Difference between revisions of "OWASP Code Review V2 Table of Contents"
| Line 108: | Line 108: | ||
#Author - Open | #Author - Open | ||
## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]] | ## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]] | ||
| − | ===Reviewing code Authorisation weakness | + | ===Reviewing code Authorisation weakness=== |
#Author Ashish Rao | #Author Ashish Rao | ||
====Checking authz upon every request==== | ====Checking authz upon every request==== | ||
#Author - Abbas Naderi, Joan Renchie | #Author - Abbas Naderi, Joan Renchie | ||
====Reducing the attack surface==== | ====Reducing the attack surface==== | ||
| − | |||
#Author Chris Berberich | #Author Chris Berberich | ||
## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]] | ## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]] | ||
| + | ====Reviewing code for Session handling==== | ||
| + | #Author - Palak Gohil, Abbas Naderi | ||
| + | ## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]] | ||
| + | ====Reviewing client side code==== | ||
| + | #New Section | ||
| + | =====Javascript===== | ||
| + | #Author - Abbas Naderi | ||
| + | =====JSON===== | ||
| + | #Author - Open | ||
| + | =====Content Security Policy===== | ||
| + | #Author - Open | ||
| + | ====="Jacking"/Framing | ||
| + | #Author - Abbas Naderi | ||
| + | =====HTML 5?===== | ||
| + | #Author - Sebastien Gioria | ||
| + | =====Browser Defenses policy===== | ||
| + | #Author - Open | ||
| + | =====etc...===== | ||
| + | ====Review code for input validation==== | ||
| + | =====Regex Gotchas===== | ||
| + | #Author - Abbas Naderi | ||
| + | ##New Section | ||
| + | =====ESAPI===== | ||
| + | #Author - Abbas Naderi | ||
| + | ##New Section | ||
| + | ## Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]] | ||
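Review bot: the newly added heading `====="Jacking"/Framing` has no closing `=====`, so MediaWiki will render it as literal text rather than a level-5 heading; this is the same defect this revision fixes one hunk earlier for `===Reviewing code Authorisation weakness===`, and it should be closed the same way: `====="Jacking"/Framing=====`. The added "etc..." placeholder heading under "Reviewing client side code" and the "HTML 5?" title also read as unfinished; either name the intended subsections or drop the placeholder so the outline does not ship with stubs.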
Revision as of 23:48, 18 April 2013
OWASP Code Review Guide v2.0:
Forward
- Author - Eoin Keary
- Previous version to be updated: [[1]]
Code Review Guide History
- Author - Eoin Keary
- Previous version to be updated: [[2]]
Introduction
- Author - Eoin Keary
What is source code review and Static Analysis
- Author - Zyad Mghazli
- New Section
Manual Review - Pros and Cons
- Author - Ashish Rao
- New Section
- Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli
- New Section
Why code review
Scope and Objective of secure code review
- Author - Ashish Rao
We can't hack ourselves secure
- Author - Prathamesh Mhatre
- New Section
360 Review: Coupling source code review and Testing / Hybrid Reviews
- Author - Ashish Rao
- New Section
Can static code analyzers do it all?
- Author - Ashish Rao
- New Section
Methodology
The code review approach
- Author - Prathamesh Mhatre
Preparation and context
- Author - Open
- Previous version to be updated: [[3]]
Application Threat Modeling
- Author - Andy, Renchie Joan
- Previous version to be updated: [[4]]
Understanding Code layout/Design/Architecture
- Author - Ashish Rao
SDLC Integration
- Author - Andy, Ashish Rao
- Previous version to be updated: [[5]]
Deployment Models
Secure deployment configurations
- Author - Ashish Rao
- New Section
Metrics and code review
- Author - Andy
- Previous version to be updated: [[6]]
Source and sink reviews
- Author - Ashish Rao
- New Section
Code review Coverage
- Author - Open
- Previous version to be updated: [[7]]
Design Reviews
- Author - Ashish Rao
- Why to review design?
- Building security in design - secure by design principle
- Design Areas to be reviewed
- Common Design Flaws
A Risk based approach to code review
- Author - Renchie Joan
- New Section
- "Doing things right or doing the right things..."
- "Not all bugs are equal"
Crawling code
- Author - Abbas Naderi
- Previous version to be updated: [[8]]
- API of Interest:
- Java
- .NET
- PHP
- Ruby
- Frameworks:
- Spring
- .NET MVC
- Struts
- Zend
- New Section
- Searching for code in C/C++
- Author - Gaz Robinson
Code reviews and Compliance
- Author - Manual Harti
- Previous version to be updated: [[9]]
Reviewing by Technical Control
Reviewing code for Authentication controls
- Author - Anand Prakash, Joan Renchie
Forgot password
- Author - Abbas Naderi
Authentication
- Author - Anand Prakash, Joan Renchie
CAPTCHA
- Author - Larry Conklin, Joan Renchie
Out of Band considerations
- Author - Open
- Previous version to be updated: https://www.owasp.org/index.php/Codereview-Authentication
Reviewing code Authorisation weakness
- Author - Ashish Rao
Checking authz upon every request
- Author - Abbas Naderi, Joan Renchie
Reducing the attack surface
- Author - Chris Berberich
- Previous version to be updated: https://www.owasp.org/index.php/Codereview-Authorization
Reviewing code for Session handling
- Author - Palak Gohil, Abbas Naderi
- Previous version to be updated: https://www.owasp.org/index.php/Codereview-Session-Management
Reviewing client side code
- New Section
Javascript
- Author - Abbas Naderi
JSON
- Author - Open
Content Security Policy
- Author - Open
"Jacking"/Framing
- Author - Abbas Naderi
HTML 5?
- Author - Sebastien Gioria
Browser Defenses policy
- Author - Open
etc...
Review code for input validation
Regex Gotchas
- Author - Abbas Naderi
- New Section
ESAPI
- Author - Abbas Naderi
- New Section
- Internal Link: https://www.owasp.org/index.php/Codereview-Input_Validation