This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summer Of Code 2008 Index of Tasks Assigned"

From OWASP
Jump to: navigation, search
 
(2 intermediate revisions by one other user not shown)
Line 7: Line 7:
 
Transaction Analysis<b> Want to update</b><br>
 
Transaction Analysis<b> Want to update</b><br>
 
How to write an application_security finding<br>
 
How to write an application_security finding<br>
Applicaiton Threat Modeling<b> NEW-Author Name:<Add Here> </b><br>
+
Application Threat Modeling<b> NEW-Author Name:<Add Here> </b><br>
 +
Marco Morana
 +
 
 
The Round Trip Code Review<b> NEW-Author Name:<Add Here> </b><br>
 
The Round Trip Code Review<b> NEW-Author Name:<Add Here> </b><br>
 
Code review Metrics<b> NEW-Author Name:<Add Here> </b><br>
 
Code review Metrics<b> NEW-Author Name:<Add Here> </b><br>
Line 66: Line 68:
 
Tool Deployment Model<br>
 
Tool Deployment Model<br>
 
Code Auditor Workbench Tool<br>
 
Code Auditor Workbench Tool<br>
The Owasp Orizon Framework<br>
+
The Owasp Orizon Framework: <b>Paolo Perego &lt;[email protected]&gt;</b><br>
 +
 +
Owasp Code Review Guide Top 10 <b>Paolo Perego &lt;[email protected]&gt;</b><br>
 +
 
 +
Owasp Code Review Source scoring system <b>Paolo Perego &lt;[email protected]&gt;</b>
 +
(checks how to help Eoin with source code metrics evaluation in order to create a standard scoring system for sources)
 +
 
  
 
  Ways to achieve secure code on a budget<br>
 
  Ways to achieve secure code on a budget<br>

Latest revision as of 10:19, 29 May 2008

OWASP Code Review Guide Table of Contents

Methodology

Code Review Introduction|Introduction
Steps and Roles
Code Review Processes
Transaction Analysis Want to update
How to write an application_security finding
Application Threat Modeling NEW-Author Name:<Add Here>
Marco Morana

The Round Trip Code Review NEW-Author Name:<Add Here>
Code review Metrics NEW-Author Name:<Add Here>
Allison Shubert

Crawling Code

Introduction
First sweep of the code base


Examples by Vulnerability

The Following sections need to be updated. Extra examples of good and bad code needed. Diagrams and flows regarding solutions. Additional vulnerabilities to be added also
Reviewing Code for Buffer Overruns and Overflows
Reviewing Code for OS Injection
Reviewing Code for SQL Injection
Reviewing Code for Data Validation
Reviewing code for XSS issues
Reviewing code for Cross-Site Request Forgery issues
Reviewing Code for Error Handling
Reviewing Code for Logging Issues
Reviewing The Secure Code Environment
Reviewing Code for Authorization Issues
Reviewing Code for Authentication
Reviewing Code for Session Integrity issues
Reviewing Cryptographic Code
Reviewing Code for Race Conditions

Language specific best practice 

Java
Java gotchas
Java leading security practice

PHP
PHP Security Leading Practice

C/C++
Strings and Integers

MySQL
Reviewing MySQL Security

Need to Update and add additional examples and text
Rich Internet Applications
Flash Applications
AJAX Applications
Web Services

Example reports 

How to write NEW-Author Name:<Add Here>
How to determine the risk level of a finding NEW-Author Name:<Add Here>
Sample form NEW-Author Name:<Add Here>

Automating Code Reviews

Preface
Reasons for using automated tools
Education and cultural change
Tool Deployment Model
Code Auditor Workbench Tool
The Owasp Orizon Framework: Paolo Perego <[email protected]>

Owasp Code Review Guide Top 10 Paolo Perego <[email protected]>
Owasp Code Review Source scoring system Paolo Perego <[email protected]>

(checks how to help Eoin with source code metrics evaluation in order to create a standard scoring system for sources)


Ways to achieve secure code on a budget

The OWASP Enterprise Security API ( ESAPI) NEW-Author Name:<Add Here>
Resource & Budget NEW-Author Name:<Add Here>


References