Adversarial Testing, was Thou shalt have no

Douglas A. Gwyn wrote:
> I disagree. The value of the model is precisely the fact that a single instance...

Trevor L. Jackson, III replied:

Afterthought: I neglected to pay enough attention to the term security review. IME this can mean one of two radically distinct processes.

One is retrospective and brings to bear the knowledge and skill of a person with a lot of experience in analyzing previous security violations. Thus it is principally retrospective and (if AI were generally available) could be described as a context sensitive checklist.

A security review can also be conducted from the point of view of prevention by attempting to rule out (or minimize) the effect that external manipulation can have upon the internal state of the system. This approach requires a far deeper level of analysis of the software. Where the checklist analysis might use grep as the principal investigative tool, prevention requires that the reviewers essentially mount an attack on each module of the system looking for places where an adversary might gain an undesirable advantage. But this level of effort is hardly a "review". It is more properly described as an adversarial form of test, even if only gedanken.

Almost all of my experience is with the latter. Which did you mean?

tj3
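The checklist-style review the post contrasts with adversarial testing, as an added example that is not part of the original thread: a small Python scanner that does what a grep-driven review does, flagging calls to a short list of C library functions and reporting the line and the reason a reviewer would stop there. The checklist entries are standard C library functions; the rationale strings, the sample source and the function names (checklist_review, review_sample, format_report) are constructed for this illustration. The sample deliberately contains two memcpy calls, one with a validated length and one without: the checklist reports both identically, because deciding which one is a defect requires reasoning about the data flow into in_len, which is the per-module adversarial analysis the post describes rather than anything a textual match can settle.

```python
"""Checklist-style ("grep") security review over C source.

Added example, not code from the original thread. The checklist names are
standard C library functions; the rationale text and the sample source are
constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed checklist: function name -> why a reviewer would stop and look.
CHECKLIST = {
    "gets":    "no bound on input length",
    "strcpy":  "copies until NUL with no destination bound",
    "strcat":  "appends with no destination bound",
    "sprintf": "formats into a buffer with no destination bound",
    "memcpy":  "safe only if the length was validated against the destination",
    "system":  "passes its argument to a shell",
}

# One compiled pattern per entry. \b keeps fgets() from matching gets(), and
# \s*\( requires an actual call rather than a bare mention of the name.
PATTERNS = {name: re.compile(rf"\b{name}\s*\(") for name in CHECKLIST}

# Same-line comments only; multi-line /* */ blocks are out of scope here
# (the sample source does not use them).
_COMMENT = re.compile(r"/\*.*?\*/|//.*$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    function: str
    rationale: str
    source: str


def _strip_comments(line: str) -> str:
    """Remove same-line comments so a rationale comment never triggers a finding."""
    return _COMMENT.sub("", line)


def checklist_review(source: str) -> list[Finding]:
    """Return one Finding per checklist call found, in source order."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        code = _strip_comments(raw)
        for name, pattern in PATTERNS.items():
            if pattern.search(code):
                findings.append(Finding(line_no, name, CHECKLIST[name], raw.strip()))
    return findings


# Constructed C sample. Only line 9 is actually a defect: the length was checked
# against sizeof buf (64) but is then used to fill name (32). grep cannot tell
# line 8 from line 9; that judgement is the adversarial part of the review.
SAMPLE_SOURCE = """\
#include <string.h>
#include <stdio.h>

int handle(const char *in, size_t in_len) {
    char buf[64];
    char name[32];
    if (in_len > sizeof buf) return -1;   /* length checked against buf */
    memcpy(buf, in, in_len);
    memcpy(name, in, in_len);             /* no check against sizeof name */
    fgets(name, sizeof name, stdin);      /* fgets is bounded; not gets */
    strcpy(name, in);
    return 0;
}
"""


def review_sample() -> list[Finding]:
    """Run the checklist over the constructed sample."""
    return checklist_review(SAMPLE_SOURCE)


def format_report(findings: list[Finding]) -> str:
    """Render findings one per line, the way a reviewer would paste them into notes."""
    return "\n".join(
        f"line {f.line_no}: {f.function}() - {f.rationale}\n    {f.source}"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(review_sample()))
```

Running the module prints three findings (lines 8, 9 and 11) and nothing for the fgets call on line 10. The report is the retrospective checklist the post describes; whether line 8 is fine and line 9 is not is the question it leaves open, and answering it is what the post calls mounting an attack on the module.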