This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Code Review V2 Table of Contents"
From OWASP
| Line 310: | Line 310: | ||
#Author Johanna Curiel, Renchie Joan | #Author Johanna Curiel, Renchie Joan | ||
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]] | # [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]] | ||
| + | == Anti-Pattern #1: Tight Coupling == | ||
| + | == Anti-Pattern #2: Assuming Static Requirements == | ||
| + | == Anti-Pattern #3: Mishandled Concurrency == | ||
| + | == Anti-Pattern #4: Stateful Services == | ||
| + | == Anti-Pattern #5: Two Tiers Pretending to be Three == | ||
| + | == Anti-Pattern #6: Undervaluing Simplicity == | ||
====.Java==== | ====.Java==== | ||
Revision as of 12:07, 14 June 2013
- 1 OWASP Code Review Guide v2.0:
- 1.1 Forward
- 1.2 Code Review Guide Introduction
- 2 Methodology
- 3 Reviewing by Techincal Control
- 3.1 Reviewing code for Authentication controls
- 3.2 Reviewing code Authorization weakness
- 3.2.1 Checking authz upon every request
- 3.2.2 Reducing the attack surface
- 3.2.3 Reviewing code for Session handling
- 3.2.4 Reviewing client side code
- 3.2.5 Review code for input validation
- 3.2.6 Reviewing code for contextual encoding
- 3.2.7 Reviewing file and resource handling code
- 3.2.8 Resource Exhaustion - error handling
- 3.2.9 Reviewing Logging code - Detective Security
- 3.2.10 Reviewing Error handling and Error messages
- 3.2.11 Reviewing Security alerts
- 3.2.12 Review for active defense
- 3.2.13 Reviewing Secure Storage
- 3.2.14 Hashing & Salting - When, How and Where
- 4 Reviewing by Vulnerability
- 4.1 Review Code for XSS
- 4.2 Persistent - The Anti pattern
- 4.3 Reflected - The Anti pattern
- 4.4 Anti-Pattern #1: Tight Coupling
- 4.5 Anti-Pattern #2: Assuming Static Requirements
- 4.6 Anti-Pattern #3: Mishandled Concurrency
- 4.7 Anti-Pattern #4: Stateful Services
- 4.8 Anti-Pattern #5: Two Tiers Pretending to be Three
- 4.9 Anti-Pattern #6: Undervaluing Simplicity
- 4.9.1 .Java
- 4.9.2 PHP
- 4.9.3 Ruby
- 4.9.4 Stored - The Anti pattern
- 4.9.5 DOM XSS
- 4.9.6 JQuery mistakes
- 4.9.7 Reviewing code for SQL Injection
- 4.9.8 The Anti pattern
- 4.9.9 Reviewing code for CSRF Issues
- 4.9.10 Transactional logic / Non idempotent functions / State Changing Functions
- 4.9.11 Reviewing code for poor logic /Business logic/Complex authorization
- 4.9.12 Reviewing Secure Communications
- 4.9.13 Tech-Stack pitfalls
- 4.9.14 Framework specific Issues
- 4.9.14.1 Spring
- 4.9.14.2 Structs
- 4.9.14.3 Drupal
- 4.9.14.4 Ruby on Rails
- 4.9.14.5 Django
- 4.9.14.6 .NET Security / MVC
- 4.9.14.7 Security in ASP.NET applications
- 4.9.14.8 PHP Specific Issues
- 4.9.14.9 Classic ASP
- 4.9.14.10 C#
- 4.9.14.11 C/C++
- 4.9.14.12 Objective C
- 4.9.14.13 Java
- 4.9.14.14 Android
- 4.9.14.15 Coldfusion
- 5 Security code review for Agile development
- 6 Willing to review drafts
OWASP Code Review Guide v2.0:
Forward
- Author - Eoin Keary
- Previous version to be updated:[[1]]
- Put content here
Code Review Guide Introduction
- Author - Eoin Keary
- Previous version to be updated:[[2]]
- Put content here
What is source code review and Static Analysis
- Author - Zyad Mghazli
- New Section
- Put content here
Manual Review - Pros and Cons
- Author - Ashish Rao
- New Section
- Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
- Suggestion: Highlight the advantages of code review to the department/team - Gary David Robinson
- Put content here
Why code review
Scope and Objective of secure code review
- Author - Ashish Rao
- Put content here
We can't hack ourselves secure
- Author - Prathamesh Mhatre
- New Section
- Put content here
360 Review: Coupling source code review and Testing / Hybrid Reviews
- Author - Ashish Rao
- New Section
- Put content here
Can static code analyzers do it all?
- Author - Ashish Rao
- New Section
- Put content here
Methodology
The code review approach
- Author - Prathamesh Mhatre
- Put content here
Preparation and context
- Author - Open
- Previous version to be updated: [[3]]
- Put content here
Application Threat Modeling
- Author - Andy, Renchie Joan
- Previous version to be updated: [[4]]
- Put content here
Understanding Code layout/Design/Architecture
- Author - Ashish Rao
- Put content here
SDLC Integration
- Author - Andy, Ashish Rao
- Previous version to be updated: [[5]]
- Put content here
Deployment Models
Secure deployment configurations
- Author - Ashish Rao
- Put content here
- New Section
Metrics and code review
- Author - Andy
- Previous version to be updated: [[6]]
- Put content here
Source and sink reviews
- Author - Ashish Rao
- New Section
- Put content here
Code review Coverage
- Author - Open
- Previous version to be updated: [[7]]
- Put content here
Design Reviews
- Author - Ashish Rao
- Why to review design?
- Building security in design - secure by design principle
- Design Areas to be reviewed
- Common Design Flaws
A Risk based approach to code review
- Author - Renchie Joan
- New Section
- "Doing things right or doing the right things..."
- "Not all bugs are equal
Crawling code
- Author - Abbas Naderi
- Previous version to be updated: [[8]]
- API of Interest:
- Java
- .NET
- PHP
- RUBY
- Frameworks:
- Spring
- .NET MVC
- Structs
- Zend
- New Section
- Searching for code in C/C++
- Author - Gary Robinson
Code reviews and Compliance
- Author -Manual Harti
- Previous version to be updated: [[9]]
- Put content here
Reviewing by Techincal Control
Reviewing code for Authentication controls
- Author - Anand Prakash, Joan Renchie
- Put content here
Forgot password
- Author Abbas Naderi
- Put content here
Authentication
- Author - Anand Prakash, Joan Renchie
- Put content here
CAPTCHA
- Author Larry Conklin, Joan Renchie
- Put content here
Out of Band considerations
- Author - Open
- Previous version to be updated: [[10]]
- Put content here
Reviewing code Authorization weakness
- Author Ashish Rao
- Put content here
Checking authz upon every request
- Author - Abbas Naderi, Joan Renchie
- Put content here
Reducing the attack surface
- Author Chris Berberich
- Previous version to be updated: [[11]]
- Put content here
Reviewing code for Session handling
- Author - Palak Gohil, Abbas Naderi
- Previous version to be updated: [[12]]
- Put content here
Reviewing client side code
- New Section
- Put content here
Javascript
- Author - Abbas Naderi
- Put content here
JSON
- Author - Open
- Put content here
Content Security Policy
- Author - Open
- Put content here
"Jacking"/Framing
- Author - Abbas Naderi
- Put content here
HTML 5?
- Author - Sebastien Gioria
- Put content here
Browser Defenses policy
- Author - Open
- Put content here
etc...
Review code for input validation
- Author - Open
- Put content here
Regex Gotchas
- Author - Abbas Naderi
- New Section
- Put content here
ESAPI
- Author - Abbas Naderi
- New Section
- Internal Link: [[13]]
- Put content here
Reviewing code for contextual encoding
HTML Attribute
- Author - Shenai Silva
- Put content here
HTML Entity
- Author - Shenai Silva
- Put content here
Javascript Parameters
- Author - Open
- Put content here
JQuery
- Author - Abbas Naderi
- Put content here
Reviewing file and resource handling code
- Author - Open
- Put content here
Resource Exhaustion - error handling
- Author - Abbas Naderi
- Put content here
native calls
- Author Abbas Naderi
- Put content here
Reviewing Logging code - Detective Security
- Author - Palak Gohil
- Where to Log
- What to log
- What not to log
- How to log
- Internal link: [[14]]
- Put content here
Reviewing Error handling and Error messages
- Author - Gary Robinson
- Previous version to be updated: [[15]]
- Put content here
Reviewing Security alerts
- Author - Open
- Put content here
Review for active defense
- Author - Colin Watson
- Put content here
Reviewing Secure Storage
- Author - Azzeddine Ramrami
- New Section
- Put content here
Hashing & Salting - When, How and Where
Encrpyption
.NET
- Author Larry Conklin, Joan Renchie
- Previous version to be updated: [[16]]
- Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao
Reviewing by Vulnerability
Review Code for XSS
- Author Palak Gohil, Anand Prakash
- Previous version to be updated: [[17]]
