   멍멍
   http://www.hackerschool.org
   I'll call Part 1 done at about this point.

http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=38



Now, um... for the past couple of years I have been doing code review for a lot of large code bases.

And initially, when I started, uh... doing code review,

it was pretty difficult trying to figure out everything. Like, I had 60,000 to 70,000 lines of code.

I had to review that code, trying to find defects, and it's really difficult for any one person or single team to go

and review code without communicating and following through every single step.

So, *** past two years or so, it, ah... with the help of a few friends of mine at my ex-company that I used to work for, I came up with some part of a methodology.

Later on... last year, I think, Microsoft started pushing threat analysis quite a bit.

I looked into that and liked their ideas as well,

so I tried to come up with some more different techniques for reviewing large source code bases.

And today I'm going to try to focus this talk on that particular topic:

basically, how do you go about reviewing large code bases, doing source code review and doing focused source code review, to get the most effective result.

Um... Defense in depth today.

We have firewalls, this is a big feature, I guess.

We have firewalls, we have our DMZ, host assessment.

We have typical hardened builds, vulnerability scanning, but now this code review is becoming more and more popular.

A lot of companies want you to not just come and do a web pentest;

if they're a product company, not just do black box testing but also look at code review.

And... how do we go about doing that code review?

So this is the six-point methodology.

Start with the threat model. We'll talk about threat modeling:

basically, uh... trying to get a data flow diagram of the entire application,

and trying to figure out all the major entry points,

or all the major ones where someone is going to access something,

and trying to see if there are vulnerabilities that could be a threat at a particular point.

Like, for a web application, if, like, Google, the biggest threat point might be at the search, the search field itself;

if they're hardened, *** put their, set the filter properly, there would be no problems,

or something along those lines. So we will talk about every single major entry point,

what are the different techniques we can go about doing that.

Uh... The second step, typically, is to do a cursory code review.

The reason for that is that every single person in the world doing a code review

should understand how the entire application is written:

have a common place where you have all your variables stored,

have a common place where you have all your common notes stored,

so that when initially you're reviewing it, you are understanding the mindset of the programmer.

The goal is to think like what the programmer was trying to do over there.

You're not going to go to depth; you just see what exactly is happening from the variables' point of view, in access.

Then you go into separation of code. We'll talk about a couple of metrics:

there's a standard metric that Microsoft came up with,

and then there's a metric that *** application architecture, trying to be a value *** *** different separations, how do you give value to it,

how do you figure out what exactly would give you more benefit to focus your time towards.

Then we will talk about maintaining code notes with the reviewer's name.

This is very important,

simply because reviewer A might be reviewing a bunch of code,

and he will understand it, he puts notes down;

uh... reviewer B could also be accessing the same function,

and he doesn't have to *** spend time trying to understand the function call again.

So it is a good idea to have reviewer notes and reviewer names,

so also, a little, what we end up doing is giving customers just a graph for that particular name,

and *** you don't have to maintain multiple notes ***.





If there are no further corrections, I'll wrap it up at this point. ^.^

  Hit : 1496     Date : 2011/05/16 04:58
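Two of the steps in the talk above can be mechanized rather than done by hand: the threat-model step (list every entry point and what request input reaches it) and the reviewer-notes step (notes that carry the reviewer's name, so reviewer B can skip what reviewer A already covered and the customer can be given a per-reviewer summary). The following is an added example for this post; it is not code from the talk, from the speaker or from the translation team. It assumes a Flask-style Python application and a made-up comment convention, `# REVIEW(<name>): <note>`, placed above a handler; the sample source inside it is constructed for the example.

```python
"""Added example (not from the talk): inventory entry points and reviewer notes.

Assumptions made for this example: a Flask-style app whose handlers are
decorated with @<app>.route(...), and reviewer notes written as
"# REVIEW(<name>): <note>" on the lines above the handler's def.
"""
import ast
import re
from collections import defaultdict

# Constructed sample input: two reviewed handlers and one nobody has looked at.
SAMPLE_SOURCE = '''
from flask import Flask, request

app = Flask(__name__)

# REVIEW(alice): echoes q into the page; check output encoding in render()
@app.route("/search")
def search():
    q = request.args.get("q", "")
    return render(q)

# REVIEW(bob): fmt flows into run_export(); confirm it is whitelisted there
@app.route("/export", methods=["POST"])
def export():
    fmt = request.form["fmt"]
    return run_export(fmt)

@app.route("/health")
def health():
    return "ok"
'''

NOTE_RE = re.compile(r"#\s*REVIEW\((?P<name>[^)]+)\):\s*(?P<note>.*)")
DEF_RE = re.compile(r"^\s*def\s+(\w+)\s*\(")


def _request_inputs(func):
    """Names of request attributes (args, form, json, ...) read inside func."""
    found = set()
    for node in ast.walk(func):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "request"):
            found.add(node.attr)
    return found


def find_entry_points(source):
    """One record per @<app>.route(...)-decorated function, in file order."""
    entry_points = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr == "route"):
                continue
            path = dec.args[0].value if dec.args and isinstance(dec.args[0], ast.Constant) else None
            methods = ["GET"]  # Flask's default when methods= is absent
            for kw in dec.keywords:
                if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
            entry_points.append({"function": node.name, "path": path, "methods": methods,
                                 "inputs": sorted(_request_inputs(node)), "line": node.lineno})
    return sorted(entry_points, key=lambda ep: ep["line"])


def find_review_notes(source):
    """Map function name -> [(reviewer, note), ...] for REVIEW comments above its def."""
    notes = defaultdict(list)
    pending = []  # notes seen since the last def; they belong to the next def
    for line in source.splitlines():
        m = NOTE_RE.search(line)
        if m:
            pending.append((m.group("name").strip(), m.group("note").strip()))
            continue
        d = DEF_RE.match(line)
        if d and pending:
            notes[d.group(1)].extend(pending)
            pending = []
    return dict(notes)


def coverage_report(entry_points, notes):
    """Per-reviewer count of entry points covered, plus the ones nobody reviewed."""
    per_reviewer = defaultdict(int)
    unreviewed = []
    for ep in entry_points:
        reviewers = {name for name, _ in notes.get(ep["function"], [])}
        if not reviewers:
            unreviewed.append(ep["path"])
        for name in reviewers:
            per_reviewer[name] += 1
    return {"per_reviewer": dict(per_reviewer), "unreviewed": unreviewed}


if __name__ == "__main__":
    eps = find_entry_points(SAMPLE_SOURCE)
    notes = find_review_notes(SAMPLE_SOURCE)
    for ep in eps:
        who = ", ".join(sorted({n for n, _ in notes.get(ep["function"], [])})) or "UNREVIEWED"
        print(f'{ep["path"]:<10} {"/".join(ep["methods"]):<6} inputs={ep["inputs"]} reviewed_by={who}')
    print(coverage_report(eps, notes))
```

Run against a real tree, the same two passes give you the entry-point list for the data flow diagram and the "who has been here" map the talk describes; the `/health` handler shows up as unreviewed, which is exactly the gap a second reviewer should pick up instead of re-reading `search()`. The comment regex and the `request.<attr>` heuristic are the parts to adapt to your own framework and note style.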



    
멍멍: The WIKI is back up, so I'm moving this over there. 2011/05/16
gusrb132: Wow, you're awesome, haha. How do you even do this?? T_T That must be hard work... 2011/05/18