Difference between revisions of "OWASP Code Review V2 Table of Contents"
Line 4: | Line 4: | ||
==Forward== | ==Forward== | ||
# Author - Eoin Keary | # Author - Eoin Keary | ||
− | + | # Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]] | |
== Code Review Guide History == | == Code Review Guide History == | ||
# Author - Eoin Keary | # Author - Eoin Keary | ||
− | + | # Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]] | |
== Introduction == | == Introduction == | ||
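Review bot: the two "Previous version to be updated" links added in this region look shifted by one section: the Forward section points at Code_Review_Guide_History and the Code Review Guide History section points at Code_Review_Introduction. Check that each link targets the page for its own section, and add a space after the colon in "updated:[[" so it matches the "updated: [[" form used in the later entries.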
Line 15: | Line 15: | ||
=== What is source code review and Static Analysis === | === What is source code review and Static Analysis === | ||
# Author - Zyad Mghazli | # Author - Zyad Mghazli | ||
− | + | # New Section | |
=== Manual Review - Pros and Cons === | === Manual Review - Pros and Cons === | ||
# Author - Ashish Rao | # Author - Ashish Rao | ||
− | + | # New Section | |
− | + | # Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli | |
=== Why code review === | === Why code review === | ||
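Review bot: "Stataic" in the added suggestion line should read "Static", and the line runs the suggestion straight into the author's name; a separator such as " - Zyad Mghazli" would match the "# Author - " convention used on the other lines.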
Line 28: | Line 28: | ||
=== We can't hack ourselves secure === | === We can't hack ourselves secure === | ||
# Author - Prathamesh Mhatre | # Author - Prathamesh Mhatre | ||
− | + | # New Section | |
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews=== | === 360 Review: Coupling source code review and Testing / Hybrid Reviews=== | ||
# Author - Ashish Rao | # Author - Ashish Rao | ||
− | + | # New Section | |
=== Can static code analyzers do it all? === | === Can static code analyzers do it all? === | ||
# Author - Ashish Rao | # Author - Ashish Rao | ||
− | + | # New Section | |
==Methodology== | ==Methodology== | ||
Line 43: | Line 43: | ||
==== Preparation and context ==== | ==== Preparation and context ==== | ||
# Author - Open | # Author - Open | ||
− | + | # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]] | |
====Application Threat Modeling==== | ====Application Threat Modeling==== | ||
#Author - Andy, Renchie Joan | #Author - Andy, Renchie Joan | ||
− | + | # Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]] | |
====Understanding Code layout/Design/Architecture==== | ====Understanding Code layout/Design/Architecture==== | ||
#Author - Ashish Rao | #Author - Ashish Rao | ||
===SDLC Integration=== | ===SDLC Integration=== | ||
#Author - Andy, Ashish Rao | #Author - Andy, Ashish Rao | ||
− | + | # Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]] | |
====Deployment Models==== | ====Deployment Models==== | ||
=====Secure deployment configurations===== | =====Secure deployment configurations===== | ||
#Author - Ashish Rao | #Author - Ashish Rao | ||
− | + | # New Section | |
=====Metrics and code review===== | =====Metrics and code review===== | ||
#Author - Andy | #Author - Andy | ||
Line 81: | Line 81: | ||
*API of Interest: | *API of Interest: | ||
**Java | **Java | ||
− | + | **.NET | |
− | + | **PHP | |
− | + | **RUBY | |
*Frameworks: | *Frameworks: | ||
**Spring | **Spring | ||
Line 94: | Line 94: | ||
====Code reviews and Compliance==== | ====Code reviews and Compliance==== | ||
#Author -Manual Harti | #Author -Manual Harti | ||
− | + | # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]] | |
==Reviewing by Techincal Control== | ==Reviewing by Techincal Control== | ||
Line 107: | Line 107: | ||
====Out of Band considerations==== | ====Out of Band considerations==== | ||
#Author - Open | #Author - Open | ||
− | + | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]] | |
− | ===Reviewing code | + | ===Reviewing code Authorization weakness=== |
#Author Ashish Rao | #Author Ashish Rao | ||
====Checking authz upon every request==== | ====Checking authz upon every request==== | ||
Line 139: | Line 139: | ||
=====ESAPI===== | =====ESAPI===== | ||
#Author - Abbas Naderi | #Author - Abbas Naderi | ||
− | + | #New Section | |
− | + | # Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]] | |
====Reviewing code for contextual encoding==== | ====Reviewing code for contextual encoding==== | ||
=====HTML Attribute===== | =====HTML Attribute===== | ||
Line 165: | Line 165: | ||
====Reviewing Error handling and Error messages==== | ====Reviewing Error handling and Error messages==== | ||
#Author - Open | #Author - Open | ||
− | + | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]] | |
====Reviewing Security alerts==== | ====Reviewing Security alerts==== | ||
#Author - Open | #Author - Open | ||
Line 173: | Line 173: | ||
====Reviewing Secure Storage==== | ====Reviewing Secure Storage==== | ||
#Author - Azzeddine Ramrami | #Author - Azzeddine Ramrami | ||
− | + | # New Section | |
====Hashing & Salting - When, How and Where==== | ====Hashing & Salting - When, How and Where==== | ||
=====Encrpyption===== | =====Encrpyption===== | ||
======.NET====== | ======.NET====== | ||
#Author Larry Conklin, Joan Renchie | #Author Larry Conklin, Joan Renchie | ||
− | + | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]] | |
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao'' | *''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao'' | ||
+ | ==Reviewing by Vulnerability== | ||
+ | ===Review Code for XSS=== | ||
+ | #Author Palak Gohil, Anand Prakash | ||
+ | # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]] | ||
+ | # In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao | ||
+ | ===Persistent - The Anti pattern=== | ||
+ | #Author Abbas Naderi | ||
+ | ====.NET==== | ||
+ | #Author Johanna Curiel, Renchie Joan | ||
+ | ====.Java==== | ||
+ | #Author Palak Gohil | ||
+ | ====PHP==== | ||
+ | #Author Mohammed Damavandi, Abbas Naderi | ||
+ | ====Ruby==== | ||
+ | #Author Chris Berberich | ||
+ | ===Reflected - The Anti pattern=== | ||
+ | ====.NET==== | ||
+ | #Author Johanna Curiel, Renchie Joan | ||
+ | ====.Java==== | ||
+ | #Author Palak Gohil | ||
+ | ====PHP==== | ||
+ | #Author Mohammed Damavandi, Abbas Naderi | ||
+ | ====Ruby==== | ||
+ | ===Stored - The Anti pattern=== | ||
+ | ====.NET==== | ||
+ | #Author Johanna Curiel, Renchie Joan | ||
+ | ====.Java==== | ||
+ | #Author Palak Gohil | ||
+ | ====PHP==== | ||
+ | #Author Mohammed Damavandi, Abbas Naderi | ||
+ | ====Ruby==== | ||
+ | ===DOM XSS === | ||
+ | #Author Larry Conklin | ||
+ | ===JQuery mistakes=== | ||
+ | #Author Shenal Silva |
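Review bot: the three "====.Java====" headings carry a stray leading period and should read "====Java====" like the sibling "====PHP====" and "====Ruby====" headings. The Ruby subsections under "Reflected" and "Stored" also have no "#Author" line, unlike every other subsection in this block, so ownership of those pages is left unassigned; and "wrf to difference versions" in the ASP.NET note should read "wrt to different versions".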
Revision as of 23:01, 21 April 2013
- 1 OWASP Code Review Guide v2.0:
- 1.1 Foreword
- 1.2 Code Review Guide History
- 1.3 Introduction
- 1.4 Methodology
- 1.5 Reviewing by Technical Control
- 1.5.1 Forgot password
- 1.5.2 Authentication
- 1.5.3 CAPTCHA
- 1.5.4 Out of Band considerations
- 1.5.5 Reviewing code Authorization weakness
- 1.5.5.1 Checking authz upon every request
- 1.5.5.2 Reducing the attack surface
- 1.5.5.3 Reviewing code for Session handling
- 1.5.5.4 Reviewing client side code
- 1.5.5.5 Review code for input validation
- 1.5.5.6 Reviewing code for contextual encoding
- 1.5.5.7 Reviewing file and resource handling code
- 1.5.5.8 Resource Exhaustion - error handling
- 1.5.5.9 Reviewing Logging code - Detective Security
- 1.5.5.10 Reviewing Error handling and Error messages
- 1.5.5.11 Reviewing Security alerts
- 1.5.5.12 Review for active defense
- 1.5.5.13 Reviewing Secure Storage
- 1.5.5.14 Hashing & Salting - When, How and Where
- 1.6 Reviewing by Vulnerability
OWASP Code Review Guide v2.0:
Foreword
- Author - Eoin Keary
- Previous version to be updated: [[1]]
Code Review Guide History
- Author - Eoin Keary
- Previous version to be updated: [[2]]
Introduction
- Author - Eoin Keary
What is source code review and Static Analysis
- Author - Zyad Mghazli
- New Section
Manual Review - Pros and Cons
- Author - Ashish Rao
- New Section
- Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli
Why code review
Scope and Objective of secure code review
- Author - Ashish Rao
We can't hack ourselves secure
- Author - Prathamesh Mhatre
- New Section
360 Review: Coupling source code review and Testing / Hybrid Reviews
- Author - Ashish Rao
- New Section
Can static code analyzers do it all?
- Author - Ashish Rao
- New Section
Methodology
The code review approach
- Author - Prathamesh Mhatre
Preparation and context
- Author - Open
- Previous version to be updated: [[3]]
Application Threat Modeling
- Author - Andy, Renchie Joan
- Previous version to be updated: [[4]]
Understanding Code layout/Design/Architecture
- Author - Ashish Rao
SDLC Integration
- Author - Andy, Ashish Rao
- Previous version to be updated: [[5]]
Deployment Models
Secure deployment configurations
- Author - Ashish Rao
- New Section
Metrics and code review
- Author - Andy
- Previous version to be updated: [[6]]
Source and sink reviews
- Author - Ashish Rao
- New Section
Code review Coverage
- Author - Open
- Previous version to be updated: [[7]]
Design Reviews
- Author - Ashish Rao
- Why to review design?
- Building security in design - secure by design principle
- Design Areas to be reviewed
- Common Design Flaws
A Risk based approach to code review
- Author - Renchie Joan
- New Section
- "Doing things right or doing the right things..."
- "Not all bugs are equal"
Crawling code
- Author - Abbas Naderi
- Previous version to be updated: [[8]]
- API of Interest:
- Java
- .NET
- PHP
- RUBY
- Frameworks:
- Spring
- .NET MVC
- Struts
- Zend
- New Section
- Searching for code in C/C++
- Author - Gaz Robinson
Code reviews and Compliance
- Author - Manual Harti
- Previous version to be updated: [[9]]
Reviewing by Technical Control
Reviewing code for Authentication controls
- Author - Anand Prakash, Joan Renchie
Forgot password
- Author Abbas Naderi
Authentication
- Author - Anand Prakash, Joan Renchie
CAPTCHA
- Author Larry Conklin, Joan Renchie
Out of Band considerations
- Author - Open
- Previous version to be updated: [[10]]
Reviewing code Authorization weakness
- Author Ashish Rao
Checking authz upon every request
- Author - Abbas Naderi, Joan Renchie
Reducing the attack surface
- Author Chris Berberich
- Previous version to be updated: [[11]]
Reviewing code for Session handling
- Author - Palak Gohil, Abbas Naderi
- Previous version to be updated: [[12]]
Reviewing client side code
- New Section
Javascript
- Author - Abbas Naderi
JSON
- Author - Open
Content Security Policy
- Author - Open
"Jacking"/Framing
- Author - Abbas Naderi
HTML 5?
- Author - Sebastien Gioria
Browser Defenses policy
- Author - Open
etc...
Review code for input validation
Regex Gotchas
- Author - Abbas Naderi
- New Section
ESAPI
- Author - Abbas Naderi
- New Section
- Internal Link: [[13]]
Reviewing code for contextual encoding
HTML Attribute
- Author - Shenai Silva
HTML Entity
- Author - Shenai Silva
Javascript Parameters
- Author - Open
JQuery
- Author - Abbas Naderi
Reviewing file and resource handling code
Resource Exhaustion - error handling
- Author - Abbas Naderi
native calls
- Author Abbas Naderi
Reviewing Logging code - Detective Security
- Author - Palak Gohil
- Where to Log
- What to log
- What not to log
- How to log
- Internal link: [[14]]
Reviewing Error handling and Error messages
- Author - Open
- Previous version to be updated: [[15]]
Reviewing Security alerts
- Author - Open
Review for active defense
- Author - Colin Watson
Reviewing Secure Storage
- Author - Azzeddine Ramrami
- New Section
Hashing & Salting - When, How and Where
Encryption
.NET
- Author Larry Conklin, Joan Renchie
- Previous version to be updated: [[16]]
- Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao
Reviewing by Vulnerability
Review Code for XSS
- Author Palak Gohil, Anand Prakash
- Previous version to be updated: [[17]]
- In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrt to different versions and mechanisms to display data in a page - Ashish Rao
Persistent - The Anti pattern
- Author Abbas Naderi
.NET
- Author Johanna Curiel, Renchie Joan
Java
- Author Palak Gohil
PHP
- Author Mohammed Damavandi, Abbas Naderi
Ruby
- Author Chris Berberich
Reflected - The Anti pattern
.NET
- Author Johanna Curiel, Renchie Joan
Java
- Author Palak Gohil
PHP
- Author Mohammed Damavandi, Abbas Naderi
Ruby
Stored - The Anti pattern
.NET
- Author Johanna Curiel, Renchie Joan
Java
- Author Palak Gohil
PHP
- Author Mohammed Damavandi, Abbas Naderi
Ruby
DOM XSS
- Author Larry Conklin
JQuery mistakes
- Author Shenal Silva