This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Code Review Project"

From OWASP
Jump to: navigation, search
(Slight update)
 
(127 intermediate revisions by 4 users not shown)
Line 1: Line 1:
=Main=
 
 
 
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
 
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
 
+
<div style="border:0,margin:0;overflow: hidden;">
 +
{{OWASP Defenders}} {{OWASP Book|5691953}}
 +
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div>
 +
</div>
 +
=Code Review Guide=
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
==The Release Candidate for the OWASP Code Review Guide is now available!==
 +
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource.
 +
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.
  
==OWASP Code Review Guide Project==
+
Thank you,
 
+
Larry Conklin, Gary Robinson
{{OWASP Book|5678680}}
+
OWASP Code Review Guides Co-Leaders
  
 
==Introduction==
 
==Introduction==
 +
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.
  
We are writing a new version of the [https://www.owasp.org/index.php/OWASP_Code_review_V2_Project OWASP code review guide].
+
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10.  Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.
  
Here is the [[OWASP  Code review V2 Table of Contents]].
+
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.
  
==Description==
+
==Review of Code Review Guide 2.0==
 +
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to  [email protected]. Private comments may be sent to [email protected] or [email protected] . All comments are welcome. All comments should indicate the specific relevant page and section.
  
The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.
+
All feedback is critical to the continued success of the OWASP Code Review Guide.
Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.t
 
  
 
==Licensing==
 
==Licensing==
 
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  
== Spring Of Code 2007 ==
 
The Code review guide is proudly sponsored by the OWASP Spring of Code (SpOC) 2007.
 
For more information please see [[OWASP_Spring_Of_Code_2007|Spring of Code 2007]]
 
 
==Summer of Code 2008==
 
The Code review guide is proudly sponsored by the OWASP Summer of Code (SoC) 2008. For more information please see [[OWASP_Summer_of_Code_2008| OWASP Summer of Code 2008]].
 
  
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
== What is the Code Review Guide? ==
+
== Project Leader ==
 +
* Larry Conklin [mailto:[email protected]]
 +
* Gary Robinson [mailto:[email protected]]
  
OWASP Code Review Guide provides:
+
== Project Email ==
 
+
* Project Email [mailto:[email protected]]
* [[OWASP Code Review Guide Table of Contents]] from v1
 
* [[OWASP  Code review V2 Table of Contents]]
 
 
 
== Presentation ==
 
  
 +
==Classifications==
 +
[[File:Owasp-defenders-small.png|link=]]
  
== Project Leader ==
+
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
  
[mailto:larry.[email protected] Larry Conklin]
+
[[File:Project_Type_Files_DOC.jpg|link=]]
[mailto:[email protected] Gary Robinson]
 
  
 
== Related Projects ==
 
== Related Projects ==
  
[https://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
+
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]
 
 
[http://codecrawler.codeplex.com/Release/ProjectReleases.aspx Code Crawler]
 
 
 
== Ohloh ==
 
  
  
Line 60: Line 55:
  
 
== Quick Download ==
 
== Quick Download ==
 +
* [https://www.owasp.org/index.php/File:OWASP_Code_Review_Guide_v2.pdf Code Review Guide 2.0]
  
* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf V1.1]
+
== In Print ==
 +
Code Review Guide 2.0 will be available in Lulu in the near future.
  
== Email List ==
 
 
[http://lists.owasp.org/mailman/listinfo/owasp-codereview Sign up]
 
 
== News and Events ==
 
 
 
== In Print ==
 
 
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.
 
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.
 
 
==Classifications==
 
 
  {| width="200" cellpadding="2"
 
  |-
 
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 
  |-
 
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 
  |-
 
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
  |-
 
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 
  |}
 
 
 
|}
 
|}
 
=FAQs=
 
 
; Q1
 
: A1
 
 
; Q2
 
: A2
 
  
 
= Acknowledgements =
 
= Acknowledgements =
==Volunteers==
+
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Dublin Founder and Chapter Lead.
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead. We are actively seeking individuals to add new sections as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please drop me a line [mailto:[email protected] [email protected]].
 
 
 
 
 
= Road Map and Getting Involved =
 
The project's overall goal is to...
 
 
 
'''be a reference document for the purpose of performing code review. This project shall provide examples in the most common web application development languages (Java and C# .NET)'''
 
 
 
In the near term, we are focused on the following tactical goals...
 
