This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Code Review Guide Table of Contents"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
==[[Code Review Introduction|Introduction]] ==
 
==[[Code Review Introduction|Introduction]] ==
 +
'''Preface''':
 +
This document is not a “How to perform a Secure Code review” walkthrough but more a guide on how to perform a successful review. Knowing the mechanics of code inspection is a half the battle but I’m afraid people is the other half.
 +
To Perform a proper code review, to give value to the client from a risk perspective and not from an academic or text book perspective we must understand what we are reviewing.
 +
 +
Applications may have faults but the client wants to know the “real risk” and not necessarily what the security textbooks say.
 +
 +
Albeit there are real vulnerabilities in real applications out there and they pose real risk but how do we define real risk as opposed to best practice?
 +
 +
This document describes how to get the most out of a secure code review. What is important when managing an engagement with a client and how to keep your eye on the ball the see the “wood from the trees”.
 +
 +
[[Category:OWASP Code Review Project]]
 +
 
==[[Buffer Overruns and Overflows|Buffer Overruns and Overflows]] ==
 
==[[Buffer Overruns and Overflows|Buffer Overruns and Overflows]] ==
 
==[[Data Validation (Code Review)|Data Validation]] ==
 
==[[Data Validation (Code Review)|Data Validation]] ==

Revision as of 11:28, 1 June 2006

Introduction

Preface: This document is not a “How to perform a Secure Code review” walkthrough but more a guide on how to perform a successful review. Knowing the mechanics of code inspection is a half the battle but I’m afraid people is the other half. To Perform a proper code review, to give value to the client from a risk perspective and not from an academic or text book perspective we must understand what we are reviewing.

Applications may have faults but the client wants to know the “real risk” and not necessarily what the security textbooks say.

Albeit there are real vulnerabilities in real applications out there and they pose real risk but how do we define real risk as opposed to best practice?

This document describes how to get the most out of a secure code review. What is important when managing an engagement with a client and how to keep your eye on the ball the see the “wood from the trees”.

Buffer Overruns and Overflows

Data Validation

Error Handling

OS Injection

The Secure Code Environment

Transaction Analysis

XSS Attacks