Security Assessment Techniques: Code Review v Pen Testing

Web application security testing and assessment should include both security code review and penetration testing techniques. Dave Wichers, an OWASP board member, spoke at the recent AppSec DC 2010 Conference about the pros and cons of code review and pen testing approaches in finding security vulnerabilities in web applications.

Dave said both code review and pen testing can leverage automated analysis tools to assist the security engineers in the process. The code review process should include checking all the custom developed code as well as any configuration files of the application, libraries, frameworks, and the server where the application has been deployed.

He compared the strengths and weaknesses of each approach. The strengths of pen testing are that it requires less specialized expertise, is easier to set up and perform, exercises the entire application infrastructure, and proves that the vulnerabilities it finds are real. Code review, on the other hand, has the advantages that it is easier to find all of the content, easier to find all instances of a given type of flaw, and able to verify both that the security controls are correct and that they are used in all the required places.

Dave also showed how these two techniques stack up to the OWASP Top 10 list of security vulnerabilities. Code review is a better approach in finding vulnerabilities in the following categories:

  • Injection flaws
  • Cross-Site Scripting (XSS)
  • Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • URL Based Access Control
  • Crypto Storage
  • Redirect/Forward flaws

And penetration testing is the winner in finding security flaws in the following categories:

  • Configuration flaws
  • Transport Security flaws

Other issues, such as authentication and session management flaws, can be discovered using either technique. Both provide value in finding authentication-related issues such as Account Lockout, Strong Credentials Requirement, Authentication Event Logging, Proper Invalidation of Sessions on Logout, and Sufficiently Random Session Tokens.
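As an added illustration (not from Dave's talk or this article) of the code review strength described above, verifying that a control is used in every place it is required, here is a small AST-based check that lists route handlers missing an authentication decorator in a constructed sample module, including an unlinked endpoint that a crawler-driven pen test might never exercise. The names app.route and login_required are assumptions made for the illustration.

```python
import ast

# Constructed sample module in the style of a Flask app; app.route and
# login_required are assumed names used only for this illustration.
SAMPLE_SOURCE = '''
@app.route("/login", methods=["POST"])
def login():
    return do_login(request.form)

@app.route("/orders/<int:order_id>")
@login_required
def show_order(order_id):
    return render(get_order(order_id, owner=current_user))

@app.route("/orders/<int:order_id>/invoice")
def invoice(order_id):          # control missing on this handler
    return render(get_invoice(order_id))

@app.route("/admin/export")
def export_all():               # not linked from any page
    return export_database()
'''

PUBLIC_ROUTES = {"/login"}  # endpoints that are intentionally unauthenticated


def _decorator_name(node):
    """Dotted name of a decorator expression, ignoring call arguments."""
    target = node.func if isinstance(node, ast.Call) else node
    if isinstance(target, ast.Attribute):
        return f"{_decorator_name(target.value)}.{target.attr}"
    return target.id if isinstance(target, ast.Name) else ""


def find_unprotected_routes(source, control="login_required"):
    """Return (route, function) pairs for handlers lacking the control."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        names = [(d, _decorator_name(d)) for d in node.decorator_list]
        routes = [d.args[0].value for d, n in names
                  if n == "app.route" and isinstance(d, ast.Call) and d.args]
        if any(n == control for _, n in names):
            continue
        findings.extend((r, node.name) for r in routes if r not in PUBLIC_ROUTES)
    return findings


if __name__ == "__main__":
    for route, func in find_unprotected_routes(SAMPLE_SOURCE):
        print(f"{route} ({func}): missing login_required")
```

Because the check enumerates every handler in the source rather than only the pages a tester reaches, it reports the unlinked /admin/export endpoint alongside the invoice handler.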

Security teams should use both techniques in their security testing efforts, but the advantage of code review grows significantly with the size of the application portfolio and the level of rigor of the assessment. Dave concluded by saying it's a myth that code review is far more expensive: if you have people with the right skills, it's actually faster and more effective.