Difference between revisions of "OWASP Code Review Guide Table of Contents"

@@ Line 1: / Line 1: @@
+{{LinkBar
+  | useprev=PrevLink | prev= | lblprev=
+  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
+  | usenext=NextLink | next=Code Review Guide Foreword | lblnext=Foreword by OWASP Chair
+}}
+__NOTOC__
+==[[Code Review Guide Foreword|Foreword by OWASP Chair]]==
+==Frontispiece==
+* [[Code Review Guide Frontispiece|About the OWASP Code Review Project]]
+* [[OCRG1.1:About The Open Web Application Security Project|About The Open Web Application Security Project]]
+==Guide History==
+* [[Code Review Guide History]]
 ==Methodology==
-#[[Code Review Introduction|Introduction]]
+*[[Code Review Introduction|Introduction]]
+*[[Code Review Preparation|Preparation]]
+*[[Security Code Review in the SDLC]]
+*[[Security Code Review Coverage]]
+*[[OCRG1.1:Application Threat Modeling|Application Threat Modeling]]
+*[[Code Review Metrics]]
+==Crawling Code==
+* [[Crawling Code]]
+* [[Searching for Code in J2EE/Java]]
+* [[Searching for Code in Classic ASP]]
+* [[JavaScript/Web 2.0 Keywords and Pointers]]
+==Code Reviews and PCI DSS==
+* [[Code Reviews and Compliance]]
+==Examples by Technical Control==
+* [[Codereview-Authentication|Authentication]]
+* [[Codereview-Authorization|Authorization]]
+* [[Codereview-Session-Management|Session Management]]
+* [[Codereview-Input Validation|Input Validation]]
+* [[Codereview-Error-Handling|Error Handling]]
+* [[Codereview-Deployment|Secure Deployment]]
+* [[Codereview-Cryptographic_Controls|Cryptographic Controls]]
+==Examples by Vulnerability==
+* [[Reviewing Code for Buffer Overruns and Overflows]]
+* [[Reviewing Code for OS Injection]]
+* [[Reviewing Code for SQL Injection]]
+* [[Reviewing Code for Data Validation]]
+* [[Reviewing Code for Cross-Site Scripting]]
+* [[Reviewing Code for Cross-Site Request Forgery]]
+* [[Reviewing Code for Logging Issues]]
+* [[Reviewing Code for Session Integrity]]
+* [[Reviewing Code for Race Conditions]]
+== Language Specific Best Practice ==
+===Java===
+*[[Java Gotchas]]
+*[[Leading Java Security Practice]]
+===Classic ASP===
+*[[Classic ASP Design Mistakes]]
+===PHP===
+*[[Leading PHP Security Practice]]
+===C/C++===
+*[[Strings and Integers]]
-NOTE: The following two sections seem to describe quality code review processes, not specifically focused on security. Security code reviews are somewhat different as they require an understanding of the threat model.
+===MySQL===
+*[[Reviewing MySQL Security]]
-#[[Steps and Roles]]
+===Rich Internet Applications===
-#[[Code Review Processes]]
+*[[Reviewing Flash Applications]]
-==Checklists==
+*[[Reviewing AJAX Applications]]
-#[[Buffer Overruns and Overflows|Buffer Overruns and Overflows]]
+*[[Reviewing Web Services]]
-#[[OS Injection]]
-#[[SQL Injection]]
-#[[Data Validation (Code Review)|Data Validation]]
-#[[Error Handling]]
-#[[The Secure Code Environment]]
-#[[Transaction Analysis]]
-==[[Automating Code Reviews]] ==
-'''Reasons for using automated tools:'''
-In large scale code review operations for enterprises such that the volume of code is enormous automated code review techniques can assist in improving the throughput of the code review process.
-'''Education and cultural change:'''
+== Example Reports ==
-Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower devlopers with the knowledge in order to write better code.
+* [[How to Write an Application Code Review Finding]]
-This can be done by providing developers with a controlled set of rules which the developer can compare their code to. Automated tools provide this functionality and also help reducing the overhead from a time perspective. A developer can check his/her code using a tool without much initial knowledge of the security concerns pertaining to their task at hand.
+==Automating Code Reviews==
-Also running a tool to assess the code if a fairly painless task once the developer becomes familiar wth the tool(s).
+* [[Automated Code Review]]
+* [[Tool Deployment Model]]
+* [[Code Auditor Workbench Tool]]
+* [[The Owasp Orizon Framework]]
-'''Tool Deployment model:'''
+==[[The Owasp Code Review Top 9]]==
-Deploying code review tools to developers helps the throughput of a code review team by helping to identify and hopefully remove most of the common and simple coding mistakes prior to a security consultant viewing the code.
-This methodology improves developer knowledge and also the security consultant can spend time looking for more abstract vulerabilities.
+==[[The Owasp Code Review Scoring System]]==
 ==[[References]]==
+{{LinkBar
+  | useprev=PrevLink | prev= | lblprev=
+  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
+  | usenext=NextLink | next=Code Review Guide Foreword | lblnext=Foreword by OWASP Chair
+}}
 [[Category:OWASP Code Review Project]]

Difference between revisions of "OWASP Code Review Guide Table of Contents"

Latest revision as of 15:27, 9 September 2010

Foreword by OWASP Chair

Frontispiece

Guide History

Methodology

Crawling Code

Code Reviews and PCI DSS

Examples by Technical Control

Examples by Vulnerability

Language Specific Best Practice

Java

Classic ASP

PHP

C/C++

MySQL

Rich Internet Applications

Example Reports

Automating Code Reviews

The Owasp Code Review Top 9

The Owasp Code Review Scoring System

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools