Latest revision as of 01:27, 8 January 2016

1 OWASP Code Review Guide v2.0:
- 1.1 Forward
- 1.2 Code Review Guide Introduction
2 Methodology
- 2.1 The code review approach
- 2.2 SDLC Integration
3 Reviewing by Technical Control
- 3.1 Reviewing code for Authentication controls
- 3.2 Reviewing code Authorization weakness
4 Reviewing by Vulnerability
5 Security code review for Agile development
6 Code Review for Backdoors
7 Code Review Tools

OWASP Code Review Guide v2.0:

Forward

Author - Eoin Keary
Previous version to be updated:[[1]]

Content here

Code Review Guide Introduction

Author - Eoin Keary
Previous version to be updated:[[2]]

Content here

What is source code review and Static Analysis

What is Code Review

Author - Zyad Mghazli, Eoin Keary
New Section

Content here

Manual Review - Pros and Cons

Author - Zyad Mghazli, Eoin Keary,Gary David Robinson
New Section
Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
Put content here

Advantages of Code Review to Development Practices

Author - Gary David Robinson
New Section
Put content here

Why code review

Scope and Objective of secure code review

Author - Ashish Rao
Put content here

We can't hack ourselves secure

Author - Eoin Keary
New Section
Put content here

360 Review: Coupling source code review and Testing / Hybrid Reviews

Author - eoin Keary
New Section
Put content here

Can static code analyzers do it all?

Author - Ashish Rao
New Section
Put content here

Methodology

The code review approach

Author - Johanna Curiel
Put content here

Preparation and context

Author - Gary David Robinson
Previous version to be updated: [[3]]
Put content here

Application Threat Modeling

Author - Larry Conklin
Previous version to be updated: [[4]]
Put content here

Understanding Code layout/Design/Architecture

Author - Open
Put content here

Understanding Business Logic

Put content here

SDLC Integration

Author - Larry Conklin
Previous version to be updated: [[5]]
Put content here

Deployment Models

Secure deployment configurations

Author -
Put content here

New Section

Metrics and code review

Author [email protected]
Previous version to be updated: [[6]]
Put content here

Source and sink reviews

Author - Open
New Section
Put content here

Code review Coverage

Author - Open
Previous version to be updated: [[7]]
Put content here

Design Reviews

Author - Ashish Rao

Why to review design?
- Building security in design - secure by design principle
- Design Areas to be reviewed
- Common Design Flaws

Put content here

A Risk based approach to code review

Author - Gary David Robinson
New Section

"Doing things right or doing the right things..."
- "Not all bugs are equal

Put content here

Crawling code

Author - Open
Previous version to be updated: [[8]]

API of Interest:
- Java
- .NET
- PHP
- RUBY
Frameworks:
- Spring
- .NET MVC
- Struts
- Zend

New Section

Searching for code in C/C++

Author - Gary David Robinson

Put content here

Code reviews and Compliance

Author -Open
Previous version to be updated: [[9]]
Put content here

Reviewing by Technical Control

Reviewing code for Authentication controls

Author - Gary Robinson
Put content here

Forgot password

Author Abbas Naderi, Larry Conklin
Put content here

CAPTCHA

Author Larry Conklin, Joan Renchie

Content here

Out of Band considerations

Author - Gary Robinson
Previous version to be updated: [[10]]
Put content here

Reviewing code Authorization weakness

Author Eoin Keary .NET MVC added
Put content here

Checking authz upon every request

Author - Abbas Naderi
Put content here

Reducing the attack surface

Author Gary Robinson
Previous version to be updated: [[11]]
Put content here

SSL/TLS Implementations

Author - Eoin Keary
Put content here

Reviewing code for Session handling

Author - Abbas Naderi
Previous version to be updated: [[12]]
Put content here

Reviewing client side code

New Section
Put content here

Javascript

Author - Abbas Naderi
Put content here

JSON

Author - Open
Put content here

Content Security Policy

Author - Open
Put content here

"Jacking"/Framing

Author - Eoin Keary
Put content here

HTML 5?

