This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Code Review V2 Table of Contents"
From OWASP
Damien Moran (talk | contribs) m (Can review drafts.) |
|||
| Line 14: | Line 14: | ||
=== What is source code review and Static Analysis === | === What is source code review and Static Analysis === | ||
=== What is Code Review === | === What is Code Review === | ||
| − | # Author - Zyad Mghazli | + | # Author - Zyad Mghazli, Eoin Keary |
# New Section | # New Section | ||
''' [[CRV2_WhatIsCodeReview|Content here]]''' | ''' [[CRV2_WhatIsCodeReview|Content here]]''' | ||
=== Manual Review - Pros and Cons === | === Manual Review - Pros and Cons === | ||
| − | # Author - | + | # Author - Zyad Mghazli, Eoin Keary,Gary David Robinson |
# New Section | # New Section | ||
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli | # Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli | ||
| Line 35: | Line 35: | ||
=== We can't hack ourselves secure === | === We can't hack ourselves secure === | ||
| − | # Author - | + | # Author - Eoin Keary |
# New Section | # New Section | ||
# [[CRV2_CantHackSecure|Put content here]] | # [[CRV2_CantHackSecure|Put content here]] | ||
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews=== | === 360 Review: Coupling source code review and Testing / Hybrid Reviews=== | ||
| − | # Author - | + | # Author - Open |
# New Section | # New Section | ||
# [[CRV2_360Review|Put content here]] | # [[CRV2_360Review|Put content here]] | ||
| Line 51: | Line 51: | ||
=Methodology= | =Methodology= | ||
===The code review approach=== | ===The code review approach=== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_CodeReviewApproach|Put content here]] | # [[CRV2_CodeReviewApproach|Put content here]] | ||
| Line 60: | Line 60: | ||
====Application Threat Modeling==== | ====Application Threat Modeling==== | ||
| − | #Author - | + | #Author - Open |
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]] | # Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]] | ||
# [[CRV2_AppThreatModeling|Put content here]] | # [[CRV2_AppThreatModeling|Put content here]] | ||
====Understanding Code layout/Design/Architecture==== | ====Understanding Code layout/Design/Architecture==== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_CodeLayoutDesignArch|Put content here]] | # [[CRV2_CodeLayoutDesignArch|Put content here]] | ||
===SDLC Integration=== | ===SDLC Integration=== | ||
| − | #Author - | + | #Author - Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]] | ||
# [[CRV2_SDLCInt|Put content here]] | # [[CRV2_SDLCInt|Put content here]] | ||
| Line 75: | Line 75: | ||
====Deployment Models==== | ====Deployment Models==== | ||
=====Secure deployment configurations===== | =====Secure deployment configurations===== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_SecDepConfig|Put content here]] | # [[CRV2_SecDepConfig|Put content here]] | ||
# New Section | # New Section | ||
=====Metrics and code review===== | =====Metrics and code review===== | ||
| − | #Author - | + | #Author - Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]] | ||
# [[CRV2_MetricsCodeRev|Put content here]] | # [[CRV2_MetricsCodeRev|Put content here]] | ||
=====Source and sink reviews===== | =====Source and sink reviews===== | ||
| − | #Author - | + | #Author - Open |
# New Section | # New Section | ||
# [[CRV2_SourceSinkRev|Put content here]] | # [[CRV2_SourceSinkRev|Put content here]] | ||
| Line 103: | Line 103: | ||
=====A Risk based approach to code review===== | =====A Risk based approach to code review===== | ||
| − | #Author - | + | #Author - Open |
#New Section | #New Section | ||
*"Doing things right or doing the right things..." | *"Doing things right or doing the right things..." | ||
| Line 110: | Line 110: | ||
====Crawling code==== | ====Crawling code==== | ||
| − | #Author - | + | #Author - Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]] | ||
*API of Interest: | *API of Interest: | ||
| Line 129: | Line 129: | ||
====Code reviews and Compliance==== | ====Code reviews and Compliance==== | ||
| − | #Author - | + | #Author -Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]] | ||
# [[CRV2_CodeRevCompliance|Put content here]] | # [[CRV2_CodeRevCompliance|Put content here]] | ||
| Line 135: | Line 135: | ||
