> With security in mind what things other things should I be
> looking for in a code inspection? I can think of the following,
> but I'm sure there are others:
> - buffers that could be overflowed
> - ensuring all input is validated (checked to ensure it is of the proper
> type & format)
> - ensuring passwords & other encrypted date is not stored
> unencrypted in memory
> - ensuring strong encryption is used
> - ensuring no easter eggs / backdoors are left in the code
> - ???
I would say that the final list of objectives should be business driven, in turn this translates to application functionality and business functions it provides. From there you will get a good perspective on architecture that would further drive creation of your checklist. You can also start from the other end and just take a look at some secure programming checklist that are already available, but keep in mind that while some of them are very comprehensive most of them will not necessary meet your business objectives right away. Another thing that is usually overlooked is a final execution environment for the code. You need to know how and where your code will be use to better address possible recommendations or new safeguard introduction.
Best Regards
Aleksander Czarnowski
AVET INS

[ reply ]