Author - Open
Put content here

Browser Defenses

Author - Open
Put content here

etc...

Review code for input validation

Author - Open
Put content here

Regex Gotchas

Author - Open
New Section
Put content here

ESAPI

Author - Open
New Section
Internal Link: [[13]]
Put content here

Microsoft Web Protection Library

Author - Michael Hidalgo
New Section
Internal Link: [[14]]
Put content here

Reviewing code for contextual encoding

Overall approach to content encoding and anti XSS

HTML Attribute

Author - Eoin Keary
Put content here

HTML Entity

Author - Eoin Keary
Put content here

Javascript Parameters

Author - Eoin Keary
Put content here

Reviewing Logging code - Detective Security

Author - Gary Robinson

Where to Log
What to log
What not to log
How to log

Internal link: [[15]]
Put content here

Reviewing Error handling and Error messages

Author - Gary David Robinson
Previous version to be updated: [[16]]
Put content here

Reviewing Security alerts

Author - Gary Robinson
Put content here

Review for active defense

Author - Colin Watson
Put content here

Reviewing Secure Storage

Author - Open source
New Section
Put content here

Hashing & Salting - When, How and Where

Encryption

.NET

Author Larry Conklin, Joan Renchie
Previous version to be updated: [[17]]

Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao

Content here

Reviewing by Vulnerability

Review Code for XSS

Author Examples added by Eoin Keary
Previous version to be updated: [[18]]
In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
Put content here

Persistent - The Anti pattern

Author
Put content here

.NET

Author Johanna Curiel, Eoin Keary
Put content here

.Java

Author Johanna Curiel
Put content here

PHP

Author Abbas Naderi
Put content here

Ruby

Author Open
Put content here

Reflected - The Anti pattern

Put content here

.NET

Author Johanna Curiel
Put content here

.Java

Author Johanna Curiel
Put content here

PHP

Author Abbas Naderi
Put content here

Ruby

Author - Open
Put content here

Stored - The Anti pattern

Author - Johanna Curiel
Put content here

.NET

Author Johanna Curiel
Put content here

.Java

Author Johanna Curiel
Put content here

PHP

Author Johanna Curiel
Put content here

Ruby

Author - Johanna Curiel
Put content here

DOM XSS

Author Larry Conklin
Put content here

JQuery mistakes

Author
Put content here

Reviewing code for SQL Injection

Author Gary Robinson
Previous version to be updated: [[19]]
Put content here

PHP

Author - Mennouchi Islam Azeddine
Put content here

Java

Author - Johanna Curiel
Put content here

.NET

Author - Open
Put content here

HQL

Author - Open
Put content here

The Anti pattern

Author Larry Conklin
Content here

https://www.owasp.org/index.php/CRV2_AntiPattern

PHP

Author -
Put content here

Java

Author -
=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
Put content here

.NET

Author Open
Put content here

Ruby

Author - Open
Put content here

Cold Fusion

Author - Open
Put content here

Reviewing code for CSRF Issues

Author Abbas Naderi
Previous version to be updated: [[20]]
This page needs to be deleted. Put content here