=Reviewing by Technical Control= | =Reviewing by Technical Control= | ||
===Reviewing code for Authentication controls=== | ===Reviewing code for Authentication controls=== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_AuthControls|Put content here]] | # [[CRV2_AuthControls|Put content here]] | ||
| Line 143: | Line 143: | ||
====Authentication==== | ====Authentication==== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_Authentication|Put content here]] | # [[CRV2_Authentication|Put content here]] | ||
| Line 156: | Line 156: | ||
===Reviewing code Authorization weakness=== | ===Reviewing code Authorization weakness=== | ||
| − | #Author | + | #Author Eoin Keary .NET MVC added |
# [[CRV2_AuthorizationWeaknesses|Put content here]] | # [[CRV2_AuthorizationWeaknesses|Put content here]] | ||
====Checking authz upon every request==== | ====Checking authz upon every request==== | ||
| − | #Author - Abbas Naderi | + | #Author - Abbas Naderi |
# [[CRV2_CheckAuthzEachRequest|Put content here]] | # [[CRV2_CheckAuthzEachRequest|Put content here]] | ||
====Reducing the attack surface==== | ====Reducing the attack surface==== | ||
| − | #Author | + | #Author Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]] | ||
# [[CRV2_ReducingAttSurf|Put content here]] | # [[CRV2_ReducingAttSurf|Put content here]] | ||
| Line 173: | Line 173: | ||
====Reviewing code for Session handling==== | ====Reviewing code for Session handling==== | ||
| − | #Author - | + | #Author - Abbas Naderi |
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]] | ||
# [[CRV2_SessionHandling|Put content here]] | # [[CRV2_SessionHandling|Put content here]] | ||
| Line 198: | Line 198: | ||
=====HTML 5?===== | =====HTML 5?===== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_ClientSideCodeHTML5|Put content here]] | # [[CRV2_ClientSideCodeHTML5|Put content here]] | ||
| Line 212: | Line 212: | ||
=====Regex Gotchas===== | =====Regex Gotchas===== | ||
| − | #Author - | + | #Author - Open |
#New Section | #New Section | ||
# [[CRV2_InputValRegexGotchas|Put content here]] | # [[CRV2_InputValRegexGotchas|Put content here]] | ||
=====ESAPI===== | =====ESAPI===== | ||
| − | #Author - | + | #Author - Open |
#New Section | #New Section | ||
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]] | # Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]] | ||
| Line 233: | Line 233: | ||
=====Javascript Parameters===== | =====Javascript Parameters===== | ||
| − | #Author - | + | #Author - Eoin Keary |
# [[CRV2_ContextEncJscriptParams|Put content here]] | # [[CRV2_ContextEncJscriptParams|Put content here]] | ||
=====JQuery===== | =====JQuery===== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_ContextEncJQuery|Put content here]] | # [[CRV2_ContextEncJQuery|Put content here]] | ||
| Line 245: | Line 245: | ||
====Resource Exhaustion - error handling==== | ====Resource Exhaustion - error handling==== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_ResourceExhaustionErrHandling|Put content here]] | # [[CRV2_ResourceExhaustionErrHandling|Put content here]] | ||
=====native calls===== | =====native calls===== | ||
| − | #Author | + | #Author Open |
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]] | # [[CRV2_ResourceExhaustionNativeCalls|Put content here]] | ||
====Reviewing Logging code - Detective Security==== | ====Reviewing Logging code - Detective Security==== | ||
| − | #Author - | + | #Author - Open |
* Where to Log | * Where to Log | ||
* What to log | * What to log | ||
| Line 275: | Line 275: | ||
====Reviewing Secure Storage==== | ====Reviewing Secure Storage==== | ||
| − | #Author - | + | #Author - Open source |
# New Section | # New Section | ||
# [[CRV2_SecureStorage|Put content here]] | # [[CRV2_SecureStorage|Put content here]] | ||
| Line 289: | Line 289: | ||
=Reviewing by Vulnerability= | =Reviewing by Vulnerability= | ||
===Review Code for XSS=== | ===Review Code for XSS=== | ||
| − | #Author | + | #Author Examples added by Eoin Keary |
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]] | ||
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao | # In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao | ||
| Line 295: | Line 295: | ||
===Persistent - The Anti pattern=== | ===Persistent - The Anti pattern=== | ||
