This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Tool Deployment Model"
From OWASP
m (Added navigation to facilitate sequential reading online) |
|||
| (4 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
| + | {{LinkBar | ||
| + | | useprev=PrevLink | prev=Automated Code Review | lblprev= | ||
| + | | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents | ||
| + | | usenext=NextLink | next=Code Auditor Workbench Tool | lblnext= | ||
| + | }} | ||
| + | __TOC__ | ||
| + | |||
Deploying code review tools to developers helps the throughput of a code review team by helping to identify and hopefully remove most of the common and simple coding mistakes prior to a security consultant viewing the code. | Deploying code review tools to developers helps the throughput of a code review team by helping to identify and hopefully remove most of the common and simple coding mistakes prior to a security consultant viewing the code. | ||
| − | This methodology improves developer knowledge and | + | This methodology improves developer knowledge, and the security consultant can spend time looking for more abstract vulnerabilities. |
'''Developer adoption model''' | '''Developer adoption model''' | ||
| − | + | * Deploy automated tools to developers. | |
| − | + | * Control tool rule base. | |
| − | + | * Security review results and probe a little further. | |
'''Testing Department model''' | '''Testing Department model''' | ||
| − | + | * Test department includes automated review in functional test. | |
| − | + | * Security review results and probe a little further. | |
* Tool rule base is controlled by the security department and complies with internal secure application development policies. | * Tool rule base is controlled by the security department and complies with internal secure application development policies. | ||
'''Application security group model''' | '''Application security group model''' | ||
| − | + | * All code goes through application security group. | |
| − | + | * Group use manual and automated solutions. | |
| + | |||
| + | {{LinkBar | ||
| + | | useprev=PrevLink | prev=Automated Code Review | lblprev= | ||
| + | | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents | ||
| + | | usenext=NextLink | next=Code Auditor Workbench Tool | lblnext= | ||
| + | }} | ||
[[Category:OWASP Code Review Project]] | [[Category:OWASP Code Review Project]] | ||
Latest revision as of 16:57, 9 September 2010
Deploying code review tools to developers helps the throughput of a code review team by helping to identify and hopefully remove most of the common and simple coding mistakes prior to a security consultant viewing the code.
This methodology improves developer knowledge, and the security consultant can spend time looking for more abstract vulnerabilities.
Developer adoption model
- Deploy automated tools to developers.
- Control tool rule base.
- Security review results and probe a little further.
Testing Department model
- Test department includes automated review in functional test.
- Security review results and probe a little further.
- Tool rule base is controlled by the security department and complies with internal secure application development policies.
Application security group model
- All code goes through application security group.
- Group use manual and automated solutions.
