This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Category:OWASP Code Review Project

From OWASP
Revision as of 18:08, 3 June 2017 by Larry Conklin (talk | contribs) (Classifications)

Jump to: navigation, search
Lab big.jpg

The Release Candidate for the OWASP Code Review Guide is now available!

Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource.

We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.

Thank you, Larry Conklin, Gary Robinson OWASP Code Review Guides Co-Leaders

Introduction

OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.

Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.

The last big section is the appendix. Here we have content like code reviewer list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.

Review of Code Review Guide 2.0

Constructive comments on this OWASP Top 10 - 2017 Release Candidate should be forwarded via email to [email protected]. Private comments may be sent to [email protected] or [email protected] . All comments are welcome. All comments should indicate the specific relevant page and section.

All feedback is critical to the continued success of the OWASP Code Review Guide.

Licensing

OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


Project Leader

  • Larry Conklin [1]
  • Gary Robinson [2]

Related Projects

OWASP Testing Guide [3]


Quick Download

In Print

Code Review Guide 2.0 will be available in Lulu in the near future.

Code Review Guide V1.1 on Lulu.

Classifications

Owasp-defenders-small.png
Cc-button-y-sa-small.png
File:Project Type Files DOCUMENT.jpg

Volunteers

The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead. Current project leaders are Larry Conklin and Gary Robinson If you are interested in volunteering for the project, or have a comment, question, or suggestion, please drop me a line [email protected] or [email protected]

Get Involved

All of the OWASP Guides are living documents that will continue to change as the threat and security landscape changes. We welcome everyone to join the Code Review Guide Project and help us make this document great. The best way to get started is to subscribe to the mailing list by following the link below or contact the project leaders listed below.

Please introduce yourself and ask to see if there is anything you can help with. We are always looking for new contributions. If there is a topic that you’d like to research and contribute, please let us know!

Code Review Mailing list[email protected]
Project leaders [email protected] or [email protected]
PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Code Review Project (home page)
Purpose: The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.

License: Creative Commons Attribution Share Alike 3.0
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
current release
N/A - Unknown Date - (no download available)
Release description: N/A
Rating: {{:Projects/OWASP Code Review Project/GPC/Assessment/{{{release_name}}} | Release Rating}}
last reviewed release
Code Review Guide V1.1 - 4 January 2009 - (download)
Release description:

This release is an expanded and improved version of the former OWASP Code Review Guide’s RC 2.0 version which contains the following additional and expanded chapters: Transactional Analysis, Threat Modelling and Analysis, Example reports and how to write one, Automated code review, Rich Internet Applications, The OWASP ESAPI, Code review Metrics, Integrating Code review with an existing SDLC.

Rating: Greenlight.pngGreenlight.pngGreenlight.png Stable Release - Assessment Details


other releases

Pages in category "OWASP Code Review Project"

The following 69 pages are in this category, out of 69 total.