| − | #Author | + | #Author |
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]] | # [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]] | ||
====.NET==== | ====.NET==== | ||
| − | #Author Johanna Curiel, | + | #Author Johanna Curiel, Eoin Keary |
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]] | # [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]] | ||
====.Java==== | ====.Java==== | ||
| − | #Author | + | #Author Johanna Curiel |
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]] | # [[CRV2_RevCodePersistentAntiPatternJava|Put content here]] | ||
====PHP==== | ====PHP==== | ||
| − | #Author | + | #Author Abbas Naderi |
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]] | # [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]] | ||
====Ruby==== | ====Ruby==== | ||
| − | #Author | + | #Author OPen |
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]] | # [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]] | ||
| Line 318: | Line 318: | ||
====.NET==== | ====.NET==== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]] | # [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]] | ||
====.Java==== | ====.Java==== | ||
| − | #Author | + | #Author Johanna Curiel |
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]] | # [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]] | ||
====PHP==== | ====PHP==== | ||
| − | #Author | + | #Author Abbas Naderi |
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]] | # [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]] | ||
| Line 338: | Line 338: | ||
====.NET==== | ====.NET==== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]] | # [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]] | ||
====.Java==== | ====.Java==== | ||
| − | #Author | + | #Author Johanna Curiel |
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]] | # [[CRV2_RevCodeStoredAntiPatternJava|Put content here]] | ||
====PHP==== | ====PHP==== | ||
| − | #Author | + | #Author Abbas Naderi |
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]] | # [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]] | ||
| Line 358: | Line 358: | ||
===JQuery mistakes=== | ===JQuery mistakes=== | ||
| − | #Author | + | #Author |
# [[CRV2_JQueryMistakes|Put content here]] | # [[CRV2_JQueryMistakes|Put content here]] | ||
===Reviewing code for SQL Injection=== | ===Reviewing code for SQL Injection=== | ||
| − | #Author | + | #Author Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]] | ||
# [[CRV2_RevCodeSQLInjection|Put content here]] | # [[CRV2_RevCodeSQLInjection|Put content here]] | ||
| Line 375: | Line 375: | ||
====.NET==== | ====.NET==== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_SQLInjdotNET|Put content here]] | # [[CRV2_SQLInjdotNET|Put content here]] | ||
| Line 387: | Line 387: | ||
https://www.owasp.org/index.php/CRV2_AntiPattern | https://www.owasp.org/index.php/CRV2_AntiPattern | ||
====PHP==== | ====PHP==== | ||
| − | #Author - | + | #Author - |
# [[CRV2_AntiPatternPHP|Put content here]] | # [[CRV2_AntiPatternPHP|Put content here]] | ||
====Java==== | ====Java==== | ||
| − | #Author - | + | #Author - |
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,... | #=> Searching for traditional SQL,JPA,JPSQL,Criteria,... | ||
# [[CRV2_AntiPatternJava|Put content here]] | # [[CRV2_AntiPatternJava|Put content here]] | ||
====.NET==== | ====.NET==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_AntiPatterndotNet|Put content here]] | # [[CRV2_AntiPatterndotNet|Put content here]] | ||
| Line 408: | Line 408: | ||
===Reviewing code for CSRF Issues=== | ===Reviewing code for CSRF Issues=== | ||
| − | #Author | + | #Author Abbas Naderi |
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]] | ||
# [[CRV2_CSRFIssues|Put content here]] | # [[CRV2_CSRFIssues|Put content here]] | ||
| Line 417: | Line 417: | ||
===Reviewing code for poor logic /Business logic/Complex authorization=== | ===Reviewing code for poor logic /Business logic/Complex authorization=== | ||
| − | #Author - | + | #Author - Open |
# [[CRV2_PoorLogic|Put content here]] | # [[CRV2_PoorLogic|Put content here]] | ||
| Line 430: | Line 430: | ||
====HTTP Headers==== | ====HTTP Headers==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_SecCommsHTTPHdrs|Put content here]] | # [[CRV2_SecCommsHTTPHdrs|Put content here]] | ||