(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions

Put content here

Reviewing code for poor logic /Business logic/Complex authorization

Author - Open
Put content here

Reviewing Secure Communications

.NET Config

Author Johanna Curiel, Renchie Joan
Put content here

Spring Config

Author - Open
Put content here

HTTP Headers

Author Gary Robinson
Put content here

Tech-Stack pitfalls

Author Open
Put content here

Framework specific Issues

Spring

Author - Open
Put content here

Struts

Author - Open
Put content here

Drupal

Author Open
Put content here

Ruby on Rails

Author - Open
Put content here

Django

Author Open
Put content here

.NET Security / MVC

Author Johanna Curiel, Eoin Keary
Put content here

Security in ASP.NET applications

Author Johanna Curiel
Put content here

Strongly Named Assemblies

Author Johanna Curiel, Larry Conklin
Put content here

Round Tripping

Author - Open
Put content here

How to prevent Round tripping

Author - Open
Author Johanna Curiel
Put content here

Setting the right Configurations

Author Johanna Curiel
Put content here

Authentication Options

Author Johanna Curiel
Put content here

Code Review for Managed Code - .Net 1.0 and up

Author Johanna Curiel
Put content here

Using OWASP Top 10 as your guideline

Author Johanna Curiel
Put content here

Code review for Unsafe Code (C#)

Author Johanna Curiel
Put content here

PHP Specific Issues

Author Open
Put content here

Classic ASP

Author Johanna Curiel
Put content here

C#

Author Open
Put content here

C/C++

Author Open
Put content here

Objective C

Author Open
Put content here

Java

Author Open
Put content here

Android

Author Open
Put content here

Coldfusion

Author Open
Put content here

CodeIgniter

Author Open
Put content here

Security code review for Agile development

Author Carlos Pantelides
Put content here

Code Review for Backdoors

Author Yiannis Pavlosoglou

The review of a piece of source code for backdoors has one excruciating difference to a traditional source code review: The fact that someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and can sometimes be considered not a code review per say.

A traditional code review has the objective of determining if a vulnerability is present within the code, further to this if the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective to determine if a certain portion of the codebase is carrying code that is unnecessary for the logic and implementation of the use cases it serves.

Further to this, the reviewer, looks for the trigger points of that logic. Typical examples include a branch statement going off to a part of assembly or obfuscated code. The reviewer is looking for patterns of abnormality in terms of code segments that would not be expected to be present under normal conditions.

An excellent introduction into how to look for rootkits in the Java programming language can be found here. In this paper J. Williams covers a variety of backdoor examples including file system access through a web server, as well as time based attacks involving a key aspect of malicious functionality been made available after a certain amount of time. Such examples form the foundation of what any reviewer for back doors should try to automate, regardless of the language in which the review is taking place.

