Code Review Guide Frontispiece

From OWASP

Contents 1 Welcome to the OWASP Code Review Guide 1.0 2 Copyright and License 3 Revision History 4 Editors 5 Authors 6 Reviewers 7 Trademarks 8 Contents 9 Code review guide to be part of Summer of Code 2008 10 Code Review Guide (RC2) Completed 11 Code review tool 12 Owasp Orizon Code review engine 13 Spring Of Code 2007 14 Project Contributors 15 Volunteers Needed 16 Subscribe to the list 17 Roadmap

Welcome to the OWASP Code Review Guide 1.0

“I'm glad software developers don't build cars”
-- Eoin Keary

OWASP thanks the authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Code review Guide, please e-mail the Code review Guide mail list:

https://lists.owasp.org/mailman/listinfo/owasp-codereview

Copyright and License

Copyright (c) 2007 The OWASP Foundation.

This document is released under the Creative Commons 2.5 License. Please read and understand the license and copyright conditions.

Revision History

The Code review guide originated in 2006 and an splinter project from the testing guide. It was concieved by Eoin Keary in 2005 and transformed into a wiki.

September 30, 2007

"OWASP Code Review Guide", Version 1.0

Editors

Eoin Keary: OWASP Code Review Guide 2005- Lead

Authors

Jenelle Chapman
Andrew van der Stock
Eoin Keary
Paolo Perego
David Lowry
David Rook

Reviewers

Jeff Williams

Trademarks

• Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
• Microsoft is a registered trademark of Microsoft Corporation.
• OWASP is a registered trademark of the OWASP Foundation

All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

This project has produced a book that can be downloaded or purchased. Feel free to browse the full catalog of available OWASP books.

Click here to return to OWASP Projects page.

Click here to see (& edit, if wanted) the template.

PROJECT IDENTIFICATION
Project Name	OWASP Code Review Project V1.1
Short Project Description	The code review guide is currently at version RC 2.0 and the second best selling OWASP book. I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project. The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Proposal: I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.
Email Contacts	Project Leader Eoin Keary	Project Contributors (if applicable) Name&Email	Mailing List/Subscribe Mailing List/Use	First Reviewer Rahim Jina Curriculum	Second Reviewer P.Satish Kumar Curriculum	OWASP Board Member Jeff Williams

PROJECT MAIN LINKS
Code Review Guide Table of Contents Code Review Guide (RC2) Book (If appropriate, links to be added)

RELATED PROJECTS
OWASP Code Crawler Project OWASP Orizon Project

SPONSORS & GUIDELINES
Sponsor - OWASP Summer of Code 2008	Sponsored Project/Guidelines/Roadmap

ASSESSMENT AND REVIEW PROCESS
Review/Reviewer	Author's Self Evaluation (applicable for Alpha Quality & further)	First Reviewer (applicable for Alpha Quality & further)	Second Reviewer (applicable for Beta Quality & further)	OWASP Board Member (applicable just for Release Quality)
50% Review	Objectives & Deliveries reached? Yes/No (To update) --------- See&Edit:50% Review/Self-Evaluation (A)	Objectives & Deliveries reached? Yes/No (To update) --------- See&Edit: 50% Review/1st Reviewer (C)	Objectives & Deliveries reached? Yes/No (To update) --------- See&Edit: 50%Review/2nd Reviewer (E)	X
Final Review	Objectives & Deliveries reached? Yes/No (To update) --------- Which status has been reached? Season of Code - (To update) --------- See&Edit: Final Review/SelfEvaluation (B)	Objectives & Deliveries reached? Yes/No (To update) --------- Which status has been reached? Season of Code - (To update) --------- See&Edit: Final Review/1st Reviewer (D)	Objectives & Deliveries reached? Yes/No (To update) --------- Which status has been reached? Season of Code - (To update) --------- See&Edit: Final Review/2nd Reviewer (F)	Objectives & Deliveries reached? Yes/No (To update) --------- Which status has been reached? Season of Code - (To update) --------- See/Edit: Final Review/Board Member (G)

Contents

OWASP Code Review Guide Table of Contents

Code review guide to be part of Summer of Code 2008

The OWASP code review guide is to given the go-ahead for the summer of code 2008. This shall enable the authors to further expand and refine the guide.
Volunteers welcome for SoC 2008

Code Review Guide (RC2) Completed

The code review guide has been completed and is available here: http://www.lulu.com/content/1415989 Either as a free PDF or a bound book.

Code review tool

The following link is for the new version of Code Crawler,code review tool which examines code for keywords discussed in the section "First sweep of the code base"
It has a new look and feel and also uses MS SQL Server express.

you can find it here:

http://www.cyphersec.com/software_archive/CodeCrawler.rar It's a lightweight tool and undergoing constant development.

Source code can be found here: http://www.cyphersec.com/software_archive/CodeCrawler_source.rar

Owasp Orizon Code review engine

The Owasp Orizon Project is born in 2006 to provide a set of APIs to provide an opensource engine to provide static analysis services to developers that wants to build a code review tool.

The Owasp Orizon will evolve accordingly in order to implement security checks described in the Code Review Guide. With the framework a UI is also provided in order to give people a standalone tool to realize code review for the security flaws listed in the "The Owasp Code Review Top 10 flaw categories"

The Owasp Orizon main page is available here: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project

Source code is hosted at Sourceforge.net site: http://orizon.sourceforge.net

Spring Of Code 2007

The Code review guide is proudly sponsored by the OWASP Spring of Code (SpOC) 2007. For more information please see http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007

Project Contributors

The OWASP Code Review project was conceived by Eoin Keary the OWASP Ireland Founder and Chapter Lead. We are actively seeking techies to add new sections as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please drop me a line mailto:eoin.keary@owasp.org

Volunteers Needed

Yes please, drop me a line. Need help on this one, don't be shy, all help appreciated

Subscribe to the list

Go here to subscribe to the maillist.

http://lists.owasp.org/mailman/listinfo/owasp-codereview

Roadmap

View the OWASP Code Review Project Roadmap