 
 
1. Looking at each attack type and examine the anti-pattern associated with the vulnerability which makes the attack possible. This shall include code examples to guide a reviewer on what to look for.
 
 
 
2. Looking at the code review process, how it is managed and challanges one may encounter when performing code review in the "real world".
 
 
 
3. Looking at the code review tools available and discussing the benefits and issues of using tools.
 
 
 
4. See also [[Projects/OWASP Code Review Project/Releases/Code Review Guide V2.0/Roadmap|Code Review Guide V2.0's Roadmap]].
 
 
[[Category:OWASP Code Review Project]]
 
 
 
==Roadmap for V2:==
 
 
 
*'''Major enhancements''':
 
**Introduction to be re-written,
 
**Approach to code review (Risk based approach)to be re-written, re designed,
 
**Examples by Vulnerability and Technical control to be expanded and refined,
 
**Common Numbering nomenclature to be used,
 
**Cross reference to TG and ASVS to be done,
 
**New sections on tools to be introduced,
 
**Expand technology specific sections,
 
**Section on RIA (Rich Internet applications) to be introduced,
 
**WebServices section to be refined,
 
**Malware and rootkit sections to be introduced,
 
**PCI section to be rewritten with more x-reference to other guides.
 
 
 
*'''Other ideas''':
 
**ESAPI section: how to review OWASP ESAPI implementations?
 
**Risk based approach Vs ASVS levels,
 
**Threat modeling and Triage chapters to be revised,
 
**OWASP O2 section on O2 rules definition, development,
 
**Crawling code: Additional search vectors to be added,
 
**Section on Code Crawler, quick start & configuration guide.
 
  
==Get Involved==
+
Code Review Mailing list[mailto:owasp-codereview-project@owasp.org]
All of the OWASP Guides are living documents that will continue to change as the threat and security landscape changes.
 
We welcome everyone to join the Code Review Guide Project and help us make this document great. The best way to get started is to subscribe to the mailing list by following the link below. Please introduce yourself and ask to see if there is anything you can help with. We are always looking for new contributions. If there is a topic that you’d like to research and contribute, please let us know!
 
  
=Project About=
+
{{:Projects/OWASP Code Review Project| Project About}}
 
  
__NOTOC__ <headertabs />  
+
__NOTOC__ <headertabs />
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]] [[Category:OWASP Project|Code Review Project]]
+
[[Category:OWASP Project]]  [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
[[Category:OWASP Document]]
 
[[Category:OWASP Release Quality Document]]
 

Latest revision as of 10:29, 14 July 2017

Lab big.jpg
OWASP Defenders logo.png This project is part of the OWASP Defenders community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.
OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.

Share this:  E-mail this story Bookmark with Facebook Share on Digg.com Share on delicious Share on reddit.com Share on stumbleupon.com Share on LinkedIn.com Share on twitter.com Seed on Newsvine

The Release Candidate for the OWASP Code Review Guide is now available!

Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.

Thank you, Larry Conklin, Gary Robinson OWASP Code Review Guides Co-Leaders

Introduction

OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.

Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.

The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.

Review of Code Review Guide 2.0

Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to [email protected]. Private comments may be sent to [email protected] or [email protected] . All comments are welcome. All comments should indicate the specific relevant page and section.

All feedback is critical to the continued success of the OWASP Code Review Guide.

Licensing

OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


Project Leader

  • Larry Conklin [1]
  • Gary Robinson [2]

Project Email

  • Project Email [3]

Classifications

Owasp-defenders-small.png

Cc-button-y-sa-small.png

Project Type Files DOC.jpg

Related Projects

OWASP Testing Guide [4]


Quick Download

In Print

Code Review Guide 2.0 will be available in Lulu in the near future.

Code Review Guide V1.1 on Lulu.

The OWASP Code Review project was conceived by Eoin Keary, the OWASP Dublin Founder and Chapter Lead. 

Code Review Mailing list[5]

Project leaders [email protected] or [email protected]

Pages in category "OWASP Code Review Project"

The following 69 pages are in this category, out of 69 total.

A

B

C

D

E

H

I

J

L

O

P

R

S

T

X

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_Code_Review_Project&oldid=231677"