=====CSP===== | =====CSP===== | ||
| − | #Author | + | #Author Open |
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]] | # [[CRV2_SecCommsHTTPHdrsCSP|Put content here]] | ||
=====HSTS===== | =====HSTS===== | ||
| − | #Author | + | #Author Open |
# [[CRV2_SecCommsHTTPHSTS|Put content here]] | # [[CRV2_SecCommsHTTPHSTS|Put content here]] | ||
===Tech-Stack pitfalls=== | ===Tech-Stack pitfalls=== | ||
| − | #Author | + | #Author Open |
# [[CRV2_TechStackPitfalls|Put content here]] | # [[CRV2_TechStackPitfalls|Put content here]] | ||
| Line 455: | Line 455: | ||
====Drupal==== | ====Drupal==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]] | # [[CRV2_FrameworkSpecIssuesDurpal|Put content here]] | ||
| Line 463: | Line 463: | ||
====Django==== | ====Django==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]] | # [[CRV2_FrameworkSpecIssuesDjango|Put content here]] | ||
====.NET Security / MVC==== | ====.NET Security / MVC==== | ||
| − | #Author Johanna Curiel, | + | #Author Johanna Curiel, Eoin Keary |
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]] | # [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]] | ||
====Security in ASP.NET applications==== | ====Security in ASP.NET applications==== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPNet|Put content here]] | ||
=====Strongly Named Assemblies===== | =====Strongly Named Assemblies===== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel, Larry Conklin |
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]] | ||
| Line 484: | Line 484: | ||
======How to prevent Round tripping====== | ======How to prevent Round tripping====== | ||
# Author - Open | # Author - Open | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]] | ||
=====Setting the right Configurations===== | =====Setting the right Configurations===== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]] | ||
=====Authentication Options===== | =====Authentication Options===== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]] | ||
=====Code Review for Managed Code - .Net 1.0 and up===== | =====Code Review for Managed Code - .Net 1.0 and up===== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]] | ||
=====Using OWASP Top 10 as your guideline===== | =====Using OWASP Top 10 as your guideline===== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]] | ||
=====Code review for Unsafe Code (C#)===== | =====Code review for Unsafe Code (C#)===== | ||
| − | #Author Johanna Curiel | + | #Author Johanna Curiel |
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]] | # [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]] | ||
====PHP Specific Issues==== | ====PHP Specific Issues==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]] | # [[CRV2_FrameworkSpecIssuesPHP|Put content here]] | ||
| Line 516: | Line 516: | ||
====C#==== | ====C#==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]] | # [[CRV2_FrameworkSpecIssuesCsharp|Put content here]] | ||
====C/C++==== | ====C/C++==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]] | # [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]] | ||
| Line 528: | Line 528: | ||
====Java==== | ====Java==== | ||
| − | #Author | + | #Author Open |
# [[CRV2_FrameworkSpecIssuesJava|Put content here]] | # [[CRV2_FrameworkSpecIssuesJava|Put content here]] | ||
| Line 541: | Line 541: | ||
====CodeIgniter==== | ====CodeIgniter==== | ||
| − | # Author | + | # Author Open |
# [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]] | # [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]] | ||
| Line 550: | Line 550: | ||
=Code Review Tools= | =Code Review Tools= | ||
https://www.owasp.org/index.php/CRV2_CodeReviewTools | https://www.owasp.org/index.php/CRV2_CodeReviewTools | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 16:33, 20 November 2013
- 1 OWASP Code Review Guide v2.0:
- 1.1 Forward
- 1.2 Code Review Guide Introduction
- 1.2.1 What is source code review and Static Analysis
- 1.2.2 What is Code Review
- 1.2.3 Manual Review - Pros and Cons
- 1.2.4 Advantages of Code Review to Development Practices
- 1.2.5 Why code review
- 1.2.6 We can't hack ourselves secure
- 1.2.7 360 Review: Coupling source code review and Testing / Hybrid Reviews
- 1.2.8 Can static code analyzers do it all?
