This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Code review V2 Project"
| Line 2: | Line 2: | ||
== Overview == | == Overview == | ||
| − | Welcome to the continuation of OWASP Code Review Guide Project! | + | Welcome to the continuation of OWASP Code Review Guide Project! The Code Review Guide Project 2.0 is to bring the successful OWASP Code Review Guide up to date. |
== Project Lead == | == Project Lead == | ||
| − | [mailto:[email protected] Eoin Keary] is continuing his successful leadership as the technical lead of the Code Review Guide Project. | + | [mailto:[email protected] Eoin Keary] is continuing his successful leadership as the technical lead of the Code Review Guide Project. |
| + | |||
| + | [mailto:larry.conklin@owasp Larry Conklin] is the project support person. | ||
| Line 63: | Line 65: | ||
== Project Meeting Notes == | == Project Meeting Notes == | ||
| + | ===March 8, 2013=== | ||
| + | Eoin audio was breaking up. Eoin mention having a working group email distro list for authors and reviewers. | ||
| + | |||
| + | Samantha sent out grant chat for review. Eoin is creating a template for Authors to us. | ||
| + | |||
| + | ===Friday, March 22, 13=== | ||
| + | Met with Johanna Curiel and Sherif Koussa. We met for a little under an hour. | ||
| + | I brought on the point that code review structure needs to include configuration/xml files besides actual code. OWASP top ten now includes security misconfigurations that are no longer just at the level of infrastructure level on an organization but can happen by the application programmer. | ||
| + | |||
| + | We talk about the current structure. Sherif made the suggestion that the code review structure should use a top down approach with top being more process oriented with a generic checklist to cover all programming platforms. This high level approach would follow the OWASP top ten list but be at a slightly lower level. | ||
| + | |||
| + | From that generic checklist we could subdivide it into sections for each language and specific techniques to help guide the code reviewer. | ||
| + | |||
| + | Johanna and I both thought we would still need the checklist (maybe at a subsection level) to be specific to a language platform. | ||
| + | |||
| + | Some sections would only need to be at a generic level such as session management. (???) | ||
| + | I think the current TOC actual might have this in mind but maybe it could be laid out with top levels talking about processes. | ||
| + | |||
| + | Sherif also brought up the point about where the code review process would take place in SDLC. Would it be for at the application level or at the code module level? Would we have a code review process that takes place in application design level so security would not be bolted on as an after thought. | ||
| + | |||
| + | ===Wednesday April 3, 2013=== | ||
| + | It was agreed that by 4/5/2013 we are going with the TOC as it is. Eoin is very open that during the project that if a subject matter that needs to be included it will be addresses at that time. | ||
| + | We are working on assigning dates to sections and authors. | ||
| + | |||
| + | Samantha is working on getting base line wiki pages created for the project so authors can add contributed text. | ||
| + | Eoin emphasized that all work submitted by each author needs to be original work. Authors do not need to put extra effort/work into diagrams. Eoin says will have all artwork touched up by a profession. We also need to make sure where necessary we have the proper references. | ||
| + | |||
| + | ===Friday April 20,2013=== | ||
| + | ===Friday May 3, 2013=== | ||
| + | ===Friday May 17,2013=== | ||
| + | |||
== Project Status == | == Project Status == | ||
Revision as of 03:23, 13 May 2013
Overview
Welcome to the continuation of OWASP Code Review Guide Project! The Code Review Guide Project 2.0 is to bring the successful OWASP Code Review Guide up to date.
Project Lead
Eoin Keary is continuing his successful leadership as the technical lead of the Code Review Guide Project.
Larry Conklin is the project support person.
Email List
You can sign up for the OWASP Code Review Guide Project email list at General Code Review Guide mailing
http://lists.owasp.org/mailman/listinfo/owasp-codereview http://lists.owasp.org/mailman/listinfo/owasp_code_review_guide_authors
Table of Contents for Code Review Guide
Authors and Reviewers use to TOC to take ownership of content you want to write about or review. Please attach your name here and put link to your content here.
Link to TOC [[1]]
Code Review Guide Authors and Reviewers
Please do not email authors or reviewers on matters outside of the Code Review Guide project. Authors and reviewers have allowed us to publish their email address to help promote collaboration between authors and or reviewers.
- Abbas Naderi: [email protected]
- [email protected]
- Anand Prakash [email protected]
- Andre Gironda [email protected]
- Andreas Athanasoulias [email protected]
- Ashish Rao [email protected]
- Avi Douglen [email protected]
- Azzeddine Ramrami: [email protected]
- [email protected]
- [email protected]
- Bob Wintemberg [email protected]
- Chris Berberich <[email protected]>
- [email protected]
- Greg Disney: [email protected]
- Hartl, Manuel <[email protected]>
- James Widener [email protected]
- Jason Karlin <[email protected]>
- [email protected]
- [email protected]
- Manuel Hartl [email protected]
- Mittal Mehta [email protected]
- Mohammed Damavandi [email protected]
- Neil Matatall [email protected]
- [email protected]
- [email protected]
- Renchie Joan Abraham: [email protected]
- Said Moftakhar [email protected]
- Shahryar Jahangir [email protected]
- Shenal Silva [email protected]
- Sherif Koussa [email protected]
- [email protected]
- Sravan Kumar [email protected]
- [email protected]
- Travis Risner [email protected]
Project Meetings
Project Meeting Notes
March 8, 2013
Eoin audio was breaking up. Eoin mention having a working group email distro list for authors and reviewers.
Samantha sent out grant chat for review. Eoin is creating a template for Authors to us.
Friday, March 22, 13
Met with Johanna Curiel and Sherif Koussa. We met for a little under an hour. I brought on the point that code review structure needs to include configuration/xml files besides actual code. OWASP top ten now includes security misconfigurations that are no longer just at the level of infrastructure level on an organization but can happen by the application programmer.
We talk about the current structure. Sherif made the suggestion that the code review structure should use a top down approach with top being more process oriented with a generic checklist to cover all programming platforms. This high level approach would follow the OWASP top ten list but be at a slightly lower level.
From that generic checklist we could subdivide it into sections for each language and specific techniques to help guide the code reviewer.
Johanna and I both thought we would still need the checklist (maybe at a subsection level) to be specific to a language platform.
Some sections would only need to be at a generic level such as session management. (???) I think the current TOC actual might have this in mind but maybe it could be laid out with top levels talking about processes.
Sherif also brought up the point about where the code review process would take place in SDLC. Would it be for at the application level or at the code module level? Would we have a code review process that takes place in application design level so security would not be bolted on as an after thought.
Wednesday April 3, 2013
It was agreed that by 4/5/2013 we are going with the TOC as it is. Eoin is very open that during the project that if a subject matter that needs to be included it will be addresses at that time. We are working on assigning dates to sections and authors.
Samantha is working on getting base line wiki pages created for the project so authors can add contributed text. Eoin emphasized that all work submitted by each author needs to be original work. Authors do not need to put extra effort/work into diagrams. Eoin says will have all artwork touched up by a profession. We also need to make sure where necessary we have the proper references.
