CRV2 Forward

Revision as of 10:29, 8 September 2014 by EoinKeary (talk | contribs)


The OWASP Code Review Guide:

The OWASP Code Review Guide grew out of the Testing Guide, which the authors had initially contributed to and led. The original plan was to cover code review and testing in the same guide; it seemed like a good idea at the time. But the topic of security code review grew too large and evolved into its own stand-alone guide.

The Code Review guide was started in 2006 by Eoin Keary. This current version was started in April 2013 via the OWASP Project Reboot initiative.

The OWASP Code Review team consists of a small, but talented, group of volunteers who should really get out more often.

It is common knowledge that more secure software can be produced, and produced more cost-effectively, when bugs are detected early in the systems development life-cycle. Organizations with a proper code review function integrated into the software development life-cycle (SDLC) produce remarkably better code from a security standpoint. Simply put, "we can't hack ourselves secure." Attackers have far more time to find vulnerabilities in a system than the time allocated to a defender to test it. Trying to hack our way to security is an uneven battlefield: asymmetric warfare, and a losing battle.

By necessity, this guide does not cover all languages; it mainly focuses on .NET and Java, with a little C/C++ and PHP thrown in as well. However, the techniques advocated in the guide can be easily adapted to almost any code environment. Fortunately, the security flaws found in web applications are remarkably consistent across programming languages.