
Difference between revisions of "OWASP Code review V2 Project"

From OWASP
 
(9 intermediate revisions by 2 users not shown)
Line 5: Line 5:
  
 
== Project Lead ==
 
== Project Lead ==
 +
[mailto:larry.conklin@owasp Larry Conklin] and [mailto:gary.robinson@owasp Gary Robinson] are the project leaders.
  
[mailto:[email protected] Eoin Keary] is continuing his successful leadership as the technical lead of the Code Review Guide Project.
+
== Past Project Leader/Project Founder ==
  
[mailto:larry.conklin@owasp Larry Conklin] is the co-leader and project support person.  
+
[mailto:eoin.keary@owasp.org Eoin Keary] Eoin is project originator/founder. Eoin lead the first Code Review Guide which was the first open source secure code review guide ever and a best seller with our publisher lulu.com.
  
  
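Review bot: the mailto targets in the added Project Lead line, `larry.conklin@owasp` and `gary.robinson@owasp`, have no domain suffix, while the founder entry added in the same hunk uses `eoin.keary@owasp.org`; the two links should carry complete addresses (the `.org` form used for Eoin Keary) so the mailto: links actually resolve.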
Line 19: Line 20:
  
 
== Table of Contents for Code Review Guide ==
 
== Table of Contents for Code Review Guide ==
Authors and Reviewers use to TOC to take ownership of content you want to write about or review. Please attach your name here and put link to your content here.
+
Click Link to go to Table of Contents for Code Review Guide  [[https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents]]
 
 
Link to TOC [[https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents]]
 
  
 
== Content Template ==
 
== Content Template ==
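Review bot: the added "Click Link to go to Table of Contents" line and the existing "Link to TOC" line point at the same URL, so the section now links the Table of Contents twice; keep one. Both also wrap an external URL in double square brackets (`[[https://...]]`), which MediaWiki reserves for internal page links, so the link renders as a bare numbered "[[1]]" rather than link text (as seen in the latest revision below); use the single-bracket external-link form, e.g. `[https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents Table of Contents for Code Review Guide]`.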
Line 50: Line 49:
 
** If two or more authors have signed up for a particular section, those authors should contact each other to co-ordinate how the section should be written. (see e-mail addressed below).  
 
** If two or more authors have signed up for a particular section, those authors should contact each other to co-ordinate how the section should be written. (see e-mail addressed below).  
  
* '''Our Aim to have a full review draft of all sections by September 2013'''
 
 
** Reviewing the document sections will take time, and this important task cannot be left until the last minute.  If all sections are ready for review by September 14th then we will have around 2 months to perform reviews (and pick up any slack).
 
** Reviewing the document sections will take time, and this important task cannot be left until the last minute.  If all sections are ready for review by September 14th then we will have around 2 months to perform reviews (and pick up any slack).
  
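Review bot: this hunk appears to drop the parent bullet "Our Aim to have a full review draft of all sections by September 2013" (it occurs only once, without a `+`), but the sub-bullet that follows is kept and still refers to "ready for review by September 14th" and "around 2 months to perform reviews", so the dates now belong to no stated deadline; either keep the parent bullet or reword the sub-bullet so it stands on its own.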
Line 63: Line 61:
  
 
== Code Review Guide Authors and Reviewers ==
 
== Code Review Guide Authors and Reviewers ==
Please do not email authors or reviewers on matters outside of the Code Review Guide project. Authors and reviewers have allowed us to publish their email address to help promote collaboration between authors and or reviewers.
+
* Larry Conklin
 
+
* Johanna Curiel
* '' Abbas Naderi: [email protected]
+
* Eoin Keary
+
* Islam Azeddine Mennouchi
* '' Anand Prakash  [email protected]
+
* Abbas Naderi
* '' Andre Gironda [email protected]
+
* Carlos Pantelides
* '' Andreas Athanasoulias [email protected]
+
* Ashish Rao
* '' Ashish Rao [email protected]
+
* Gary David Robinson
* '' Avi Douglen [email protected]
+
* Colin Watson
* '' Azzeddine Ramrami: [email protected]
+
* Mghazli Zyad
 
 
* '' Bob Wintemberg [email protected]
 
* '' Chris Berberich <[email protected]>
 
 
* '' Gary David Robinson <[email protected]>
 
* '' Greg Disney: [email protected]
 
* '' Hartl, Manuel <[email protected]>
 
* '' James Widener [email protected]
 
* '' Jason Karlin <[email protected]>
 
 
 
* '' Manuel Hartl [email protected]
 
* '' Mittal Mehta [email protected]
 
* '' Mghazli Zyad <[email protected]>
 
* '' Mohammed Damavandi [email protected]
 
* '' Neil Matatall [email protected]
 
 
 
 
* '' Renchie Joan Abraham: [email protected]
 
* '' Said Moftakhar [email protected]
 
* '' Shahryar Jahangir [email protected]
 
* '' Shenal Silva [email protected]
 
* '' Sherif Koussa [email protected]
 
 
* '' Sravan Kumar [email protected]
 
 
* '' Travis Risner [email protected]
 
 
 
 
 
 
 
== Project Meetings ==
 
===Schedule meetings===
 
Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.
 
 
 
United States: +1 (626) 521-0017
 
United States (toll-free): 1 877 309 2070
 
Audio PIN: Shown after joining the meeting
 
 
 
GoToMeeting®
 
Online Meetings Made Easy®
 
 
 
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app.
 
====Jun 28, 2013 at 6:00 AM CDT====
 
https://www3.gotomeeting.com/join/128837550
 
 
 
====Jul 12, 2013 at 6:00 AM CDT====
 
https://www3.gotomeeting.com/join/510366958
 
 
 
====Jul 26, 2013 at 6:00 AM CDT====
 
https://www3.gotomeeting.com/join/550177598
 
 
 
 
 
== Project Meeting Notes ==
 
===March 8, 2013===
 
Eoin audio was breaking up. Eoin mention having a working group email distro list for authors and reviewers.
 
 
 
Samantha sent out grant chat for review. Eoin is creating a template for Authors to us.
 
 
 
===Friday, March 22, 13===
 
Met with  Johanna Curiel and Sherif Koussa. We met for a little under an hour.
 
I brought on the point that code review structure needs to include configuration/xml files besides actual code. OWASP top ten now includes security misconfigurations that are no longer just at the level of infrastructure level on an organization but can happen by the application programmer.
 
 
 
We talk about the current structure. Sherif made the suggestion that the code review structure should use a top down approach with top being more process oriented with a generic checklist to cover all programming platforms. This high level approach would follow the OWASP top ten list but be at a slightly lower level.
 
 
 
From that generic checklist we could subdivide it into sections for each language and specific techniques to help guide the code reviewer.
 
 
 
Johanna and I both thought we would still need the checklist (maybe at a subsection level) to be specific to a language platform.
 
 
 
Some sections would only need to be at a generic level such as session management. (???)
 
I think the current TOC actual might have this in mind but maybe it could be laid out with top levels talking about processes.
 
 
 
Sherif also brought up the point about where the code review process would take place in SDLC. Would it be for at the application level or at the code module level? Would we have a code review process that takes place in application design level so security would not be bolted on as an after thought.
 
 
 
===Wednesday April 3, 2013===
 
It was agreed that by 4/5/2013 we are going with the TOC as it is. Eoin is very open that during the project that if a subject matter that needs to be included it will be addresses at that time.
 
We are working on assigning dates to sections and authors.
 
 
 
Samantha is working on getting base line wiki pages created for the project so authors can add contributed text.
 
Eoin emphasized that all work submitted by each author needs to be original work. Authors do not need to put extra effort/work into diagrams. Eoin says will have all artwork touched up by a profession. We also need to make sure where necessary we have the proper references.
 
 
 
===Friday April 20,2013===
 
===Friday May 3, 2013===
 
===Friday May 17,2013===
 
===Friday June 14,2013===
 
So far there has been a slow start-up on actual work being done on the wiki sections.  If you still intend to work on a section please start (at least with a outline) in the wiki by July 14th so the project coordinators can know you are active on the section. 
 
 
 
If you feel you have taken on too many sections then please remove your name from that section as soon as possible to allow the project coordinators to begin re-assigning. 
 
Any sections that are ''not started by July 14th'' will have the author automatically removed.
 
 
 
Our aim to have a full review draft of all sections by September 2013''
 
 
 
===Friday August 23, 2013===
 
Notes from Aug 23 Meeting.
 
 
 
Discussed checklist for Code Review Guide. Samantha likes the idea but consoles us to gather all content for book before group works on checklist.  I agree with that approach. Several members have talked about checklist so it is something on peoples mind. Idea is simple the Code Review Guide is the authoritarian exhaustive resource on Code Reviews. Checklist can be a much more reduced booklet that concentrates on a single language like c#, java, c++, php, etc.
 
 
 
Group discussed concern about Code Review Guide is to .Net centric and we need to get authors to write about Ruby, PHP, Java.  I discussed that I saw a “Top Ten Vulnerabilities” for the Java language. I brought up the document. Samantha gave us three names that helped create the “Top Ten Vulnerabilities” Java document. I have written to those individuals for help with Java and Code Review Guide.
 
 
 
We also discussed the possibility of reaching out to chapters to help provide sample code and explanations for Ruby and PHP.
 
 
 
Authors if you haven’t already please up the placeholder of your content. Remember if you have any concerns please contact me or Eoin Keary.
 
 
 
 
 
 
 
 
 
==Project Status==
 
April 2013 Status [[http://www.owasp.com/index.php?title=Projects/CRV2_MonthStatusApril2013&redirect=no]]
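Review bot: the replacement author list drops the e-mail addresses, but the unchanged introductory sentence still reads "Authors and reviewers have allowed us to publish their email address to help promote collaboration between authors and or reviewers", and the Content Template section above still says "(see e-mail addressed below)"; both should be updated to point authors at the authors mailing list or another contact route. The old entries also opened an italic marker (`* ''`) that was never closed, which the new plain `*` entries avoid. The Project Meetings, Project Meeting Notes and Project Status material that follows the list occurs only once in this hunk without a `+` marker, i.e. it is being removed; taking the dial-in numbers and meeting join links off the landing page is sensible, but if the dated meeting notes are still wanted they should be moved to a separate page rather than discarded.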
 

Latest revision as of 20:20, 8 September 2014

Overview

Welcome to the continuation of the OWASP Code Review Guide Project! The aim of Code Review Guide Project 2.0 is to bring the successful OWASP Code Review Guide up to date.

Project Lead

Larry Conklin and Gary Robinson are the project leaders.

Past Project Leader/Project Founder

Eoin Keary is the project originator and founder. Eoin led the first Code Review Guide, which was the first-ever open source secure code review guide and a best seller with our publisher lulu.com.


Email List

You can sign up for the OWASP Code Review Guide Project email lists (the general Code Review Guide list and the Code Review Guide authors list) at:

http://lists.owasp.org/mailman/listinfo/owasp-codereview
http://lists.owasp.org/mailman/listinfo/owasp_code_review_guide_authors

Table of Contents for Code Review Guide

Click the link to go to the Table of Contents for the Code Review Guide: https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents

Content Template

General template to be used by Code Review Guide authors.

Section Title

  • Abstract
  • Description of the issue/control.

Anti-Pattern – How to identify vulnerable code

  • Typical API calls used
  • Vulnerable syntax
  • Java/.Net imports generally found in relation to the issue.
  • Possible solutions.
  • Refer to the Development Guide.
  • Borrow from the Cheat Sheet series; don't copy from the internet, original work only.

Typical suggestions.

Working Notes For Authors

  • Work in the wiki
    • This shares your workings and progress with other authors who might wish to collaborate on the topic.
  • Don't wait until your writing is complete to add to the wiki
    • Feel free to put outlines, thoughts, rough passages, etc. in the wiki as you go along; again, this shows you are working on the section and lets other authors (who might need to reference your section in the completed document) know what you plan to cover.
  • Reach out to co-authors
    • If two or more authors have signed up for a particular section, those authors should contact each other to co-ordinate how the section should be written (see e-mail addresses below).
    • Reviewing the document sections will take time, and this important task cannot be left until the last minute. If all sections are ready for review by September 14th then we will have around 2 months to perform reviews (and pick up any slack).

Writing Style/Notes

  • References

We are using the APA style of referencing our sources for the Code Review Guide V2. Please use this style when referencing any sources for your sections. See the APA Style site (http://www.apastyle.org/) for examples and more information, and reach out to the (list) with any questions.

Try to reference other sections of the Code Review Guide first; otherwise, try to reference other parts of the OWASP web site or other OWASP projects. If your reference does not fit into the OWASP documentation, then reference outside (internet) materials, being careful not to mention specific vendors or brands.


Code Review Guide Authors and Reviewers

  • Larry Conklin
  • Johanna Curiel
  • Eoin Keary
  • Islam Azeddine Mennouchi
  • Abbas Naderi
  • Carlos Pantelides
  • Ashish Rao
  • Gary David Robinson
  • Colin Watson
  • Mghazli Zyad