Saturday, October 19, 2013

Ultimate Adversarial Code Review

Some people hate day-to-day code reviews. I tend to welcome them, and miss them on engagements where I am going it alone. Yes, there is a certain sense of freedom, but there are things I miss:

  • I will almost undoubtedly learn something
  • You can identify people you want to work with (reviewing the reviewer)
  • They can save me from an embarrassing 'burning tree' scenario
Sometimes politics enters the picture. That is never pleasant, unless you are a politician. I can do politics, but I add fees when dealing with adversarial, politically-charged environments. In short, it is a complete pain in the ass, and I charge more if I have to deal with it on a daily basis.

That brings up an interesting question. In the limit, what might an engagement that is *all about* an adversarial relationship look like? I have limited (but not zero) exposure to this environment. For instance, a page can silently pre-load objects via JavaScript (nothing is shown to the user), and those objects then appear in the user's browser cache exactly as if the user had requested them.
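To make the cache point concrete, here is an added example (my own illustration, not code from the original post): the first function is the kind of script that warms a browser cache with objects the user never sees; the second is the check an examiner would then want, which flags cached HTML pages that have no matching entry in the navigation history. The `createImage` parameter is a hypothetical injection point so the logic can be exercised outside a browser, and the cache and history records are a simplified, constructed model, not any real browser's on-disk format.

```javascript
// Added example, not code from the original post. Illustrates the point
// made above: a page's script can make the browser fetch (and cache)
// objects the user never saw, so a cache entry alone does not show intent.

// Silently request each URL. An Image that is never attached to the DOM
// still triggers a fetch when .src is set, and the response is cached
// subject to the usual cache headers. `createImage` is a hypothetical
// injection point so this can run outside a browser with a fake factory.
function prefetchIntoCache(urls, createImage = () => new Image()) {
  const requested = [];
  for (const url of urls) {
    const img = createImage();
    img.src = url;            // network request, nothing rendered
    requested.push(url);
  }
  return requested;
}

// The check an examiner would want: which cached *pages* (HTML responses)
// have no corresponding visit in the navigation history? Those were
// fetched by script or prefetch, not by a user navigation. The record
// shapes are a constructed, simplified model of cache and history entries.
function cachedPagesNeverVisited(cacheEntries, historyEntries) {
  const visited = new Set(historyEntries.map(h => h.url));
  return cacheEntries
    .filter(e => /^text\/html\b/i.test(e.contentType) && !visited.has(e.url))
    .map(e => ({ url: e.url, fetchedFrom: e.referer || null }));
}

// Constructed sample data: the user visited the landing page, whose script
// then warmed the cache with a second page and an image.
const SAMPLE_CACHE = [
  { url: 'https://example.test/index.html',  contentType: 'text/html; charset=utf-8', referer: '' },
  { url: 'https://example.test/hidden.html', contentType: 'text/html; charset=utf-8', referer: 'https://example.test/index.html' },
  { url: 'https://example.test/pixel.png',   contentType: 'image/png',                referer: 'https://example.test/index.html' },
];
const SAMPLE_HISTORY = [
  { url: 'https://example.test/index.html', visitedAt: '2013-10-19T10:00:00Z' },
];

// In a browser: prefetchIntoCache(['https://example.test/hidden.html']);
// On the forensic side: cachedPagesNeverVisited(SAMPLE_CACHE, SAMPLE_HISTORY)
// reports hidden.html as cached but never visited, fetched from index.html.
```

The design point is that the cache and the history are two different records: the cache shows what the browser fetched, the history shows what the user navigated to, and an adversarial review has to correlate them rather than treat either as proof of intent on its own.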

In the context of something like a patent fight, I have an excellent idea of what tools I might need, and how to employ them, but no experience. On the other hand, I know of someone who does. Avi Rubin has a security track record dating back many years, as USENIX members know. His credentials are available at http://avi-rubin.blogspot.com/: Professor of Computer Science and Technical Director of the Information Security Institute at Johns Hopkins University, and it goes back from there...

Avi has spun up another company that specializes in this sort of thing, and has a practical guide on how to proceed: http://harborlabs.com/codereview.pdf. This is highly recommended reading.
