This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Summer Of Code: Code Review Index

Jump to: navigation, search

Code Review Introduction
Steps and Roles
Code Review Processes
Transaction Analysis
How to write an application_security finding
Applicaiton Threat Modeling
The Round Trip Code Review
Code review Metrics

Crawling Code

First sweep of the code base

Examples by Vulnerability

Reviewing Code for Buffer Overruns and Overflows
Reviewing Code for OS Injection
Reviewing Code for SQL Injection
Reviewing Code for Data Validation
Reviewing code for XSS issues
Reviewing code for Cross-Site Request Forgery issues
Reviewing Code for Error Handling
Reviewing Code for Logging Issues
Reviewing The Secure Code Environment
Reviewing Code for Authorization Issues
Reviewing Code for Authentication
Reviewing Code for Session Integrity issues
Reviewing Cryptographic Code
Reviewing Code for Race Conditions

Language specific best practice 

Java gotchas
Java leading security practice

PHP Security Leading Practice

Strings and Integers

Reviewing MySQL Security

Rich Internet Applications

Flash Applications
AJAX Applications
Web Services

Example reports 

How to write
How to determine the risk level of a finding
Sample form

Automating Code Reviews

Reasons for using automated tools
Education and cultural change
Tool Deployment Model
Code Auditor Workbench Tool
The Owasp Orizon Framework

Ways to achieve secure code on a budget

The OWASP Enterprise Security API ( ESAPI)
Resource & Budget