Code Review Tools

https://www.owasp.org/index.php/CRV2_CodeReviewTools

@@ Line 14: / Line 14: @@
 === What is source code review and Static Analysis ===
 === What is Code Review ===
-# Author - Zyad Mghazli
+# Author - Zyad Mghazli, Eoin Keary
 # New Section
 ''' [[CRV2_WhatIsCodeReview|Content here]]'''
 === Manual Review - Pros and Cons ===
-# Author - Ashish Rao
+# Author - Zyad Mghazli, Eoin Keary,Gary David Robinson
 # New Section
 # Suggestion: Benchmark of different Stataic Analysis Tools  Zyad Mghazli
@@ Line 35: / Line 35: @@
 === We can't hack ourselves secure ===
-# Author - Prathamesh Mhatre
+# Author - Eoin Keary
 # New Section
 # [[CRV2_CantHackSecure|Put content here]]
 === 360 Review: Coupling source code review and Testing / Hybrid Reviews===
-# Author - Ashish Rao
+# Author - eoin Keary
 # New Section
 # [[CRV2_360Review|Put content here]]
@@ Line 51: / Line 51: @@
 =Methodology=
 ===The code review approach===
-#Author -  Prathamesh Mhatre
+#Author -  Johanna Curiel
 # [[CRV2_CodeReviewApproach|Put content here]]
@@ Line 60: / Line 60: @@
 ====Application Threat Modeling====
-#Author - Andy, Renchie Joan
+#Author - Larry Conklin
 # Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
 # [[CRV2_AppThreatModeling|Put content here]]
 ====Understanding Code layout/Design/Architecture====
-#Author - Ashish Rao
+#Author - Open
 # [[CRV2_CodeLayoutDesignArch|Put content here]]
+====Understanding Business Logic====
+#[[CRV2_BusinessLogic|Put content here]]
 ===SDLC Integration===
-#Author - Andy, Ashish Rao
+#Author - Larry Conklin
 # Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
 # [[CRV2_SDLCInt|Put content here]]
@@ Line 75: / Line 77: @@
 ====Deployment Models====
 =====Secure deployment configurations=====
-#Author - Ashish Rao
+#Author -
 # [[CRV2_SecDepConfig|Put content here]]
 # New Section
 =====Metrics and code review=====
-#Author - Andy
+#Author -[email protected]
 # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
 # [[CRV2_MetricsCodeRev|Put content here]]
 =====Source and sink reviews=====
-#Author - Ashish Rao
+#Author - Open
 # New Section
 # [[CRV2_SourceSinkRev|Put content here]]
@@ Line 103: / Line 105: @@
 =====A Risk based approach to code review=====
-#Author - Renchie Joan
+#Author - Gary David Robinson
 #New Section
 *"Doing things right or doing the right things..."
@@ Line 110: / Line 112: @@
 ====Crawling code====
-#Author - Abbas Naderi
+#Author - Open
 # Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
 *API of Interest:
@@ Line 120: / Line 122: @@
 **Spring
 **.NET MVC
-**Structs
+**Struts
 **Zend
 #New Section
@@ Line 129: / Line 131: @@
 ====Code reviews and Compliance====
-#Author -Manual Harti
+#Author -Open
 # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
 # [[CRV2_CodeRevCompliance|Put content here]]
@@ Line 135: / Line 137: @@
 =Reviewing by Technical Control=
 ===Reviewing code for Authentication controls===
-#Author - Anand Prakash, Joan Renchie
+#Author - Gary Robinson
 # [[CRV2_AuthControls|Put content here]]
@@ Line 141: / Line 143: @@
 #Author Abbas Naderi, Larry Conklin
 # [[CRV2_ForgotPassword|Put content here]]
-====Authentication====
-#Author - Anand Prakash, Joan Renchie
-# [[CRV2_Authentication|Put content here]]
 ====CAPTCHA====
@@ Line 151: / Line 149: @@
 ====Out of Band considerations====
-#Author - Open
+#Author - Gary Robinson
 # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
 # [[CRV2_OutofBand|Put content here]]
 ===Reviewing code Authorization weakness===
-#Author Ashish Rao (Eoin Keary .NET MVC added)
+#Author Eoin Keary .NET MVC added
 # [[CRV2_AuthorizationWeaknesses|Put content here]]
 ====Checking authz upon every request====
-#Author - Abbas Naderi, Joan Renchie
+#Author - Abbas Naderi
 # [[CRV2_CheckAuthzEachRequest|Put content here]]
 ====Reducing the attack surface====
-#Author Chris Berberich
+#Author Gary Robinson
 # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
 # [[CRV2_ReducingAttSurf|Put content here]]
@@ Line 173: / Line 171: @@
 ====Reviewing code for Session handling====
-#Author - Palak Gohil, Abbas Naderi
+#Author - Abbas Naderi
 # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
 # [[CRV2_SessionHandling|Put content here]]
@@ Line 198: / Line 196: @@
 =====HTML 5?=====
-#Author - Sebastien Gioria
+#Author - Open
 # [[CRV2_ClientSideCodeHTML5|Put content here]]
-=====Browser Defenses policy=====
+=====Browser Defenses=====
 #Author - Open
 # [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]
@@ Line 212: / Line 210: @@
 =====Regex Gotchas=====
-#Author - Abbas Naderi
+#Author - Open
 #New Section
 # [[CRV2_InputValRegexGotchas|Put content here]]
 =====ESAPI=====
-#Author - Abbas Naderi
+#Author - Open
 #New Section
 # Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 # [[CRV2_InputValESAPI|Put content here]]
+=====Microsoft Web Protection Library=====
+#Author - Michael Hidalgo
+#New Section
+# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
+# [[CRV2_InputValMicrosoftWebProtectionLibrary|Put content here]]
 ====Reviewing code for contextual encoding====
+[[Overall approach to content encoding and anti XSS]]
 =====HTML Attribute=====
-#Author - Shenai Silva
+#Author - Eoin Keary
 # [[CRV2_ContextEncHTMLAttribute|Put content here]]
 =====HTML Entity=====
-#Author - Shenai Silva
+#Author - Eoin Keary
 # [[CRV2_ContextEncHTMLEntity|Put content here]]
 =====Javascript Parameters=====
-#Author - Open
+#Author - Eoin Keary
 # [[CRV2_ContextEncJscriptParams|Put content here]]
 =====JQuery=====
-#Author - Abbas Naderi
+#Author - Open
 # [[CRV2_ContextEncJQuery|Put content here]]
@@ Line 244: / Line 249: @@
 ====Resource Exhaustion - error handling====
-#Author - Abbas Naderi
+#Author - Open
 # [[CRV2_ResourceExhaustionErrHandling|Put content here]]
 =====native calls=====
-#Author Abbas Naderi
+#Author Open
 # [[CRV2_ResourceExhaustionNativeCalls|Put content here]]
 ====Reviewing Logging code - Detective Security====
-#Author - Palak Gohil
+#Author - Gary Robinson
 * Where to Log
 * What to log
@@ Line 266: / Line 271: @@
 ====Reviewing Security alerts====
-#Author - Open
+#Author - Gary Robinson
 # [[CRV2_SecurityAlerts|Put content here]]
@@ Line 274: / Line 279: @@
 ====Reviewing Secure Storage====
-#Author - Azzeddine Ramrami
+#Author - Open source
 # New Section
 # [[CRV2_SecureStorage|Put content here]]
 ====Hashing & Salting - When, How and Where====
-=====Encrpyption=====
+=====Encryption=====
 ======.NET======
 #Author Larry Conklin, Joan Renchie
@@ Line 288: / Line 293: @@
 =Reviewing by Vulnerability=
 ===Review Code for XSS===
-#Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
+#Author Examples added by Eoin Keary
 # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
 # In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
@@ Line 294: / Line 299: @@
 ===Persistent - The Anti pattern===
-#Author Abbas Naderi
+#Author
 # [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]
 ====.NET====
-#Author Johanna Curiel, Renchie Joan, Larry Conklin
+#Author Johanna Curiel, Eoin Keary
 # [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]
 ====.Java====
-#Author Palak Gohil
+#Author Johanna Curiel
 # [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]
 ====PHP====
-#Author Mohammed Damavandi, Abbas Naderi
+#Author Abbas Naderi
 # [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]
 ====Ruby====
-#Author Chris Berberich
+#Author Open
 # [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]
@@ Line 317: / Line 322: @@
 ====.NET====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]
 ====.Java====
-#Author Palak Gohil
+#Author Johanna Curiel
 # [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]
 ====PHP====
-#Author Mohammed Damavandi, Abbas Naderi
+#Author Abbas Naderi
 # [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]
@@ Line 333: / Line 338: @@
 ===Stored - The Anti pattern===
-# Author - Open
+# Author - Johanna Curiel
 # [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]
 ====.NET====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]
 ====.Java====
-#Author Palak Gohil
+#Author Johanna Curiel
 # [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]
 ====PHP====
-#Author Mohammed Damavandi, Abbas Naderi
+#Author Johanna Curiel
 # [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]
 ====Ruby====
-#Author - Open
+#Author - Johanna Curiel
 # [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]
@@ Line 357: / Line 362: @@
 ===JQuery mistakes===
-#Author Shenal Silva
+#Author
 # [[CRV2_JQueryMistakes|Put content here]]
 ===Reviewing code for SQL Injection===
-#Author Palak Gohil, Renchie Joan
+#Author Gary Robinson
 # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
 # [[CRV2_RevCodeSQLInjection|Put content here]]
@@ Line 370: / Line 375: @@
 ====Java====
-#Author - Open
+#Author - Johanna Curiel
 # [[CRV2_SQLInjJava|Put content here]]
 ====.NET====
-#Author - Mennouchi Islam Azeddine
+#Author - Open
 # [[CRV2_SQLInjdotNET|Put content here]]
@@ Line 386: / Line 391: @@
 https://www.owasp.org/index.php/CRV2_AntiPattern
 ====PHP====
-#Author - Mohammad Damavandi, Abbas Naderi
+#Author -
 # [[CRV2_AntiPatternPHP|Put content here]]
 ====Java====
-#Author - Palak Gohil
+#Author -
 #=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
 # [[CRV2_AntiPatternJava|Put content here]]
 ====.NET====
-#Author Johanna Curiel, Renchie Joan,Larry Conklin
+#Author Open
 # [[CRV2_AntiPatterndotNet|Put content here]]
@@ Line 407: / Line 412: @@
 ===Reviewing code for CSRF Issues===
-#Author Palak Gohil,Anand Prakash, Abbas Naderi
+#Author Abbas Naderi
 # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
-# [[CRV2_CSRFIssues|Put content here]]
+# This page needs to be deleted. [[CRV2_CSRFIssues|Put content here]]
-===Transactional logic / Non idempotent functions / State Changing Functions===
