Code Review Guide Foreword - Revision history

Thomas Herlea: Updated label to match the tabe of contents

2010-09-09T14:06:26Z

Updated label to match the tabe of contents

Thomas Herlea: Added navigation to facilitate sequential reading online

2010-09-09T11:43:06Z

Added navigation to facilitate sequential reading online

KirstenS: /* Why Security Code Review? */

2009-01-08T16:04:14Z

‎Why Security Code Review?

KirstenS at 16:02, 8 January 2009

2009-01-08T16:02:17Z

KirstenS: /* OWASP Guides */

2008-08-31T12:21:00Z

‎OWASP Guides

KirstenS: /* OWASP Guides */

2008-08-31T12:20:05Z

‎OWASP Guides

Jeff Williams at 16:04, 23 November 2007

2007-11-23T16:04:14Z

Jlaliberte at 17:10, 19 November 2007

2007-11-19T17:10:29Z

Jeff Williams at 01:31, 18 October 2007

2007-10-18T01:31:27Z

EoinKeary: New page: ==Foreword by Jeff Williams, OWASP Chair== NOTOC Category:OWASP Code Review Project

2007-08-02T16:06:24Z

New page: ==Foreword by Jeff Williams, OWASP Chair== __NOTOC__ Category:OWASP Code Review Project

New page

==Foreword by [[User:Jeff Williams|Jeff Williams]], OWASP Chair==

__NOTOC__

[[Category:OWASP Code Review Project]]

@@ Line 2: / Line 2: @@
    | useprev=PrevLink | prev=OWASP Code Review Guide Table of Contents | lblprev=Table of Contents
    | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
-   | usenext=NextLink | next=Code Review Guide Frontispiece | lblnext=Frontispiece
+   | usenext=NextLink | next=Code Review Guide Frontispiece | lblnext=About the OWASP Code Review Project
 }}
@@ Line 42: / Line 42: @@
    | useprev=PrevLink | prev=OWASP Code Review Guide Table of Contents | lblprev=Table of Contents
    | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
-   | usenext=NextLink | next=Code Review Guide Frontispiece | lblnext=Frontispiece
+   | usenext=NextLink | next=Code Review Guide Frontispiece | lblnext=About the OWASP Code Review Project
 }}

@@ Line 9: / Line 9: @@
 Security moves too fast for traditional books to be of much use. But OWASP's collaborative environment allows us to keep up to date. There are hundreds of contributors to the OWASP Guides, and we make over a thousand updates to our materials every month. We're committed to making high quality application security materials available to everyone. It's the only way we'll ever make any real progress on application security as a software community.
-==Why Security Code Review?==
+==Why Code Review?==
 I've been performing security code reviews (along with the other techniques) since 1998, and I've found thousands of serious vulnerabilities. In my experience, design documentation, code comments, and even developers themselves are often misleading.  The code doesn't lie.  Actually, the code is your only advantage over the hackers.  Don't give up this advantage and rely only on external penetration testing.  Use the code.
@@ Line 15: / Line 15: @@
 Despite the many claims that code review is too expensive or time consuming, there is no question that it is the '''fastest''' and '''most accurate''' way to find and diagnose many security problems.  There are also dozens of serious security problems that simply can't be found any other way.  I can't emphasize the cost-effectiveness of security code review enough.  Consider which of the approaches will identify the largest amount of the '''most significant''' security issues in your application, and security code review quickly becomes the obvious choice.  This applies no matter what amount of money you can apply to the challenge.
-Every application is different, that's why I believe it's important to to empower the individuals verifying security to use the most cost-effective techniques available.  One common pattern is to use security code review to find a problem and penetration testing to prove that it is exploitable.  Another pattern is finding a potential issue with penetration testing, and then verifying the issue by finding and examining the code. I strongly believe that the "combined" approach is the best choice for most applications.
+Every application is different; that's why I believe it's important to to empower the individuals verifying security to use the most cost-effective techniques available.  One common pattern is to use security code review to find a problem and penetration testing to prove that it is exploitable.  Another pattern is finding a potential issue with penetration testing, and then verifying the issue by finding and examining the code. I strongly believe that the "combined" approach is the best choice for most applications.
 ==Getting Started==