- In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
- Put content here
Persistent - The Anti pattern
- Author Abbas Naderi
- Put content here
.NET
- Author Johanna Curiel, Renchie Joan
- Put content here
.Java
- Author Palak Gohil
- Put content here
PHP
- Author Mohammed Damavandi, Abbas Naderi
- Put content here
Ruby
- Author Chris Berberich
- Put content here
Reflected - The Anti pattern
.NET
- Author Johanna Curiel, Renchie Joan
- Put content here
Anti-Pattern #1: Tight Coupling
Anti-Pattern #2: Assuming Static Requirements
Anti-Pattern #3: Mishandled Concurrency
Anti-Pattern #4: Stateful Services
Anti-Pattern #5: Two Tiers Pretending to be Three
Anti-Pattern #6: Undervaluing Simplicity
.Java
- Author Palak Gohil
- Put content here
PHP
- Author Mohammed Damavandi, Abbas Naderi
- Put content here
Ruby
- Author - Open
- Put content here
Stored - The Anti pattern
- Author - Open
- Put content here
.NET
- Author Johanna Curiel, Renchie Joan
- Put content here
.Java
- Author Palak Gohil
- Put content here
PHP
- Author Mohammed Damavandi, Abbas Naderi
- Put content here
Ruby
- Author - Open
- Put content here
DOM XSS
- Author Larry Conklin
- Put content here
JQuery mistakes
- Author Shenal Silva
- Put content here
Reviewing code for SQL Injection
- Author Palak Gohil, Renchie Joan
- Previous version to be updated: [[18]]
- Put content here
PHP
- Author - Mennouchi Islam Azeddine
- Put content here
Java
- Author - Open
- Put content here
.NET
- Author - Mennouchi Islam Azeddine
- Put content here
HQL
- Author - Open
- Put content here
The Anti pattern
PHP
- Author - Mohammad Damavandi, Abbas Naderi
- Put content here
Java
- Author - Palak Gohil
- => Searching for traditional SQL,JPA,JPSQL,Criteria,...
- Put content here
.NET
- Author Johanna Curiel, Renchie Joan
- Put content here
Ruby
- Author - Open
- Put content here
Cold Fusion
- Author - Open
- Put content here
Reviewing code for CSRF Issues
- Author Palak Gohil,Anand Prakash, Abbas Naderi
- Previous version to be updated: [[19]]
- Put content here
Transactional logic / Non idempotent functions / State Changing Functions
- Author Abbas Naderi
- Put content here
Reviewing code for poor logic /Business logic/Complex authorization
- Author - Sam Denard
- Put content here
Reviewing Secure Communications
.NET Config
- Author Johanna Curiel, Renchie Joan
- Put content here
Spring Config
- Author - Open
- Put content here
HTTP Headers
- Author Gregory Disney, Abbas Naderi
- Put content here
CSP
- Author Gregory Disney
- Put content here
HSTS
- Author Abbas Naderi
- Put content here
Tech-Stack pitfalls
- Author Gregory Disney
- Put content here
Framework specific Issues
Spring
- Author - Open
- Put content here
Structs
- Author - Open
- Put content here
Drupal
- Author Gregory Disney
- Put content here
Ruby on Rails
- Author - Open
- Put content here
Django
- Author Gregory Disney
- Put content here
.NET Security / MVC
- Author Johanna Curiel, Renchie Joan
- Put content here
Security in ASP.NET applications
- Author Johanna Curiel, Renchie Joan
- Put content here
Strongly Named Assemblies
- Author Johanna Curiel, Renchie Joan
- Put content here
Round Tripping
- Author - Open
- Put content here
How to prevent Round tripping
- Author - Open
- Author Johanna Curiel, Renchie Joan
- Put content here
Setting the right Configurations
- Author Johanna Curiel, Renchie Joan
- Put content here
Authentication Options
- Author Johanna Curiel, Renchie Joan
- Put content here
Code Review for Managed Code - .Net 1.0 and up
- Author Johanna Curiel, Renchie Joan
- Put content here
Using OWASP Top 10 as your guideline
- Author Johanna Curiel, Renchie Joan
- Put content here
Code review for Unsafe Code (C#)
- Author Johanna Curiel, Renchie Joan
- Put content here
PHP Specific Issues
- Author Mohammad Damavandi, Abbas Naderi
- Put content here
Classic ASP
- Author Johanna Curiel
- Put content here
C#
- Author Johanna Curiel, Renchie Joan
- Put content here
C/C++
- Author Gary Robinson
- Put content here
Objective C
- Author Open
- Put content here
Java
- Author Palak Gohil
- Put content here
Android
- Author Open
- Put content here
Coldfusion
- Author Open
- Put content here
Security code review for Agile development
- Author Open
- Put content here
Willing to review drafts
- Terry Nerpester
- Larry Conklin
- Gary Robinson
- Simon Whittaker
