   W.H.
   Part 1: posting what I have done so far.

http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=16


Somehow the translation date has already been changed to the 10th;;

The translation is still in progress; the content below is the script.

The parts in parentheses are ones I wrote down but am not sure about, and *** marks parts I could not make out.

And since I have not interpreted it yet, for now I treated speech that ran on as a single sentence.

...

For the past couple of years have been doing a code review for methodology a lot of large really code base.
For several years I have been reviewing code bases with a very large number of lines.

And initially when I started doing code review it was pretty difficult trying (figure) all their everything by has 600,000 lines of code.
And when I first started doing code review, (analyzing) 600000 lines of code was quite hard.

I have to review that code, trying find "dipikseu" (it's about patching..) and it's really difficult for anyone person are single team *** and review code without communicating and following tool every single step.
I tried to find the "dipikseu" in that 600,000-line code, but reviewing it while single-stepping (executing the code one line at a time) without help from the community was really hard to do alone.

So, past two years (are so it) ah... with help of few friends of mine with a they stop it used to work for became up with some part of methodology.
After two years, together with friends who helped, I would find several methods.

Little on... last year, I think a Microsoft started pushing threat analysis (go a bit) I look into that (in a like) there ideas as well, so I try come up with someone different technical previewing large source code bases.
Last year, I thought Microsoft (hereafter MS) had started supporting threat analysis. I looked into MS and its threat analysis concept. So I looked for a different technique for (reviewing) a large amount of code.

And today I'm going to try focus this *** on that particular topic.
And today I am going to focus on this (threat analysis).

Basically how do go about reviewing large code bases doing source code review and doing focus source code review to get most effective result.


Defense in depth today


We have firewalls, this is a big picture I guess, we have Firewalls, we have DMZ, Host Assessment We have difficult Hardened Builds, Vulnerability Scanning but now this Code Review is becoming more and more popular a lot of company want to do not just common do ****** test it their product company but black box testing but also look at code review.


How do we go going do that code review.


So this is the six point methodology started with Threat Model will talk about Threat Modeling basically trying to get (data flood *******) of entire application and trying to figure out all the major entry point are all the major *** someone else going to access something and trying to see if there *** could be trace I particularly point like for web application if like Google the biggest *** search the search fill itself *** properly they would be no problems are something among those line so we will talk about every single major entry point what are they different technique (we can) *** doing that.


Second step *** Cursory Code Review.


The reason for that is that every single person in world in doing a code review should understand how *** (indial) application is written have common (please) where you have *** (store) have common please where you have *** common note (store) so that when initially your reviewing it you are understanding the (mind set of) programmer.


The goldest to think like wonder programmer was trying to do all there.


You not going to go to depth you just see what exactly happening from *** ***.


Then you going to separation of code will talk about couple of (meter) (there's) stander (meter) that Microsoft come up with and then there's (meter) "empeullopoujing" application architecture trying to be a value "tudeul" *** (difference) separations how do you give value to it how do you figure out what exactly would give you more benefit focus your (dying) to was.


Then we will talk about maintaining code notes with reviewer name.


This is very important simply because reviewer *** bunch of code and he will understand it he puts notes down review is could also accessing same function he doesn't spend time trying to understand function code again.


So it is good idea to have reviewer note and reviewer names also little (they) what we (end up) doing giving customers just graph that particular name and *** you don't have to maintain multiple note

  Hit : 1743     Date : 2011/05/10 10:09



    
서경재 Wow, you wrote down almost all of it;;; the Indian accent was hard to follow 2011/05/10
멍멍 Thank you for the hard work~ 2011/05/11