OWASP Code Review V2 Table of Contents

= OWASP Code Review Guide v2.0 =

Foreword
Content here
 * 1) Author - Eoin Keary
 * 2) Previous version to be updated:[]

Code Review Guide Introduction
Content here
 * 1) Author - Eoin Keary
 * 2) Previous version to be updated:[]

What is Code Review
 Content here
 * 1) Author - Zyad Mghazli, Eoin Keary
 * 2) New Section

Manual Review - Pros and Cons

 * 1) Author - Zyad Mghazli, Eoin Keary,Gary David Robinson
 * 2) New Section
 * 3) Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli
 * 4) Put content here

Advantages of Code Review to Development Practices

 * 1) Author - Gary David Robinson
 * 2) New Section
 * 3) Put content here

Scope and Objective of secure code review

 * 1) Author - Ashish Rao
 * 2) Put content here

We can't hack ourselves secure

 * 1) Author - Eoin Keary
 * 2) New Section
 * 3) Put content here

360 Review: Coupling source code review and Testing / Hybrid Reviews

 * 1) Author - Eoin Keary
 * 2) New Section
 * 3) Put content here

Can static code analyzers do it all?

 * 1) Author - Ashish Rao
 * 2) New Section
 * 3) Put content here

=Methodology=

The code review approach

 * 1) Author - Johanna Curiel
 * 2) Put content here

Preparation and context

 * 1) Author - Gary David Robinson
 * 2) Previous version to be updated: []
 * 3) Put content here

Application Threat Modeling

 * 1) Author - Larry Conklin
 * 2) Previous version to be updated: []
 * 3) Put content here

Understanding Code layout/Design/Architecture

 * 1) Author - Open
 * 2) Put content here

Understanding Business Logic

 * 1) Put content here

SDLC Integration

 * 1) Author - Larry Conklin
 * 2) Previous version to be updated: []
 * 3) Put content here

Secure deployment configurations

 * 1) Author -
 * 2) New Section
 * 3) Put content here

Metrics and code review

 * 1) Author - Anthony.Scotka@tea.state.tx.us
 * 2) Previous version to be updated: []
 * 3) Put content here

Source and sink reviews

 * 1) Author - Open
 * 2) New Section
 * 3) Put content here

Code review Coverage

 * 1) Author - Open
 * 2) Previous version to be updated: []
 * 3) Put content here

Design Reviews

 * 1) Author - Ashish Rao
 * 2) Sub-topics:
   * Why review design?
   * Building security in at design time - the secure by design principle
   * Design areas to be reviewed
   * Common design flaws
 * 3) Put content here

A Risk based approach to code review

 * 1) Author - Gary David Robinson
 * 2) New Section
 * 3) Themes:
   * "Doing things right or doing the right things..."
   * "Not all bugs are equal"
 * 4) Put content here

Crawling code

 * 1) Author - Open
 * 2) Previous version to be updated: []
 * 3) APIs of interest:
   * Java
   * .NET
   * PHP
   * Ruby
 * 4) Frameworks:
   * Spring
   * .NET MVC
   * Struts
   * Zend
 * 5) New Section: Searching for code in C/C++
   * Author - Gary David Robinson
 * 6) Put content here

Code reviews and Compliance

 * 1) Author - Open
 * 2) Previous version to be updated: []
 * 3) Put content here

=Reviewing by Technical Control=

Reviewing code for Authentication controls

 * 1) Author - Gary Robinson
 * 2) Put content here

Forgot password

 * 1) Author Abbas Naderi, Larry Conklin
 * 2) Put content here

CAPTCHA
Content here
 * 1) Author Larry Conklin, Joan Renchie

Out of Band considerations

 * 1) Author - Gary Robinson
 * 2) Previous version to be updated: []
 * 3) Put content here

Reviewing code Authorization weakness

 * 1) Author - Eoin Keary (.NET MVC section added)
 * 2) Put content here

Checking authz upon every request

 * 1) Author - Abbas Naderi
 * 2) Put content here

Reducing the attack surface

 * 1) Author Gary Robinson
 * 2) Previous version to be updated: []
 * 3) Put content here

SSL/TLS Implementations

 * 1) Author - Eoin Keary
 * 2) Put content here

Reviewing code for Session handling

 * 1) Author - Abbas Naderi
 * 2) Previous version to be updated: []
 * 3) Put content here

Reviewing client side code

 * 1) New Section
 * 2) Put content here

Javascript

 * 1) Author - Abbas Naderi
 * 2) Put content here

JSON

 * 1) Author - Open
 * 2) Put content here

Content Security Policy

 * 1) Author - Open
 * 2) Put content here

"Jacking"/Framing

 * 1) Author - Eoin Keary
 * 2) Put content here

HTML 5?

 * 1) Author - Open
 * 2) Put content here

Browser Defenses

 * 1) Author - Open
 * 2) Put content here

Review code for input validation

 * 1) Author - Open
 * 2) Put content here

Regex Gotchas

 * 1) Author - Open
 * 2) New Section
 * 3) Put content here

ESAPI

 * 1) Author - Open
 * 2) New Section
 * 3) Internal Link: []
 * 4) Put content here

Microsoft Web Protection Library

 * 1) Author - Michael Hidalgo
 * 2) New Section
 * 3) Internal Link: []
 * 4) Put content here

Reviewing code for contextual encoding
Overall approach to content encoding and anti XSS

HTML Attribute

 * 1) Author - Eoin Keary
 * 2) Put content here

HTML Entity

 * 1) Author - Eoin Keary
 * 2) Put content here

Javascript Parameters

 * 1) Author - Eoin Keary
 * 2) Put content here

JQuery

 * 1) Author - Open
 * 2) Put content here

Reviewing file and resource handling code

 * 1) Author - Open
 * 2) Put content here

Resource Exhaustion - error handling

 * 1) Author - Open
 * 2) Put content here

native calls

 * 1) Author Open
 * 2) Put content here

Reviewing Logging code - Detective Security

 * 1) Author - Gary Robinson
 * 2) Sub-topics:
   * Where to log
   * What to log
   * What not to log
   * How to log
 * 3) Internal link: []
 * 4) Put content here

Reviewing Error handling and Error messages

 * 1) Author - Gary David Robinson
 * 2) Previous version to be updated: []
 * 3) Put content here

Reviewing Security alerts

 * 1) Author - Gary Robinson
 * 2) Put content here

Review for active defense

 * 1) Author - Colin Watson
 * 2) Put content here

Reviewing Secure Storage

 * 1) Author - Open source
 * 2) New Section
 * 3) Put content here

.NET
Content here
 * 1) Author Larry Conklin, Joan Renchie
 * 2) Previous version to be updated: []
 * Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao

=Reviewing by Vulnerability=

Review Code for XSS

 * 1) Author - Eoin Keary (examples added)
 * 2) Previous version to be updated: []
 * 3) When reviewing code for XSS we can give more "source to sink" patterns for ASP.NET with respect to the different versions and the different mechanisms for displaying data in a page - Ashish Rao
 * 4) Put content here

Persistent - The Anti pattern

 * 1) Author
 * 2) Put content here

.NET

 * 1) Author Johanna Curiel, Eoin Keary
 * 2) Put content here

Java

 * 1) Author Johanna Curiel
 * 2) Put content here

PHP

 * 1) Author Abbas Naderi
 * 2) Put content here

Ruby

 * 1) Author Open
 * 2) Put content here

Reflected - The Anti pattern

 * 1) Put content here

.NET

 * 1) Author Johanna Curiel
 * 2) Put content here

Java

 * 1) Author Johanna Curiel
 * 2) Put content here

PHP

 * 1) Author Abbas Naderi
 * 2) Put content here

Ruby

 * 1) Author - Open
 * 2) Put content here

Stored - The Anti pattern

 * 1) Author - Johanna Curiel
 * 2) Put content here

.NET

 * 1) Author Johanna Curiel
 * 2) Put content here

Java

 * 1) Author Johanna Curiel
 * 2) Put content here

PHP

 * 1) Author Johanna Curiel
 * 2) Put content here

Ruby

 * 1) Author - Johanna Curiel
 * 2) Put content here

DOM XSS

 * 1) Author Larry Conklin
 * 2) Put content here

JQuery mistakes

 * 1) Author
 * 2) Put content here

Reviewing code for SQL Injection

 * 1) Author Gary Robinson
 * 2) Previous version to be updated: []
 * 3) Put content here

PHP

 * 1) Author - Mennouchi Islam Azeddine
 * 2) Put content here

Java

 * 1) Author - Johanna Curiel
 * 2) Put content here

.NET

 * 1) Author - Open
 * 2) Put content here

HQL

 * 1) Author - Open
 * 2) Put content here

The Anti pattern
https://www.owasp.org/index.php/CRV2_AntiPattern
 * 1) Author Larry Conklin
 * 2) Content here

PHP

 * 1) Author -
 * 2) Put content here

Java

 * 1) Author -
 * 2) => Searching for traditional SQL, JPA, JPQL, Criteria, ...
 * 3) Put content here

.NET

 * 1) Author Open
 * 2) Put content here

Ruby

 * 1) Author - Open
 * 2) Put content here

Cold Fusion

 * 1) Author - Open
 * 2) Put content here

Reviewing code for CSRF Issues

 * 1) Author Abbas Naderi
 * 2) Previous version to be updated: []
 * 3) This page needs to be deleted. Put content here

(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions

 * 1) Put content here

Reviewing code for poor logic /Business logic/Complex authorization

 * 1) Author - Open
 * 2) Put content here

.NET Config

 * 1) Author - Johanna Curiel, Joan Renchie
 * 2) Put content here

Spring Config

 * 1) Author - Open
 * 2) Put content here

HTTP Headers

 * 1) Author Gary Robinson
 * 2) Put content here

Tech-Stack pitfalls

 * 1) Author Open
 * 2) Put content here

Spring

 * 1) Author - Open
 * 2) Put content here

Struts

 * 1) Author - Open
 * 2) Put content here

Drupal

 * 1) Author Open
 * 2) Put content here

Ruby on Rails

 * 1) Author - Open
 * 2) Put content here

Django

 * 1) Author Open
 * 2) Put content here

.NET Security / MVC

 * 1) Author Johanna Curiel, Eoin Keary
 * 2) Put content here

Security in ASP.NET applications

 * 1) Author Johanna Curiel
 * 2) Put content here

Strongly Named Assemblies

 * 1) Author Johanna Curiel, Larry Conklin
 * 2) Put content here

Round Tripping

 * 1) Author - Open
 * 2) Put content here

How to prevent Round tripping

 * 1) Author - Open
 * 2) Author Johanna Curiel
 * 3) Put content here

Setting the right Configurations

 * 1) Author Johanna Curiel
 * 2) Put content here

Authentication Options

 * 1) Author Johanna Curiel
 * 2) Put content here

Code Review for Managed Code - .Net 1.0 and up

 * 1) Author Johanna Curiel
 * 2) Put content here

Using OWASP Top 10 as your guideline

 * 1) Author Johanna Curiel
 * 2) Put content here

Code review for Unsafe Code (C#)

 * 1) Author Johanna Curiel
 * 2) Put content here

PHP Specific Issues

 * 1) Author Open
 * 2) Put content here

Classic ASP

 * 1) Author Johanna Curiel
 * 2) Put content here

C#

 * 1) Author Open
 * 2) Put content here

C/C++

 * 1) Author Open
 * 2) Put content here

Objective C

 * 1) Author Open
 * 2) Put content here

Java

 * 1) Author Open
 * 2) Put content here

Android

 * 1) Author Open
 * 2) Put content here

Coldfusion

 * 1) Author Open
 * 2) Put content here

CodeIgniter

 * 1) Author Open
 * 2) Put content here

=Security code review for Agile development=
 * 1) Author Carlos Pantelides
 * 2) Put content here

=Code Review for Backdoors=

 * 1) Author - Yiannis Pavlosoglou

The review of a piece of source code for backdoors has one crucial difference from a traditional source code review: someone with 'commit' or 'write' access to the source code repository has malicious intentions extending well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and is sometimes not considered a code review per se.

A traditional code review has the objective of determining whether a vulnerability is present within the code and, if so, whether it is exploitable and under what conditions. A code review for backdoors has the objective of determining whether a certain portion of the codebase carries code that is unnecessary for the logic and implementation of the use cases it serves.

Further to this, the reviewer looks for the trigger points of that unnecessary logic. Typical examples include a branch statement that leads off into a block of assembly or obfuscated code, or a condition that depends on something other than the business input (a hardcoded date, a magic parameter value). The reviewer is looking for patterns of abnormality: code segments that would not be expected to be present under normal conditions.
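As an added illustration of the trigger-point idea above (this script is not part of the original guide and is not the method of any paper it cites), the following Python scanner runs heuristic patterns over a constructed Java servlet. It flags lines that look like hidden triggers (a hardcoded epoch comparison, a hardcoded token compared with `equals`) and lines that reach sensitive capabilities (file access, process execution, dynamic code loading), and escalates a sink that sits within a few lines after a trigger, which is the shape a gated backdoor branch usually takes. The two Java samples, the pattern set and the five-line window are all assumptions made for this example; a reviewer would tune them to the codebase under review.

```python
"""Heuristic trigger-point scan for a backdoor review (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a servlet whose doGet carries an undocumented branch that
# only fires after a fixed epoch and when a magic "k" parameter is supplied,
# and which then serves an attacker-chosen file. The use case does not need it.
SUSPICIOUS_JAVA = """\
import java.io.File;
import java.nio.file.Files;
import javax.servlet.http.*;

public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String id = req.getParameter("id");
        if (System.currentTimeMillis() > 1735689600000L && "x9f3k2".equals(req.getParameter("k"))) {
            File f = new File(req.getParameter("p"));
            resp.getWriter().write(new String(Files.readAllBytes(f.toPath())));
            return;
        }
        resp.getWriter().write(renderReport(id));
    }
}
"""

# Constructed sample: the same servlet carrying only the code its use case needs.
CLEAN_JAVA = """\
public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String id = req.getParameter("id");
        resp.getWriter().write(renderReport(id));
    }
}
"""

# Trigger heuristics (assumed for this example): conditions gated on a
# hardcoded epoch-millis value or on a hardcoded token rather than on business input.
TRIGGER_PATTERNS = {
    "time_trigger": re.compile(r"currentTimeMillis\(\)\s*[<>]=?\s*\d{9,}L?|new\s+Date\(\s*\d{9,}L?\s*\)"),
    "magic_value": re.compile(r'"[A-Za-z0-9_-]{6,}"\s*\.equals\(|\.equals\(\s*"[A-Za-z0-9_-]{6,}"\s*\)'),
}

# Sink heuristics (assumed for this example): capabilities a backdoor typically wants.
SINK_PATTERNS = {
    "file_access": re.compile(r"new\s+File(InputStream|OutputStream)?\(|Files\.(read|write)\w*\("),
    "process_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder\("),
    "dynamic_code": re.compile(r"Base64\.getDecoder\(\)\.decode\(|\bdefineClass\(|Class\.forName\("),
}


@dataclass
class Finding:
    line: int
    category: str
    severity: str
    text: str


def scan(source: str, window: int = 5) -> list[Finding]:
    """Return findings for SOURCE in line order.

    Triggers are reported at severity "low" on their own. A sink is "medium" by
    default and escalated to "high" when a trigger appeared on the same line or
    within WINDOW lines before it, i.e. when it looks like a gated branch.
    """
    findings: list[Finding] = []
    trigger_lines: list[int] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for cat, rx in TRIGGER_PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(lineno, cat, "low", line.strip()))
                trigger_lines.append(lineno)
        for cat, rx in SINK_PATTERNS.items():
            if rx.search(line):
                near_trigger = any(0 <= lineno - t <= window for t in trigger_lines)
                severity = "high" if near_trigger else "medium"
                findings.append(Finding(lineno, cat, severity, line.strip()))
    return findings


if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_JAVA), ("clean", CLEAN_JAVA)):
        print(f"== {name} ==")
        for f in scan(src):
            print(f"line {f.line:>3} [{f.severity}] {f.category}: {f.text}")
```

On the constructed suspicious servlet the scanner reports the two triggers on the `if` line and escalates both file-access lines inside that branch to high, while the clean servlet produces no findings. The point of the window is not precision but triage: a grep for `new File(` alone drowns the reviewer in legitimate hits, whereas a sink that follows an unexplained time or token gate is the pattern of abnormality worth reading by hand.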

An excellent introduction to looking for rootkits in the Java programming language is the paper by J. Williams on that topic. In it Williams covers a variety of backdoor examples, including file system access through a web server and time-based attacks in which a key piece of malicious functionality is only made available after a certain amount of time. Such examples form the foundation of what any reviewer for backdoors should try to automate, regardless of the language in which the review is taking place.

=Code Review Tools=

https://www.owasp.org/index.php/CRV2_CodeReviewTools