OWASP Code Review Guide Table of Contents

1. Frontispiece
1.1 About the OWASP Code Review Project

1.2 About The Open Web Application Security Project

Guide History
Long long ago...

Methodology

 * Introduction
 * Code Review Processes
 * Steps and Roles
 * Code Review and the SDLC
 * Transactional Analysis
 * Application Threat Modeling
 * Code review Metrics

Crawling Code

 * 1) Introduction
 * 2) First sweep of the code base

Code Reviews and the PCI DSS

 * 1) Code Reviews and compliance

Examples by technical control

 * 1) Authentication
 * 2) Authorisation
 * 3) Session Management
 * 4) Input Validation
 * 5) Error Handling
 * 6) Secure Deployment
 * 7) Privacy

Examples by vulnerability

 * 1) Reviewing Code for Buffer Overruns and Overflows
 * 2) Reviewing Code for OS Injection
 * 3) Reviewing Code for SQL Injection
 * 4) Reviewing Code for Data Validation
 * 5) Reviewing Code for Cross-site scripting
 * 6) Reviewing code for Cross-Site Request Forgery issues
 * 7) Reviewing Code for Error Handling
 * 8) Reviewing Code for Logging Issues


 * 1) Reviewing Code for Authorization Issues
 * 2) Reviewing Code for Authentication
 * 3) Reviewing Code for Session Integrity issues
 * 4) Reviewing Cryptographic Code
 * 5) Reviewing Code for Race Conditions

Java

 * Java gotchas
 * Java leading security practice

Classic ASP

 * Classic_ASP_Design_Mistakes

PHP

 * PHP Security Leading Practice

C/C++

 * Strings and Integers

MySQL

 * Reviewing MySQL Security

Rich Internet Applications

 * Flash Applications
 * AJAX Applications
 * Web Services

Example reports

 * 1) How to write an application_security finding
 * 2) How to determine the risk level of a finding
 * 3) Sample form

Automating Code Reviews

 * 1) Preface
 * 2) Reasons for using automated tools
 * 3) Education and cultural change
 * 4) Tool Deployment Model
 * 5) Code Auditor Workbench Tool
 * 6) The Owasp Orizon Framework

The Owasp Code Review Top 10 flaw categories

 * Preface

The Owasp Code Review Scoring System

 * Preface