Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked

Pre-pen testing code review

by tachyon-II (Chaplain)
on Apr 17, 2014 at 16:01 UTC ( #1082658=perlquestion: print w/replies, xml ) Need Help??
tachyon-II has asked for the wisdom of the Perl Monks concerning the following question:

We have a reasonably well organised Catalyst MVC app that is about to undergo a code available pen test.

I'm looking to get someone with an interest in the area to do a pre-pen test code review and would like any pointers the community has about good places to look, or specific people to ask.

As well as the perl there is quite a bit of AJAX as well as iOS and Android apps that interfaces with the perl core.

Replies are listed 'Best First'.
Re: Pre-pen testing code review
by Anonymous Monk on Apr 17, 2014 at 17:48 UTC
    I suggest that you need to let the pen-test happen, then evaluate the results, because those results are going to be what needs to drive your further investigations.
      But having a competent, conscientious pre-test might avoid the downsides of failing the real thing. I can't guess if that's a consideration here; far less, whether it should be, but, IMO, it deserves consideration.


      Check Ln42!

        No, honestly, I would let the software fail the pen-test if it is going to.   If the pen-tester is competent, this will yield far more results than you ever expected to see, and only then will you be in the proper position to evaluate them all and to create an appropriate remediation plan.

        The way that I encourage clients to look at this sort of thing is ... “Look, those defects are out there.   The most important thing is to discover them, not to bemoan the fact that they exist.   In any and in every piece of software, they do exist.”   There is no room for ‘politics’ here, nor for pride.   Discover them, fix them, prove they’re gone and that they stay gone.”

        Budget for at least two pen-tests.

Re: Pre-pen testing code review
by zachhilbert (Initiate) on Apr 17, 2014 at 20:14 UTC
    I would be willing to take a look at your app, depending on your timeline. I have a decent background in security, specifically web application pentesting and security auditing.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1082658]
Approved by GotToBTru
Front-paged by GotToBTru
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (2)
As of 2017-08-20 04:26 GMT
Find Nodes?
    Voting Booth?
    Who is your favorite scientist and why?

    Results (313 votes). Check out past polls.