+===(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions===
-#Author Abbas Naderi
 # [[CRV2_TransLogic|Put content here]]
 ===Reviewing code for poor logic /Business logic/Complex authorization===
-#Author - Sam Denard
+#Author - Open
 # [[CRV2_PoorLogic|Put content here]]
@@ Line 429: / Line 433: @@
 ====HTTP Headers====
-#Author Gregory Disney, Abbas Naderi
+#Author Gary Robinson
 # [[CRV2_SecCommsHTTPHdrs|Put content here]]
-=====CSP=====
-#Author Gregory Disney
-# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]
-=====HSTS=====
-#Author Abbas Naderi
-# [[CRV2_SecCommsHTTPHSTS|Put content here]]
 ===Tech-Stack pitfalls===
-#Author Gregory Disney
+#Author Open
 # [[CRV2_TechStackPitfalls|Put content here]]
@@ Line 449: / Line 445: @@
 # [[CRV2_FrameworkSpecIssuesSpring|Put content here]]
-====Structs====
+====Struts====
 #Author - Open
-# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]
+# [[CRV2_FrameworkSpecIssuesStruts|Put content here]]
 ====Drupal====
-#Author Gregory Disney
+#Author Open
-# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]
+# [[CRV2_FrameworkSpecIssuesDrupal|Put content here]]
 ====Ruby on Rails====
@@ Line 462: / Line 458: @@
 ====Django====
-#Author Gregory Disney
+#Author Open
 # [[CRV2_FrameworkSpecIssuesDjango|Put content here]]
 ====.NET Security / MVC====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel, Eoin Keary
 # [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]
 ====Security in ASP.NET applications====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]
 =====Strongly Named Assemblies=====
-#Author Johanna Curiel, Renchie Joan, Larry Conklin
+#Author Johanna Curiel, Larry Conklin
 # [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]
@@ Line 483: / Line 479: @@
 ======How to prevent Round tripping======
 # Author - Open
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]
 =====Setting the right Configurations=====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]
 =====Authentication Options=====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]
 =====Code Review for Managed Code - .Net 1.0 and up=====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]
 =====Using OWASP Top 10 as your guideline=====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]
 =====Code review for Unsafe Code (C#)=====
-#Author Johanna Curiel, Renchie Joan
+#Author Johanna Curiel
 # [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]
 ====PHP Specific Issues====
-#Author Mohammad Damavandi, Abbas Naderi
+#Author Open
 # [[CRV2_FrameworkSpecIssuesPHP|Put content here]]
@@ Line 515: / Line 511: @@
 ====C#====
-#Author Johanna Curiel, Renchie Joan
+#Author Open
 # [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]
 ====C/C++====
-#Author Gary David Robinson
+#Author Open
 # [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]
@@ Line 527: / Line 523: @@
 ====Java====
-#Author Palak Gohil
+#Author Open
 # [[CRV2_FrameworkSpecIssuesJava|Put content here]]
@@ Line 540: / Line 536: @@
 ====CodeIgniter====
-# Author [[User:Zakiakhmad]]
+# Author Open
 # [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]]
@@ Line 547: / Line 543: @@
 # [[CRV2_CodeReviewAgile|Put content here]]
+=Code Review for Backdoors=
+#Author Yiannis Pavlosoglou
+The review of a piece of source code for backdoors has one excruciating difference to a traditional source code review: The fact that someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and can sometimes be considered not a code review per say.
+A traditional code review has the objective of determining if a vulnerability is present within the code, further to this if the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective to determine if a certain portion of the codebase is carrying code that is unnecessary for the logic and implementation of the use cases it serves.
+Further to this, the reviewer, looks for the trigger points of that logic. Typical examples include a branch statement going off to a part of assembly or obfuscated code. The reviewer is looking for patterns of abnormality in terms of code segments that would not be expected to be present under normal conditions.
+An excellent introduction into how to look for rootkits in the Java programming language can be found [https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf  here]. In this paper J. Williams covers a variety of backdoor examples including file system access through a web server, as well as time based attacks involving a key aspect of malicious functionality been made available after a certain amount of time. Such examples form the foundation of what any reviewer for back doors should try to automate, regardless of the language in which the review is taking place.
 =Code Review Tools=
 https://www.owasp.org/index.php/CRV2_CodeReviewTools
-=Willing to review drafts=
-#Terry Nerpester
-#Larry Conklin
-#Gary David Robinson
-#Simon Whittaker
-#Jason Johnson
-#Carlos Pantelides

