Questions tagged [manual-review]

12 questions
18 votes · 6 answers

Automated tools vs. Manual reviews

What are the advantages of using automated tools, as opposed to manual review? What are the disadvantages? This applies both to external blackbox vulnerability scanning, and to static code analysis. From the original Area51 proposal
AviD (reputation 72,138; badges 22 / 136 / 218)
10 votes · 5 answers

Code Review Strategies

As per my information, there is no hard and fast rule for doing a security code review but we all develop our own strategy for the same. I was wondering if we all can share the different strategies involved or used in security code review.
p_upadhyay (reputation 1,121; badges 3 / 14 / 31)
8 votes · 3 answers

SPAM Email Analysis

What are the steps you would follow in order to identify if an email is a SPAM/SCAM/Phishing attempt? The reason I am asking this question is that sometimes very well crafted junk emails manage to bypass the automated AntiSpam tools, so further…
lisa17 (reputation 1,958; badges 7 / 21 / 43)
8 votes · 4 answers

Scripting a search through php files for dangerous calls for manual review

I'm automating a script which searches through all php files on a big site for dangerous commands. The files which are found will be manually code reviewed. Does anyone have any recommendations for my script? Is there anything I've forgotten to…
Chris Dale (reputation 16,119; badges 10 / 56 / 97)
6 votes · 3 answers

How to use and create attack graphs

I am trying to learn more about attack graphs and how they can be used. I have read a little bit about them from some simple Google searches and believe that they could be a useful tool for work. I would like to know how one could go about creating…
John (reputation 1,009; badges 3 / 11 / 16)
5 votes · 2 answers

What are good free open-source tools for helping in manual source code reviews?

I know tools that help in identifying security vulnerabilities in source code (static analysis tools), like Findbugs for Java or Pixy for PHP, but I would like to know good free open-source tools that help in the task of documenting and following…
kinunt (reputation 2,759; badges 2 / 23 / 30)
5 votes · 1 answer

What security implications should I consider in relation to mcollective?

The use of PuppetLab's mcollective is being planned by my company's SysOps team. I will be reviewing their use of the tool and implementation of the system. At this point I don't have a lot of knowledge regarding how mcollective works and would…
Scott Pack (reputation 15,167; badges 5 / 61 / 91)
3 votes · 3 answers

Basic security checklist for using an open-source library

I've recently started working with web applications, and the ones developed by our team seem to use a lot of external components for different minor functionality (e.g. a scrolling slider bar, a markdown editor ...) The only "security" mechanism…
Jedi (reputation 3,906; badges 2 / 24 / 42)
1 vote · 1 answer

Security server log review

We have a Kiwi Syslog server for Centralized logging purposes. Currently, our focus is only on monitoring, reviewing and reporting User Account/Password Violations. We already used the necessary filters based on the event ID in this link -…
Boy (reputation 11; badges 2)
0 votes · 1 answer

Applications security review

When a company wants to buy a new application, the security aspects must be reviewed (access rights, privileges, logs, data integrity ... etc). Is there a standard for applications security reviews? In other words, a checklist that must be followed…
Optimus Prime (reputation 298; badges 3 / 12)
0 votes · 1 answer

How to Perform a Security Review of Apps from Mac App Store

As part of our software procurement process, we're evaluating the security of applications, e.g. by checking if there are non-addressed vulnerability reports and if the vendor embedded secure requirements into their software development lifecycle…
T. B. (reputation 1)
-1 votes · 1 answer

What is the difference between "secure code review" and "secure static code analysis"?

What are the subtle differences in both - as one could say that both are almost the same... Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is…