- 2 Methodology
- 3 Reviewing by Technical Control
- 3.1 Reviewing code for Authentication controls
- 3.2 Reviewing code Authorization weakness
- 3.2.1 Checking authz upon every request
- 3.2.2 Reducing the attack surface
- 3.2.3 SSL/TLS Implementations
- 3.2.4 Reviewing code for Session handling
- 3.2.5 Reviewing client side code
- 3.2.6 Review code for input validation
- 3.2.7 Reviewing code for contextual encoding
- 3.2.8 Reviewing file and resource handling code
- 3.2.9 Resource Exhaustion - error handling
- 3.2.10 Reviewing Logging code - Detective Security
- 3.2.11 Reviewing Error handling and Error messages
- 3.2.12 Reviewing Security alerts
- 3.2.13 Review for active defense
- 3.2.14 Reviewing Secure Storage
- 3.2.15 Hashing & Salting - When, How and Where
- 4 Reviewing by Vulnerability
- 4.1 Review Code for XSS
- 4.2 Persistent - The Anti pattern
- 4.3 Reflected - The Anti pattern
- 4.4 Stored - The Anti pattern
- 4.5 DOM XSS
- 4.6 JQuery mistakes
- 4.7 Reviewing code for SQL Injection
- 4.8 The Anti pattern
- 4.9 Reviewing code for CSRF Issues
- 4.10 Transactional logic / Non idempotent functions / State Changing Functions
- 4.11 Reviewing code for poor logic /Business logic/Complex authorization
- 4.12 Reviewing Secure Communications
- 4.13 Tech-Stack pitfalls
- 4.14 Framework specific Issues
- 4.14.1 Spring
- 4.14.2 Structs
- 4.14.3 Drupal
- 4.14.4 Ruby on Rails
- 4.14.5 Django
- 4.14.6 .NET Security / MVC
- 4.14.7 Security in ASP.NET applications
- 4.14.8 PHP Specific Issues
- 4.14.9 Classic ASP
- 4.14.10 C#
- 4.14.11 C/C++
- 4.14.12 Objective C
- 4.14.13 Java
- 4.14.14 Android
- 4.14.15 Coldfusion
- 4.14.16 CodeIgniter
- 5 Security code review for Agile development
- 6 Code Review Tools
OWASP Code Review Guide v2.0:
Forward
- Author - Eoin Keary
- Previous version to be updated:[[1]]
Code Review Guide Introduction
- Author - Eoin Keary
- Previous version to be updated:[[2]]
What is source code review and Static Analysis
What is Code Review
- Author - Zyad Mghazli, Eoin Keary
- New Section
Manual Review - Pros and Cons
- Author - Zyad Mghazli, Eoin Keary,Gary David Robinson
- New Section
- Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
- Put content here
Advantages of Code Review to Development Practices
- Author - Gary David Robinson
- New Section
- Put content here
Why code review
Scope and Objective of secure code review
- Author - Ashish Rao
- Put content here
We can't hack ourselves secure
- Author - Eoin Keary
- New Section
- Put content here
360 Review: Coupling source code review and Testing / Hybrid Reviews
- Author - Open
- New Section
- Put content here
Can static code analyzers do it all?