Difference between revisions of "OWASP Code Review V2 Table of Contents"

Latest revision as of 01:27, 8 January 2016

OWASP Code Review Guide v2.0:

Forward

Code Review Guide Introduction

What is source code review and Static Analysis

What is Code Review

Manual Review - Pros and Cons

Advantages of Code Review to Development Practices

Why code review

Scope and Objective of secure code review

We can't hack ourselves secure

360 Review: Coupling source code review and Testing / Hybrid Reviews

Can static code analyzers do it all?

Methodology

The code review approach

Preparation and context

Application Threat Modeling

Understanding Code layout/Design/Architecture

Understanding Business Logic

SDLC Integration

Deployment Models

Secure deployment configurations

Metrics and code review

Source and sink reviews

Code review Coverage

Design Reviews

A Risk based approach to code review

Crawling code

Code reviews and Compliance

Reviewing by Technical Control

Reviewing code for Authentication controls

Forgot password

CAPTCHA

Out of Band considerations

Reviewing code Authorization weakness

Checking authz upon every request

Reducing the attack surface

SSL/TLS Implementations

Reviewing code for Session handling

Reviewing client side code

Javascript

JSON

Content Security Policy

"Jacking"/Framing

HTML 5?

Browser Defenses

etc...

Review code for input validation

Regex Gotchas

ESAPI

Microsoft Web Protection Library

Reviewing code for contextual encoding

HTML Attribute

HTML Entity

Javascript Parameters

JQuery

Reviewing file and resource handling code

Resource Exhaustion - error handling

native calls

Reviewing Logging code - Detective Security

Reviewing Error handling and Error messages

Reviewing Security alerts

Review for active defense

Reviewing Secure Storage

Hashing & Salting - When, How and Where

Encryption

.NET

Reviewing by Vulnerability

Review Code for XSS

Persistent - The Anti pattern

.NET

.Java

PHP

Ruby

Reflected - The Anti pattern

.NET

.Java

PHP

Ruby