OWASP Code Review Guide Table of Contents

Foreword by OWASP Chair

Frontispiece

• About the OWASP Code Review Project
• About The Open Web Application Security Project

Guide History

• Code Review Guide History

Methodology

• Introduction
• Preparation
• Security Code Review in the SDLC
• Security Code Review Coverage
• Application Threat Modeling
• Code Review Metrics

Crawling Code

• Crawling Code
• Searching for Code in J2EE/Java
• Searching for Code in Classic ASP
• JavaScript/Web 2.0 Keywords and Pointers

Code Reviews and PCI DSS

• Code Reviews and Compliance

Examples by technical control

• Authentication
• Authorization
• Session Management
• Input Validation
• Error Handling
• Secure Deployment
• Cryptographic Controls

Examples by vulnerability

• Reviewing Code for Buffer Overruns and Overflows
• Reviewing Code for OS Injection
• Reviewing Code for SQL Injection
• Reviewing Code for Data Validation
• Reviewing Code for Cross-Site Scripting
• Reviewing Code for Cross-Site Request Forgery
• Reviewing Code for Logging Issues
• Reviewing Code for Session Integrity
• Reviewing Code for Race Conditions

Language specific best practice

Java

• Java gotchas
• Java leading security practice

Classic ASP

• Classic_ASP_Design_Mistakes

PHP

• PHP Security Leading Practice

C/C++

• Strings and Integers

MySQL

• Reviewing MySQL Security

Rich Internet Applications

• Flash Applications
• AJAX Applications
• Reviewing Web Services

Example Reports

• How to Write an Application Code Review Finding

Automating Code Reviews

• Automated Code Review
• Tool Deployment Model
• Code Auditor Workbench Tool
• The Owasp Orizon Framework

The Owasp Code Review Top 9

The Owasp Code Review Scoring System

References