
Application size parameters

pma111
As part of security vulnerability management, our IT want to engage a security company to perform a code review of some of our apps. Looking around, the code review is priced on the “size of the application”. A couple of questions (bear in mind I am not a web dev, so if you could target your answers in management speak then great):

1) What would you say determines the “size” of an application? Can you provide examples?
2) What does the code review entail, i.e. is it every line in the source code, or if it's based on security, can they discard some of the code and focus purely on security aspects? Can you define what:

a) Could be discarded in a security review
b) Would be included in a security review

Am I correct in thinking a code review doesn't try to break anything, it just looks for potential flaws but doesn't try to exploit them? Can you place reliance on that, i.e. could a code review find some potential issues that, when it comes down to exploiting them, weren't really issues at all?
Exec Consultant (Distinguished Expert 2018) commented:
Actually, you may want to check out SAMATE. There are a few criteria for determining the right set of code scanner tools, namely:

http://samate.nist.gov/Main_Page.html

a) Detect source code weaknesses (reference common vulnerabilities and weaknesses; these include the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) databases, maintained by the MITRE Corporation and accessible at http://cve.mitre.org/cve/ and http://cwe.mitre.org/).

b) Code complexity (leading with language, constructs, various enumerations or terms). This may include lines of code. Vendors such as Coverity have also done testing on open source projects and placed them in ranks by criteria (also stating defects per KLOC) at the links below. The defects can be referenced to the above point as well.

http://scan.coverity.com/all-projects.html
http://scan.coverity.com/ladder.html

Code review can be done by automated tools and manually; the manual approach is more for specialised code like embedded h/w types and code carrying business logic, where a tool may not do better than experienced human developers. Nonetheless, this is always part of the whitebox testing in the full software development lifecycle, esp. the testing and evaluation phase.

Some may enforce this minimal check by tool before release of the software to close the low-hanging gaps, and that is why even development environments have some built-in tools for that, e.g. Microsoft has CAT.NET etc.

Overall, a code scan is not really an enforcement unless the organisation is treating code as a great IP asset and putting in all resources to safeguard it from being exploited. Code review should not break anything, but be careful: it may not know the logic behind the code and may "optimise" it in undesired ways. This can be a false positive, esp. if the tool is just based on pattern identification and replacement.

But if we are looking at web scanner tools, this link has good info:
http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html
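As an added illustration (not part of this thread, and not any vendor's tool), the Python below computes the size metrics a reviewer quotes when scoping work, then contrasts a grep-style rule with a token-aware one to show the pattern-matching false positives the answer above warns about. The embedded sample "application", the rule labels and their CWE mapping are constructed for the example.

```python
"""Scoping a code review: size metrics and pattern-matching false positives."""
import io
import re
import tokenize

# Constructed sample: a tiny Python "application" embedded inline for the demo.
SAMPLE_SOURCE = '''\
import subprocess

# Do not use eval() here; input is untrusted.
HELP = "Avoid eval(user_input) in handlers"

def run(cmd):
    # Real finding: untrusted string reaches the shell.
    return subprocess.call(cmd, shell=True)

def parse(expr):
    return eval(expr)  # real finding
'''

# Weakness signatures of the kind a pattern-based scanner ships with (constructed labels).
RULES = {
    "CWE-95 eval of untrusted input": re.compile(r"\beval\s*\("),
    "CWE-78 shell=True": re.compile(r"\bshell\s*=\s*True\b"),
}

def size_metrics(src):
    """Physical lines vs. source lines (blank and comment-only lines excluded)."""
    lines = src.splitlines()
    sloc = sum(1 for l in lines if l.strip() and not l.strip().startswith("#"))
    return {"lines": len(lines), "sloc": sloc}

def naive_scan(src):
    """grep-style: flags every line the pattern appears on, comments and strings included."""
    return [(no, name) for no, line in enumerate(src.splitlines(), 1)
            for name, rx in RULES.items() if rx.search(line)]

def token_aware_scan(src):
    """Matches only code tokens: comments, string literals and layout tokens are dropped first."""
    skip = {tokenize.COMMENT, tokenize.STRING, tokenize.NL, tokenize.NEWLINE,
            tokenize.INDENT, tokenize.DEDENT, tokenize.ENDMARKER}
    code_by_line = {}
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type not in skip:
            code_by_line.setdefault(tok.start[0], []).append(tok.string)
    return [(no, name) for no in sorted(code_by_line)
            for name, rx in RULES.items() if rx.search(" ".join(code_by_line[no]))]

def triage(src):
    """What a human reviewer still has to read: naive hits minus token-aware hits are false positives."""
    confirmed = set(token_aware_scan(src))
    return {"confirmed": sorted(confirmed),
            "false_positives": sorted(set(naive_scan(src)) - confirmed)}
```

On the sample the naive rule reports four findings, two of which are a comment and a string literal; the token-aware pass keeps only the two real ones, which is the triage effort a pure pattern scanner pushes onto the reviewer.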