Code Reviewing Strategies presented at OWASP Appsec 2010

by Andrew Wilson (SpiderLabs @ Trustwave)

Tags: Security Compliance


Summary: Looking at the source of an application that's over 100k lines of code can be an overwhelming experience. Without a practical plan of approach, it's easy to get lost and fail to provide a comprehensive review of the application.

This talk will outline a variety of strategies that help focus and guide the reviewer through the challenges faced in source code auditing. Specific topics will cover comprehensive code reviews, auditing for specific vulnerabilities, design review, hybrid approaches, and the OWASP code review guidelines.

Additionally, a new strategy for source code review will be outlined to provide a practical means of focusing a code review effort.

Andrew Wilson: Andrew Wilson is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has over 9 years' experience building and securing software for a variety of companies. Andrew specializes in application security assessment, penetration testing, threat modeling and the secure development life cycle. Andrew is active in the developer and security community as a speaker, a trainer, and as a leader of the Phoenix OWASP & Azure user groups. Andrew is recognized as a Microsoft MVP in Windows Azure.