- Author - Ashish Rao
- New Section
- Put content here
Methodology
The code review approach
- Author - Open
- Put content here
Preparation and context
- Author - Gary David Robinson
- Previous version to be updated: [[3]]
- Put content here
Application Threat Modeling
- Author - Open
- Previous version to be updated: [[4]]
- Put content here
Understanding Code layout/Design/Architecture
- Author - Open
- Put content here
SDLC Integration
- Author - Open
- Previous version to be updated: [[5]]
- Put content here
Deployment Models
Secure deployment configurations
- Author - Open
- Put content here
- New Section
Metrics and code review
- Author - Open
- Previous version to be updated: [[6]]
- Put content here
Source and sink reviews
- Author - Open
- New Section
- Put content here
Code review Coverage
- Author - Open
- Previous version to be updated: [[7]]
- Put content here
Design Reviews
- Author - Ashish Rao
- Why to review design?
- Building security in design - secure by design principle
- Design Areas to be reviewed
- Common Design Flaws
A Risk based approach to code review
- Author - Open
- New Section
- "Doing things right or doing the right things..."
- "Not all bugs are equal
Crawling code
- Author - Open
- Previous version to be updated: [[8]]
- API of Interest:
- Java
- .NET
- PHP
- RUBY
- Frameworks:
- Spring
- .NET MVC
- Structs
- Zend
- New Section
- Searching for code in C/C++
- Author - Gary David Robinson
Code reviews and Compliance
- Author -Open
- Previous version to be updated: [[9]]
- Put content here
Reviewing by Technical Control
Reviewing code for Authentication controls
- Author - Open
- Put content here
Forgot password
- Author Abbas Naderi, Larry Conklin
- Put content here
Authentication
- Author - Open
- Put content here
CAPTCHA
- Author Larry Conklin, Joan Renchie
Out of Band considerations
- Author - Open
- Previous version to be updated: [[10]]
- Put content here
Reviewing code Authorization weakness
- Author Eoin Keary .NET MVC added
- Put content here
Checking authz upon every request
- Author - Abbas Naderi
- Put content here
Reducing the attack surface
- Author Open
- Previous version to be updated: [[11]]
- Put content here
SSL/TLS Implementations
- Author - Eoin Keary
- Put content here
Reviewing code for Session handling
- Author - Abbas Naderi
- Previous version to be updated: [[12]]
- Put content here
Reviewing client side code
- New Section
- Put content here
Javascript
- Author - Abbas Naderi
- Put content here
JSON
- Author - Open
- Put content here
Content Security Policy
- Author - Open
- Put content here
"Jacking"/Framing
- Author - Eoin Keary
- Put content here
HTML 5?
- Author - Open
- Put content here
Browser Defenses policy
- Author - Open
- Put content here
etc...
Review code for input validation
- Author - Open
- Put content here
Regex Gotchas
- Author - Open
- New Section
- Put content here
ESAPI
- Author - Open
- New Section
- Internal Link: [[13]]
- Put content here
Reviewing code for contextual encoding
Overall approach to content encoding and anti XSS
HTML Attribute
- Author - Eoin Keary
- Put content here
HTML Entity
- Author - Eoin Keary
- Put content here
Javascript Parameters
- Author - Eoin Keary
- Put content here
JQuery
- Author - Open
- Put content here
Reviewing file and resource handling code
- Author - Open
- Put content here
Resource Exhaustion - error handling
- Author - Open
- Put content here
native calls
- Author Open
- Put content here
Reviewing Logging code - Detective Security
- Author - Open
- Where to Log
- What to log
- What not to log
- How to log
- Internal link: [[14]]
- Put content here
Reviewing Error handling and Error messages
- Author - Gary David Robinson
- Previous version to be updated: [[15]]
- Put content here
Reviewing Security alerts
- Author - Open
- Put content here
Review for active defense
- Author - Colin Watson
- Put content here
Reviewing Secure Storage
- Author - Open source
- New Section
- Put content here
