
Difference between revisions of "OWASP Code Review Guide Table of Contents"

From OWASP
Edit summary of the latest revision (minor edit): Switched a link from article to navigation shell
 
(213 intermediate revisions by 16 users not shown)
Previous revision:

==[[Code Review Introduction|Introduction]] ==

'''Preface''':

This document is not a "How to perform a Secure Code review" walkthrough but more a guide on how to perform a successful review. Knowing the mechanics of code inspection is half the battle, but I'm afraid people are the other half.

To perform a proper code review, and to give value to the client from a risk perspective rather than from an academic or textbook perspective, we must understand what we are reviewing.

Applications may have faults, but the client wants to know the "real risk" and not necessarily what the security textbooks say.

There are real vulnerabilities in real applications out there, and they pose real risk, but how do we define real risk as opposed to best practice?

This document describes how to get the most out of a secure code review: what is important when managing an engagement with a client, and how to keep your eye on the ball and see the "wood from the trees".

'''Introduction''':

The only possible way of developing secure software and keeping it secure into the future is to make security part of the design. When cars are designed, safety is considered, and it is now a big selling point for people buying a new car: "How safe is it?" is a question a potential buyer may ask. Look also at the advertising that refers to the "star" safety rating of a brand or model of car.

Unfortunately the software industry is not as evolved, and hence people still buy software without paying any regard to the security aspect of the application.

This is what OWASP is trying to do: to bring security in web application development into the mainstream, to make it a selling point. 30% to 35% of Microsoft's budget for "Longhorn" is earmarked for security, a sign of the times. http://news.bbc.co.uk/2/hi/business/4516269.stm

Every day more and more vulnerabilities are discovered in popular applications, which we all know and use, and even use for private transactions over the web.

I'm writing this document not from a purist point of view. You may not agree with everything, but from experience it is rare that we can have the luxury of being a purist in the real world.

Many forces in the business world do not see value in spending a proportion of the budget on security and factoring some security into the project timeline.

The usual one-liners we hear in the wilderness:

''"We never get hacked (that I know of), we don't need security."
"We never get hacked, we've got a firewall."
Question: "How much does security cost?" Answer: "How much shall no security cost?"
"Not to know is bad; not to wish to know is worse."''

- I love proverbs, as you can see.

Code inspection is a fairly low-level approach to securing code but is very effective. It is in effect a look under the hood of an application (a whitebox review).

[[Category:OWASP Code Review Project]]

==[[Buffer Overruns and Overflows|Buffer Overruns and Overflows]] ==

==[[Data Validation (Code Review)|Data Validation]] ==

==[[Error Handling]]==

==[[OS Injection]] ==

==[[The Secure Code Environment]] ==

==[[Transaction Analysis]] ==

==[[XSS Attacks]] ==

Latest revision as of 15:27, 9 September 2010:

{{LinkBar
  | useprev=PrevLink | prev= | lblprev=
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
  | usenext=NextLink | next=Code Review Guide Foreword | lblnext=Foreword by OWASP Chair
}}
__NOTOC__

==[[Code Review Guide Foreword|Foreword by OWASP Chair]]==

==Frontispiece==

* [[Code Review Guide Frontispiece|About the OWASP Code Review Project]]
* [[OCRG1.1:About The Open Web Application Security Project|About The Open Web Application Security Project]]

==Guide History==

* [[Code Review Guide History]]

==Methodology==

*[[Code Review Introduction|Introduction]]
*[[Code Review Preparation|Preparation]]
*[[Security Code Review in the SDLC]]
*[[Security Code Review Coverage]]
*[[OCRG1.1:Application Threat Modeling|Application Threat Modeling]]
*[[Code Review Metrics]]

==Crawling Code==

* [[Crawling Code]]
* [[Searching for Code in J2EE/Java]]
* [[Searching for Code in Classic ASP]]
* [[JavaScript/Web 2.0 Keywords and Pointers]]

==Code Reviews and PCI DSS==

* [[Code Reviews and Compliance]]

==Examples by Technical Control==

* [[Codereview-Authentication|Authentication]]
* [[Codereview-Authorization|Authorization]]
* [[Codereview-Session-Management|Session Management]]
* [[Codereview-Input Validation|Input Validation]]
* [[Codereview-Error-Handling|Error Handling]]
* [[Codereview-Deployment|Secure Deployment]]
* [[Codereview-Cryptographic_Controls|Cryptographic Controls]]

==Examples by Vulnerability==

* [[Reviewing Code for Buffer Overruns and Overflows]]
* [[Reviewing Code for OS Injection]]
* [[Reviewing Code for SQL Injection]]
* [[Reviewing Code for Data Validation]]
* [[Reviewing Code for Cross-Site Scripting]]
* [[Reviewing Code for Cross-Site Request Forgery]]
* [[Reviewing Code for Logging Issues]]
* [[Reviewing Code for Session Integrity]]
* [[Reviewing Code for Race Conditions]]

== Language Specific Best Practice ==

===Java===
*[[Java Gotchas]]
*[[Leading Java Security Practice]]

===Classic ASP===
*[[Classic ASP Design Mistakes]]

===PHP===
*[[Leading PHP Security Practice]]

===C/C++===
*[[Strings and Integers]]

===MySQL===
*[[Reviewing MySQL Security]]

===Rich Internet Applications===
*[[Reviewing Flash Applications]]
*[[Reviewing AJAX Applications]]
*[[Reviewing Web Services]]

== Example Reports ==
* [[How to Write an Application Code Review Finding]]

==Automating Code Reviews==
* [[Automated Code Review]]
* [[Tool Deployment Model]]
* [[Code Auditor Workbench Tool]]
* [[The Owasp Orizon Framework]]

==[[The Owasp Code Review Top 9]]==

==[[The Owasp Code Review Scoring System]]==

==[[References]]==

{{LinkBar
  | useprev=PrevLink | prev= | lblprev=
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
  | usenext=NextLink | next=Code Review Guide Foreword | lblnext=Foreword by OWASP Chair
}}

[[Category:OWASP Code Review Project]]