This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Code Review Project"

From OWASP

Jump to: navigation, search

Revision as of 05:20, 25 July 2014

OWASP Code Review Guide Project

This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.

Introduction

We are writing a new version of the OWASP code review guide.

Here is the OWASP Code review V2 Table of Contents.

Description

The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.t

Licensing

OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Spring Of Code 2007

The Code review guide is proudly sponsored by the OWASP Spring of Code (SpOC) 2007. For more information please see Spring of Code 2007

Summer of Code 2008

The Code review guide is proudly sponsored by the OWASP Summer of Code (SoC) 2008. For more information please see OWASP Summer of Code 2008.

What is the Code Review Guide?

OWASP Code Review Guide provides:

Presentation

Project Leader

Larry Conklin

Related Projects

OWASP Orizon Project

Code Crawler

Ohloh

Quick Download

V1.1

Email List

News and Events

In Print

Code Review Guide V1.1 on Lulu.

Classifications

The project's overall goal is to...

be a reference document for the purpose of performing code review. This project shall provide examples in the most common web application development languages (Java and C# .NET)

In the near term, we are focused on the following tactical goals...

1. Looking at each attack type and examine the anti-pattern associated with the vulnerability which makes the attack possible. This shall include code examples to guide a reviewer on what to look for.

2. Looking at the code review process, how it is managed and challanges one may encounter when performing code review in the "real world".

3. Looking at the code review tools available and discussing the benefits and issues of using tools.

Roadmap for V2:

Major enhancements:
- Introduction to be re-written,
- Approach to code review (Risk based approach)to be re-written, re designed,
- Examples by Vulnerability and Technical control to be expanded and refined,
- Common Numbering nomenclature to be used,
- Cross reference to TG and ASVS to be done,
- New sections on tools to be introduced,
- Expand technology specific sections,
- Section on RIA (Rich Internet applications) to be introduced,
- WebServices section to be refined,
- Malware and rootkit sections to be introduced,
- PCI section to be rewritten with more x-reference to other guides.

Other ideas:
- ESAPI section: how to review OWASP ESAPI implementations?
- Risk based approach Vs ASVS levels,
- Threat modeling and Triage chapters to be revised,
- OWASP O2 section on O2 rules definition, development,
- Crawling code: Additional search vectors to be added,
- Section on Code Crawler, quick start & configuration guide.

Get Involved

All of the OWASP Guides are living documents that will continue to change as the threat and security landscape changes. We welcome everyone to join the Code Review Guide Project and help us make this document great. The best way to get started is to subscribe to the mailing list by following the link below. Please introduce yourself and ask to see if there is anything you can help with. We are always looking for new contributions. If there is a topic that you’d like to research and contribute, please let us know!

PROJECT INFO
What does this OWASP project offer you?

RELEASE(S) INFO
What releases are available for this project?

what	is this project?
Name: OWASP Code Review Project (home page)
Purpose: The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.
License: Creative Commons Attribution Share Alike 3.0
who	is working on this project?
Project Leader(s): Larry Conklin @
how	can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links: OWASP Code Review Guide's (Version 2.0) Approved Budget Code Review Guide Table of Contents OWASP Code Review Guide V1.1 - Word file OWASP Code Review Guide V1.1 - PDF file OWASP Code Review V1.1 Book Code Review Guide V1.1 - List of Contributors
Key Contacts
Contact Larry Conklin @ to contribute to this project Contact Larry Conklin @ to review or sponsor this project

current release

N/A - Unknown Date - (no download available)
Release description: N/A
Rating: {{:Projects/OWASP Code Review Project/GPC/Assessment/{{{release_name}}} \| Release Rating}}

last reviewed release

Code Review Guide V1.1 - 4 January 2009 - (download)
Release description: This release is an expanded and improved version of the former OWASP Code Review Guide’s RC 2.0 version which contains the following additional and expanded chapters: Transactional Analysis, Threat Modelling and Analysis, Example reports and how to write one, Automated code review, Rich Internet Applications, The OWASP ESAPI, Code review Metrics, Integrating Code review with an existing SDLC.
Rating: Stable Release - Assessment Details

other releases
Code Review Guide V2.0 Code Review Guide V1.1

Pages in category "OWASP Code Review Project"

The following 69 pages are in this category, out of 69 total.

A

B

C

D

Data Validation (Code Review)

E

H

How to Write an Application Code Review Finding

I

Inner classes

J

L

Logging issues

O

P

PHP Security Leading Practice

R

S

T

X

XSS Attacks

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_Code_Review_Project&oldid=179286"

Categories:

@@ Line 147: / Line 147: @@
 =Project About=
-{{:Projects/OWASP Code Review Project| Project About}
+{{:Projects/OWASP Code Review Project| Project About}}
 __NOTOC__ <headertabs />