Hashing & Salting - When, How and Where
Encrpyption
.NET
- Author Larry Conklin, Joan Renchie
- Previous version to be updated: [[16]]
- Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao
Reviewing by Vulnerability
Review Code for XSS
- Author Examples added by Eoin Keary
- Previous version to be updated: [[17]]
- In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
- Put content here
Persistent - The Anti pattern
- Author
- Put content here
.NET
- Author Johanna Curiel, Eoin Keary
- Put content here
.Java
- Author Johanna Curiel
- Put content here
PHP
- Author Abbas Naderi
- Put content here
Ruby
- Author OPen
- Put content here
Reflected - The Anti pattern
.NET
- Author Johanna Curiel
- Put content here
.Java
- Author Johanna Curiel
- Put content here
PHP
- Author Abbas Naderi
- Put content here
Ruby
- Author - Open
- Put content here
Stored - The Anti pattern
- Author - Open
- Put content here
.NET
- Author Johanna Curiel
- Put content here
.Java
- Author Johanna Curiel
- Put content here
PHP
- Author Abbas Naderi
- Put content here
Ruby
- Author - Open
- Put content here
DOM XSS
- Author Larry Conklin
- Put content here
JQuery mistakes
- Author
- Put content here
Reviewing code for SQL Injection
- Author Open
- Previous version to be updated: [[18]]
- Put content here
PHP
- Author - Mennouchi Islam Azeddine
- Put content here
Java
- Author - Johanna Curiel
- Put content here
.NET
- Author - Open
- Put content here
HQL
- Author - Open
- Put content here
The Anti pattern
- Author Larry Conklin
- Content here
https://www.owasp.org/index.php/CRV2_AntiPattern
PHP
- Author -
- Put content here
Java
- Author -
- => Searching for traditional SQL,JPA,JPSQL,Criteria,...
- Put content here
.NET
- Author Open
- Put content here
Ruby
- Author - Open
- Put content here
Cold Fusion
- Author - Open
- Put content here
Reviewing code for CSRF Issues
- Author Abbas Naderi
- Previous version to be updated: [[19]]
- Put content here
Transactional logic / Non idempotent functions / State Changing Functions
- Author Abbas Naderi
- Put content here
Reviewing code for poor logic /Business logic/Complex authorization
- Author - Open
- Put content here
Reviewing Secure Communications
.NET Config
- Author Johanna Curiel, Renchie Joan
- Put content here
Spring Config
- Author - Open
- Put content here
HTTP Headers
- Author Open
- Put content here
CSP
- Author Open
- Put content here
HSTS
- Author Open
- Put content here
Tech-Stack pitfalls
- Author Open
- Put content here
Framework specific Issues
Spring
- Author - Open
- Put content here
Structs
- Author - Open
- Put content here
Drupal
- Author Open
- Put content here
Ruby on Rails
- Author - Open
- Put content here
Django
- Author Open
- Put content here
.NET Security / MVC
- Author Johanna Curiel, Eoin Keary
- Put content here
Security in ASP.NET applications
- Author Johanna Curiel
- Put content here
Strongly Named Assemblies
- Author Johanna Curiel, Larry Conklin
- Put content here
Round Tripping
- Author - Open
- Put content here
How to prevent Round tripping
- Author - Open
- Author Johanna Curiel
- Put content here
Setting the right Configurations
- Author Johanna Curiel
- Put content here
Authentication Options
- Author Johanna Curiel
- Put content here
Code Review for Managed Code - .Net 1.0 and up
- Author Johanna Curiel
- Put content here
Using OWASP Top 10 as your guideline
- Author Johanna Curiel
- Put content here
Code review for Unsafe Code (C#)
- Author Johanna Curiel
- Put content here
PHP Specific Issues
- Author Open
- Put content here
Classic ASP
- Author Johanna Curiel
- Put content here
C#
- Author Open
- Put content here
C/C++
- Author Open
- Put content here
Objective C
- Author Open
- Put content here
Java
- Author Open
- Put content here
Android
- Author Open
- Put content here
Coldfusion
- Author Open
- Put content here
CodeIgniter
- Author Open
- Put content here
Security code review for Agile development
- Author Carlos Pantelides
- Put content here
