OWASP Code Review Guide Table of Contents

Frontispiece

 * About the OWASP Code Review Project
 * About The Open Web Application Security Project

Guide History

 * Code Review Guide History

Methodology

 * Introduction
 * Preparation
 * Security Code Review in the SDLC
 * Security Code Review Coverage
 * Application Threat Modeling
 * Code Review Metrics

Crawling Code

 * Crawling Code
 * Searching for Code in J2EE/Java
 * Searching for Code in Classic ASP
 * JavaScript/Web 2.0 Keywords and Pointers

Code Reviews and PCI DSS

 * Code Reviews and Compliance

Examples by technical control

 * Authentication
 * Authorization
 * Session Management
 * Input Validation
 * Error Handling
 * Secure Deployment
 * Cryptographic controls

Examples by vulnerability

 * Reviewing Code for Buffer Overruns and Overflows
 * Reviewing Code for OS Injection
 * Reviewing Code for SQL Injection
 * Reviewing Code for Data Validation
 * Reviewing Code for Cross-site scripting
 * Reviewing Code for Cross-Site Request Forgery issues
 * Reviewing Code for Logging Issues
 * Reviewing Code for Session Integrity issues
 * Reviewing Code for Race Conditions

Java

 * Java gotchas
 * Java leading security practice

Classic ASP

 * Classic ASP Design Mistakes

PHP

 * PHP Security Leading Practice

C/C++

 * Strings and Integers

MySQL

 * Reviewing MySQL Security

Rich Internet Applications

 * Flash Applications
 * AJAX Applications
 * Reviewing Web Services

Example Reports

 * How to Write an Application Code Review Finding

Automating Code Reviews

 * Automated Code Review
 * Tool Deployment Model
 * Code Auditor Workbench Tool
 * The OWASP Orizon Framework