OWASP Code Review V2 Table of Contents

= OWASP Code Review Guide v2.0: =

Foreword

 * 1) Author - Eoin Keary
 * 2) Previous version to be updated:[]

Code Review Guide History

 * 1) Author - Eoin Keary
 * 2) Previous version to be updated:[]

Introduction

 * 1) Author - Eoin Keary

What is source code review and Static Analysis

 * 1) Author - Zyad Mghazli
 * 2) New Section

Manual Review - Pros and Cons

 * 1) Author - Ashish Rao
 * 2) New Section
 * 3) Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli

Scope and Objective of secure code review

 * 1) Author - Ashish Rao

We can't hack ourselves secure

 * 1) Author - Prathamesh Mhatre
 * 2) New Section

360 Review: Coupling source code review and Testing / Hybrid Reviews

 * 1) Author - Ashish Rao
 * 2) New Section

Can static code analyzers do it all?

 * 1) Author - Ashish Rao
 * 2) New Section

The code review approach

 * 1) Author - Prathamesh Mhatre

Preparation and context

 * 1) Author - Open
 * 2) Previous version to be updated: []

Application Threat Modeling

 * 1) Author - Andy, Renchie Joan
 * 2) Previous version to be updated: []

Understanding Code layout/Design/Architecture

 * 1) Author - Ashish Rao

SDLC Integration

 * 1) Author - Andy, Ashish Rao
 * 2) Previous version to be updated: []

Secure deployment configurations

 * 1) Author - Ashish Rao
 * 2) New Section

Metrics and code review

 * 1) Author - Andy
 * 2) Previous version to be updated: []

Source and sink reviews

 * 1) Author - Ashish Rao
 * 2) New Section

Code review Coverage

 * 1) Author - Open
 * 2) Previous version to be updated: []

Design Reviews

 * 1) Author - Ashish Rao
 * Why to review design?
 * Building security in design - secure by design principle
 * Design Areas to be reviewed
 * Common Design Flaws

A Risk based approach to code review

 * 1) Author - Renchie Joan
 * 2) New Section
 * "Doing things right or doing the right things..."
 * "Not all bugs are equal"

Crawling code

 * 1) Author - Abbas Naderi
 * 2) Previous version to be updated: []
 * API of Interest:
   * Java
   * .NET
   * PHP
   * RUBY
 * Frameworks:
   * Spring
   * .NET MVC
   * Struts
   * Zend
 * 1) New Section
 * Searching for code in C/C++
 * 1) Author - Gaz Robinson

Code reviews and Compliance

 * 1) Author - Manual Harti
 * 2) Previous version to be updated: []

Reviewing by Technical Control

Reviewing code for Authentication controls

 * 1) Author - Anand Prakash, Joan Renchie

Forgot password

 * 1) Author - Abbas Naderi

Authentication

 * 1) Author - Anand Prakash, Joan Renchie

CAPTCHA

 * 1) Author - Larry Conklin, Joan Renchie

Out of Band considerations

Reviewing code Authorisation weakness

 * 1) Author - Open
 * 2) Previous version to be updated: []
 * 1) Author - Ashish Rao

Checking authz upon every request

 * 1) Author - Abbas Naderi, Joan Renchie

Reducing the attack surface

 * 1) Author - Chris Berberich
 * 2) Previous version to be updated: []