Category:OWASP Code Review Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

Introduction
The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.t

Alpha Release OWASP Code Review 2.0
OWASP Code Review Guide 2.0 Alpha release is now available. It is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.

The document is divided into two main sections. One section covers the why (reasons for doing secure code reviews) and how. This section main focus is IT management and project leads.

Second sections deals with vulnerabilities. It is based on the poplar OWASP top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.

The last big section is the appendix. Here we have content like code reviewer list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.

Alpha Peer Review of Code Review Guide 2.0
We have a small amount of content that is not in the code review guide. Both Gary and I are working on completing this. One thing we have tried to do is to have the code review guide flow as a book than a collection of separate articles based on a major topic.

Code Review Guide 2.0 needs the following to be peer reviewed:


 * 1) Grammar, spelling.
 * 2) Review content that is easily understandable, not complex to be understood and or followed.
 * 3) Code is correct.
 * 4) No outdated code or components. I.e code sample shows.Net, Java, PHP of release that is at least 8 years old in how current software is being written.  This is very subjective; a good example is java struts where java struts 2.0 would be coded entirely different.
 * 5) Missing content. Did we exclude or gloss over some content that needs to be included? We can’t include everything or we would never get done but if you feel we need to include something please ay so.
 * 6) We are looking for good useable, and complete feedback.

'On the editing process, it will be of great help if a reviewer could send of the corrected paragraph or code block along with the chapter, and page numbers. '

Because of some unforeseen issues we are not able to provide a word document. I apologize for that, however editing the PDF is very possible and should not stop the review process.

Licensing
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is the Code Review Guide?
OWASP Code Review Guide provides:


 * OWASP Code Review Guide Table of Contents from v1

Project Leader

 * Larry Conklin [mailto:larry.conklin@owasp.org]
 * Gary Robinson [mailto:gary.robinson@owasp.org]

Related Projects
OWASP Testing Guide


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download

 * Beta review version of OWASP Code Review Guide for AppSec EU 2016 Summit
 * Code Review Guide V1.1
 * Alpha Release Code Review Guide 2.0
 * Word doc to track changes/additions/deletions to Alpha Release Code review Guide 2.0

Email List
Sign up

News and Events
Code Review Guide 2.0 Alpha Release is now available

OWASP New York Chapter March 2 2016

First before anything else both Gary and I want to thank the New York OWASP Chapter for being willing to have a working session on reviewing the work of the Code Review Guide team. I know its much more exciting to learn new hacking techniques or procedures to prevent it. Never less reviewing the book is a very much-needed effort and Gary and I very much appreciate everyone in New York taking time to do this.

I also want to give out a big shout of thanks to Ken Belva for help in pushing both Gary and myself to get the document ready for everyone. Last but not least we both also want to thank Helen Gao and Charles Beganskas.

In Print
Code Review Guide V1.1 on Lulu.

Classifications

 * }

=FAQs=

= Acknowledgements =

Volunteers
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead. Current project leaders are Larry Conklin and Gary Robinson If you are interested in volunteering for the project, or have a comment, question, or suggestion, please drop me a line [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]

Get Involved
All of the OWASP Guides are living documents that will continue to change as the threat and security landscape changes. We welcome everyone to join the Code Review Guide Project and help us make this document great. The best way to get started is to subscribe to the mailing list by following the link below or contact the project leaders listed below.

Please introduce yourself and ask to see if there is anything you can help with. We are always looking for new contributions. If there is a topic that you’d like to research and contribute, please let us know!

Code Review Mailing list[mailto:owasp-codereview@lists.owasp.org owasp-codereview@lists.owasp.org]

Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]

=Project About=