OWASP Code Review V2 Table of Contents

= OWASP Code Review Guide v2.0: =

Foreword

 * 1) Author - Eoin Keary
 * 2) Previous version to be updated: []

Code Review Guide History

 * 1) Author - Eoin Keary
 * 2) Previous version to be updated: []

Introduction

 * 1) Author - Eoin Keary

What is source code review and Static Analysis

 * 1) Author - Zyad Mghazli
 * 2) New Section

Manual Review - Pros and Cons

 * 1) Author - Ashish Rao
 * 2) New Section
 * 3) Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli

Scope and Objective of secure code review

 * 1) Author - Ashish Rao

We can't hack ourselves secure

 * 1) Author - Prathamesh Mhatre
 * 2) New Section

360 Review: Coupling source code review and Testing / Hybrid Reviews

 * 1) Author - Ashish Rao
 * 2) New Section

Can static code analyzers do it all?

 * 1) Author - Ashish Rao
 * 2) New Section

The code review approach

 * 1) Author - Prathamesh Mhatre

Preparation and context

 * 1) Author - Open
 * 2) Previous version to be updated: []

Application Threat Modeling

 * 1) Author - Andy, Renchie Joan
 * 2) Previous version to be updated: []

Understanding Code layout/Design/Architecture

 * 1) Author - Ashish Rao

SDLC Integration

 * 1) Author - Andy, Ashish Rao
 * 2) Previous version to be updated: []

Secure deployment configurations

 * 1) Author - Ashish Rao
 * 2) New Section

Metrics and code review

 * 1) Author - Andy
 * 2) Previous version to be updated: []

Source and sink reviews

 * 1) Author - Ashish Rao
 * 2) New Section

Code review Coverage

 * 1) Author - Open
 * 2) Previous version to be updated: []

Design Reviews

 * 1) Author - Ashish Rao
 * Why to review design?
 * Building security in design - secure by design principle
 * Design Areas to be reviewed
 * Common Design Flaws

A Risk based approach to code review

 * 1) Author - Renchie Joan
 * 2) New Section
 * "Doing things right or doing the right things..."
 * "Not all bugs are equal"

Crawling code

 * 1) Author - Abbas Naderi
 * 2) Previous version to be updated: []
 * API of Interest: Java, .NET, PHP, Ruby
 * Frameworks: Spring, .NET MVC, Struts, Zend

Searching for code in C/C++

 * 1) New Section
 * 2) Author - Gaz Robinson

Code reviews and Compliance

 * 1) Author - Manual Harti
 * 2) Previous version to be updated: []

Reviewing code for Authentication controls

 * 1) Author - Anand Prakash, Joan Renchie

Forgot password

 * 1) Author Abbas Naderi

Authentication

 * 1) Author - Anand Prakash, Joan Renchie

CAPTCHA

 * 1) Author Larry Conklin, Joan Renchie

Out of Band considerations

 * 1) Author - Open
 * 2) Previous version to be updated: []

Reviewing code for Authorization weaknesses

 * 1) Author Ashish Rao

Checking authz upon every request

 * 1) Author - Abbas Naderi, Joan Renchie

Reducing the attack surface

 * 1) Author Chris Berberich
 * 2) Previous version to be updated: []

Reviewing code for Session handling

 * 1) Author - Palak Gohil, Abbas Naderi
 * 2) Previous version to be updated: []

Reviewing client side code

 * 1) New Section

Javascript

 * 1) Author - Abbas Naderi

JSON

 * 1) Author - Open

Content Security Policy

 * 1) Author - Open

"Jacking"/Framing

 * 1) Author - Abbas Naderi

HTML 5?

 * 1) Author - Sebastien Gioria

Browser Defenses policy

 * 1) Author - Open

Review code for input validation

 * 1) Author - Open

Regex Gotchas

 * 1) Author - Abbas Naderi
 * 2) New Section

ESAPI

 * 1) Author - Abbas Naderi
 * 2) New Section
 * 3) Internal Link: []

HTML Attribute

 * 1) Author - Shenal Silva

HTML Entity

 * 1) Author - Shenal Silva

Javascript Parameters

 * 1) Author - Open

JQuery

 * 1) Author - Abbas Naderi

Reviewing file and resource handling code

 * 1) Author - Open

Resource Exhaustion - error handling

 * 1) Author - Abbas Naderi

Native calls

 * 1) Author Abbas Naderi

Reviewing Logging code - Detective Security

 * 1) Author - Palak Gohil
 * Where to Log
 * What to log
 * What not to log
 * How to log
 * 1) Internal link: []

Reviewing Error handling and Error messages

 * 1) Author - Open
 * 2) Previous version to be updated: []

Reviewing Security alerts

 * 1) Author - Open

Review for active defense

 * 1) Author - Colin Watson

Reviewing Secure Storage

 * 1) Author - Azzeddine Ramrami
 * 2) New Section

.NET

 * 1) Author Larry Conklin, Joan Renchie
 * 2) Previous version to be updated: []
 * Can we talk about key storage as well, i.e. key management for the encryption techniques used in the application? - Ashish Rao

Review Code for XSS

 * 1) Author Palak Gohil, Anand Prakash
 * 2) Previous version to be updated: []
 * 3) In reviewing code for XSS, we can give more "source to sink" patterns for ASP.NET w.r.t. different versions and mechanisms to display data in a page - Ashish Rao

Persistent - The Anti pattern

 * 1) Author Abbas Naderi

.NET

 * 1) Author Johanna Curiel, Renchie Joan

Java

 * 1) Author Palak Gohil

PHP

 * 1) Author Mohammed Damavandi, Abbas Naderi

Ruby

 * 1) Author Chris Berberich

DOM XSS

 * 1) Author Larry Conklin

JQuery mistakes

 * 1) Author Shenal Silva

Reviewing code for SQL Injection

 * 1) Author Palak Gohil, Renchie Joan
 * 2) Previous version to be updated: []

PHP

 * 1) Author - Open

Java

 * 1) Author - Open

.NET

 * 1) Author - Open

HQL

 * 1) Author - Open

PHP

 * 1) Author - Mohammad Damavandi, Abbas Naderi

Java

 * 1) Author - Palak Gohil
 * => Searching for traditional SQL, JPA, JPQL, Criteria, ...

.NET

 * 1) Author Johanna Curiel, Renchie Joan

Ruby

 * 1) Author - Open

Cold Fusion

 * 1) Author - Open

Reviewing code for CSRF Issues

 * 1) Author Palak Gohil,Anand Prakash, Abbas Naderi
 * 2) Previous version to be updated: []

Transactional logic / Non idempotent functions / State Changing Functions

 * 1) Author Abbas Naderi