OWASP Code Review Guide Table of Contents

1. Frontispiece
1.1 About the OWASP Code Review Project

1.2 About The Open Web Application Security Project

Guide History
Long long ago...

Methodology

 * 1) Introduction
 * 2) Steps and Roles
 * 3) Code Review Processes
 * 4) Transactional Analysis
 * 5) How to write an application_security finding
 * 6) Applicaiton Threat Modeling
 * 7) The Round Trip Code Review
 * 8) Code review Metrics

Crawling Code

 * 1) Introduction
 * 2) First sweep of the code base

Code Reviews and the PCI DSS

 * 1) Code Reviews and compliance

Examples by technical control

 * 1) Authentication
 * 2) Authorisation
 * 3) Session Management
 * 4) Data Validation
 * 5) Error Handling

Examples by Vulnerability

 * 1) Reviewing Code for Buffer Overruns and Overflows
 * 2) Reviewing Code for OS Injection
 * 3) Reviewing Code for SQL Injection
 * 4) Reviewing Code for Data Validation
 * 5) Reviewing code for XSS issues
 * 6) Reviewing code for Cross-Site Request Forgery issues
 * 7) Reviewing Code for Error Handling
 * 8) Reviewing Code for Logging Issues
 * 9) Reviewing The Secure Code Environment
 * 10) Reviewing Code for Authorization Issues
 * 11) Reviewing Code for Authentication
 * 12) Reviewing Code for Session Integrity issues
 * 13) Reviewing Cryptographic Code
 * 14) Reviewing Code for Race Conditions

Java

 * 1) Java gotchas
 * 2) Java leading security practice

Classic ASP

 * 1) Classic_ASP_Design_Mistakes

PHP

 * 1) PHP Security Leading Practice

C/C++

 * 1) Strings and Integers

MySQL

 * 1) Reviewing MySQL Security

Rich Internet Applications

 * 1) Flash Applications
 * 2) AJAX Applications
 * 3) Web Services

Example reports

 * 1) How to write
 * 2) How to determine the risk level of a finding
 * 3) Sample form

Automating Code Reviews

 * 1) Preface
 * 2) Reasons for using automated tools
 * 3) Education and cultural change
 * 4) Tool Deployment Model
 * 5) Code Auditor Workbench Tool
 * 6) The Owasp Orizon Framework

Ways to achieve secure code on a budget

 * 1) The OWASP Enterprise Security API ( ESAPI)
 * 2) Resource & Budget

The Owasp Code Review Top 10 flaw categories

 * 1) Preface

The Owasp Code Review Scoring System

 * 1) Preface