@@ Line 1: / Line 1: @@
 ==Foreword by [[User:Jeff Williams|Jeff Williams]], OWASP Chair==
-Many organizations have realized that their code is not as secure as they may have thought. Now they're starting the difficult work of verifying the security of their applications. There are four basic techniques for analyzing the security of a software application - automated scanning, manual penetration testing, static analysis, and manual code review. This OWASP Guide is focused on the last of these techniques. Of course, all of these techniques have their strengths, weaknesses, sweet spots, and blind spots.  Arguments about which technique is the best are like arguing whether a hammer or saw is more valuable when building a house. If you try to build a house with just a hammer, you'll do a terrible job.
+Many organizations have realized that their code is not as secure as they may have thought. Now they're starting the difficult work of verifying the security of their applications.
-==OWASP Guides==
+There are four basic techniques for analyzing the security of a software application - automated scanning, manual penetration testing, static analysis, and manual code review. This OWASP Guide is focused on the last of these techniques. Of course, all of these techniques have their strengths, weaknesses, sweet spots, and blind spots. Arguments about which technique is the best are like arguing whether a hammer or saw is more valuable when building a house. If you try to build a house with just a hammer, you'll do a terrible job.  More important than the tool is probably the person holding the hammer anyway.
-The OWASP guides are intended to teach you how to use these techniques. But the fact that they are separate shouldn't be an indicator that they should be used alone. The [[:Category:OWASP Guide Project|Development Guide]] shows your project how to architect and build a secure application, this [[Code Review Guide]] tells you how to verify the security of your application's source code, and the [[Testing Guide]] shows you how to verify the security of your running application.
+The OWASP guides are intended to teach you how to use these techniques. But the fact that they are separate shouldn't be an indicator that they should be used alone. The Development Guide shows your project how to architect and build a secure application, this Code Review Guide tells you how to verify the security of your application's source code, and the Testing Guide shows you how to verify the security of your running application.
-Security moves too fast for traditional books to be of much use. But OWASP's collaborative environment allows us to keep up to date. There are hundreds of contributors to the OWASP Guides and we make over a thousand updates to our materials every month. We're committed to making high quality application security materials available to everyone. It's the only way we'll ever make any real progress on application security as a software community.
+Security moves too fast for traditional books to be of much use. But OWASP's collaborative environment allows us to keep up to date. There are hundreds of contributors to the OWASP Guides, and we make over a thousand updates to our materials every month. We're committed to making high quality application security materials available to everyone. It's the only way we'll ever make any real progress on application security as a software community.
 ==Why Security Code Review?==

@@ Line 5: / Line 5: @@
 ==OWASP Guides==
-The OWASP guides are intended to teach you how to use these techniques. But the fact that they are separate shouldn't be an indicator that they should be used alone. The [[Building Guide|Development Guide]] shows your project how to architect and build a secure application, this [[Code Review Guide]] tells you how to verify the security of your application's source code, and the [[Testing Guide]] shows you how to verify the security of your running application.
+The OWASP guides are intended to teach you how to use these techniques. But the fact that they are separate shouldn't be an indicator that they should be used alone. The [[:Category:OWASP Guide Project|Development Guide]] shows your project how to architect and build a secure application, this [[Code Review Guide]] tells you how to verify the security of your application's source code, and the [[Testing Guide]] shows you how to verify the security of your running application.
 Security moves too fast for traditional books to be of much use. But OWASP's collaborative environment allows us to keep up to date. There are hundreds of contributors to the OWASP Guides and we make over a thousand updates to our materials every month. We're committed to making high quality application security materials available to everyone. It's the only way we'll ever make any real progress on application security as a software community.

@@ Line 5: / Line 5: @@
 ==OWASP Guides==
-The OWASP guides are intended to teach you how to use these techniques. But the fact that they are separate shouldn't be an indicator that they should be used alone. The [[Building Guide]] shows your project how to architect and build a secure application, this [[Code Review Guide]] tells you how to verify the security of your application's source code, and the [[Testing Guide]] shows you how to verify the security of your running application.
+The OWASP guides are intended to teach you how to use these techniques. But the fact that they are separate shouldn't be an indicator that they should be used alone. The [[Building Guide|Development Guide]] shows your project how to architect and build a secure application, this [[Code Review Guide]] tells you how to verify the security of your application's source code, and the [[Testing Guide]] shows you how to verify the security of your running application.
 Security moves too fast for traditional books to be of much use. But OWASP's collaborative environment allows us to keep up to date. There are hundreds of contributors to the OWASP Guides and we make over a thousand updates to our materials every month. We're committed to making high quality application security materials available to everyone. It's the only way we'll ever make any real progress on application security as a software community.

@@ Line 1: / Line 1: @@
 ==Foreword by [[User:Jeff Williams|Jeff Williams]], OWASP Chair==
@@ Line 32: / Line 38: @@
 -- [[User:Jeff Williams|Jeff Williams]], OWASP Chair, October 17, 2007
 __NOTOC__
 [[Category:OWASP Code Review Project]]

@@ Line 25: / Line 25: @@
 ==Call to Action==
-If you're building software, I strongly encourage you to get familiar with the securguidance in this document. If you find errors, please add a note to the discussion page or make the change yourself. You'll be helping thousands of others who use this guide.
+If you're building software, I strongly encourage you to get familiar with the security guidance in this document. If you find errors, please add a note to the discussion page or make the change yourself. You'll be helping thousands of others who use this guide.
 Please consider [[Membership|joining us]] as an individual or corporate member so that we can continue to produce materials like this code review guide and all the other great projects at OWASP.

Code Review Guide Foreword - Revision history

Thomas Herlea: Updated label to match the tabe of contents

Thomas Herlea: Added navigation to facilitate sequential reading online

KirstenS: /* Why Security Code Review? */

KirstenS at 16:02, 8 January 2009

KirstenS: /* OWASP Guides */

KirstenS: /* OWASP Guides */

Jeff Williams at 16:04, 23 November 2007

Jlaliberte at 17:10, 19 November 2007

Jeff Williams at 01:31, 18 October 2007

EoinKeary: New page: ==Foreword by Jeff Williams, OWASP Chair== __NOTOC__ Category:OWASP Code Review Project

EoinKeary: New page: ==Foreword by Jeff Williams, OWASP Chair== NOTOC Category:OWASP Code Review Project