Speaker Topics - No Fluff Just Stuff

How to Do a Security Code Review

This session is a hands-on exercise in Java code review that will cover both manual and automated techniques. If you envision code review as a line-by-line slog through thousands of programs, you will be surprised to learn some effective techniques that reduce the tedium and increase your enjoyment of this activity (well, maybe not the enjoyment part). Familiar methods such as pair programming and peer reviews are a great place to start and will immediately increase the security of your code base.

Other approaches will also be examined, ranging from the use of IDE-integrated tools to formal code review exercises and everything in between. In particular, threat modeling is presented as a means to identify sections of the code that have the highest security risks. Enforcing a code review policy is the last (and most contentious) topic that will be covered in this session.


About Dean H. Saxe

Dean H. Saxe is a Managing Consultant at Foundstone, A Division of McAfee, where he is responsible for conducting web application penetration testing, threat modeling, code reviews, secure software development lifecycle (S-SDLC) design and implementation, and project management. Prior to joining Foundstone, Dean spent more than 8 years developing web applications in Java and ColdFusion in a variety of industries. While working in the banking sector, Dean's interest in application security was sparked and has grown steadily over the past five years. Dean also provides client education services as a lead instructor of these Foundstone courses: Building Secure Software, Writing Secure Code: Java/J2EE, and Writing Secure Code: ColdFusion. Dean holds the CISSP and Certified Ethical Hacker designations.

When not working, Dean enjoys hiking, cooking, homebrewing and traveling the world.
