in a technical capacity, however
| on almost every single code audit I have participated in I have received
| hostile responses from the development team.  I have tried a variety of
| approaches to develop a stronger rapport with the development team, however
| in spite of my best efforts I find that going into a code audit I am already
| fighting against preconceptions about why the code audit is being performed.
| 
| 
| I understand that many people feel threatened when work they have done is
| criticized; what I need to know is how I can minimize this and coax the
| development teams into being more interactive than defensive.  Any pointers?

Great question!

I think that you want to set a common goal, which is to avoid security
issues in the code you deploy/ship.  You need to ensure that getting
code reviewed is seen as a positive step, that their management gives
them time to fix issues that you find. 

Don't call it an audit.  Call it a review, a walk-through, or
something less agressive.  Do you know where the misconceptions come
from?  Can you spend a few minutes explaining the process and goals at
the start?

Fix some of the issues you find.  Offer to write libraries to fix
common issues.

Have you had issues that required a scramble response yet?

Adam
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: "Selling" a code-audit., Eric Murray
Next by Date:  Re: "Selling" a code-audit., Warwick Molloy
Previous by Thread:  Re: "Selling" a code-audit., Eric Murray
Next by Thread:  Re: "Selling" a code-audit., Warwick Molloy
Indexes:  [Date] [Thread] [Top] [All Lists]