360 Reviews - outside-in & inside-out
The term 360 degree reivews some from coupling source code review and dynamic testing.
Dynamic testing is in effect runtime penetration testing. It can also be ferered to as hybrid testing.
As mentioned in previous sections source code review can assess an application of issues which may otherwise be difficult to assess.
Issues such as information leakage, logging of sensitive data, privacy and other items in relation to general good-health of an application may have significant impact in terms of regulatory compliance.
Assessing the cryptographic controls is suited well for sourec code review but testing authentication functionality is easier to deliver via dynamic testing.
When perfroming a penetration test it is very valueable if one can map a discovered vulnerability or parameter to a class file or script in the application source code.
such mapping assists the developer in both understanding and addressing the issue.
Pen Testing Pros
- Requires less specialized expertise
- Easier setup
- Easier to perform
- Exercises the entire app infrastructure
- Proves vulnerabilities
Code Review Pros
- Assess all the content
- Discover all instances of certain types of flaws
- Verify controls are correct (Positive Security)
- Verify controls are used in all the required places (Positive Security
Combining them together gives a better overall view of the security posture of the application.