OWASP Code Review Guide Table of Contents

1. Frontispiece

 * About the OWASP Code Review Project
 * About The Open Web Application Security Project

Guide History

 * Code Review Guide History

Methodology

 * Introduction
 * Preparation
 * Security Code Review in the SDLC
 * Security Code Review Coverage
 * Application Threat Modeling
 * Code Review Metrics

Crawling Code

 * 1) Crawling Code
 * 2) Searching for Code in J2EE/Java
 * 3) Searching for Code in Classic ASP
 * 4) JavaScript/Web 2.0 Keywords and Pointers

Code Reviews and PCI DSS

 * 1) Code Reviews and Compliance

Examples by technical control

 * 1) Authentication
 * 2) Authorization
 * 3) Session Management
 * 4) Input Validation
 * 5) Error Handling
 * 6) Secure Deployment
 * 7) Cryptographic controls

Examples by vulnerability

 * 1) Reviewing Code for Buffer Overruns and Overflows
 * 2) Reviewing Code for OS Injection
 * 3) Reviewing Code for SQL Injection
 * 4) Reviewing Code for Data Validation
 * 5) Reviewing Code for Cross-site scripting
 * 6) Reviewing Code for Cross-Site Request Forgery issues
 * 7) Reviewing Code for Logging Issues
 * 8) Reviewing Code for Session Integrity issues
 * 9) Reviewing Code for Race Conditions

Java

 * Java gotchas
 * Java leading security practice

Classic ASP

 * Classic ASP Design Mistakes

PHP

 * PHP Security Leading Practice

C/C++

 * Strings and Integers

MySQL

 * Reviewing MySQL Security

Rich Internet Applications

 * Flash Applications
 * AJAX Applications
 * Reviewing Web Services

Example reports

 * 1) How to Write an Application Code Review Finding

Automating Code Reviews

 * 1) Automated Code Review
 * 2) Tool Deployment Model
 * 3) Code Auditor Workbench Tool
 * 4) The OWASP Orizon Framework

The OWASP Code Review Scoring System

 * Preface