11.2.1.2 Code Overviews—During the Development Phase
It must be noted that a code overview is not a code review. A code review is a more detailed
understanding and assessment of the code developed by the application developers. A code overview
is better described as a roving view of the application code to understand its logic and
flow. It is a process that an organization's information security team, software quality
team, or the application architects can perform to understand, at a high level, the logic and
flow of the application code. This exercise may be performed at all stages of the development
phase of the SDLC to ensure that the developers are not veering away from the track set for them,
particularly with reference to the security of the Web application in question. These overviews
can be performed as regular procedures by the senior stakeholders in charge of security and
quality in the organization, adding a level of assessment to the application code being developed.
11.2.1.3 Code Reviews—During the Development Phase
Code reviews are the most thorough kind of white-box security testing that can be done for Web
applications. A code review is a process where an individual or a group of individuals go over the
application code in detail to look for improper and nonsecure coding practices. Code reviews aim at
identifying nonsecure coding practices (for instance, building SQL statements by string
concatenation and executing them through a plain Statement rather than binding the values with a
PreparedStatement) and bringing the issues to the notice of the development team. This activity
is helped by the code overviews performed earlier by the architects or security experts: with a
basic knowledge of the application logic and flow, a detailed code review of the Web application
is easier to perform.
Code reviews may be performed at regular intervals during the development process. It must
be noted that code reviews must only be performed by individuals other than the application
developer(s). Code reviews are usually performed after the development of certain application
modules or completion of certain critical functionality of the Web application.
Several automated code review tools are present in the marketplace today. These tools report each
instance of a nonsecure coding practice together with the file and line at which it occurs, and so
help code reviewers perform a comprehensive and effective code review of the Web application code.
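To show how such a tool attributes a finding to a line, here is an added, deliberately minimal check; it is not a product mentioned by the book and the sample source it scans is constructed for this illustration. It matches text only, which is enough to explain the output format but not a substitute for a real tool that follows data flow.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SqlConcatCheck {

    // Heuristic: a JDBC execute call whose argument list contains '+'.
    // A real tool resolves where the string came from; this only inspects text.
    private static final Pattern EXEC_WITH_CONCAT =
        Pattern.compile("\\.(executeQuery|executeUpdate|execute)\\s*\\(.*\\+.*\\)");

    // Returns findings as "file:line: message", the form reviewers expect.
    static List<String> scan(String fileName, String source) {
        List<String> findings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            if (EXEC_WITH_CONCAT.matcher(lines[i]).find()) {
                findings.add(fileName + ":" + (i + 1)
                        + ": SQL built by string concatenation: " + lines[i].trim());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample source (assumed file name UserDao.java), not from the book.
        String sample = String.join("\n",
            "Statement st = conn.createStatement();",
            "ResultSet rs = st.executeQuery(\"SELECT * FROM users WHERE name='\" + name + \"'\");",
            "PreparedStatement ps = conn.prepareStatement(\"SELECT * FROM users WHERE name=?\");",
            "ps.setString(1, name);",
            "ResultSet ok = ps.executeQuery();");
        for (String finding : scan("UserDao.java", sample)) {
            System.out.println(finding);
        }
        // Only line 2 is reported; the PreparedStatement on lines 3 to 5 is not.
    }
}
```

A text match like this produces false positives (a query assembled from constants also contains '+') and false negatives (the concatenation may happen several lines earlier in a variable), so the line-level output of any tool still needs the human reviewer the section describes.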
11.2.1.4 Vulnerability Assessment and Penetration
Testing—During the Testing Phase
Vulnerability assessment and penetration testing are two complementary activities that form the
cornerstones of black-box security testing for Web applications. Vulnerabilities may be found in
the application itself; for instance, lack of input validation is a flawed coding practice that
results in a vulnerable application. Vulnerabilities may also exist because of the underlying
application platform elements such as the Web server, the application server, the database, or
the operating system. Vulnerability assessment aims at identifying all possible vulnerabilities
that exist within the Web application and its underlying platform elements. These vulnerabilities
should then be ranked by severity and analyzed. Penetration testing, in turn, aims at providing a
proof of concept of how an attacker can exploit certain vulnerabilities and gain access to sensitive
information contained within the application. Penetration testing is to be performed by skilled
personnel who are experienced in testing Web applications for security.