OWASP Code Review V2 Table of Contents

= OWASP Code Review Guide v2.0: =

Forward
Content here
 * 1) Author - Eoin Keary
 * 2) Previous version to be updated:[]

Code Review Guide Introduction
Content here
 * 1) Author - Eoin Keary
 * 2) Previous version to be updated:[]

What is Code Review
 Content here
 * 1) Author - Zyad Mghazli
 * 2) New Section

Manual Review - Pros and Cons

 * 1) Author - Ashish Rao
 * 2) New Section
 * 3) Suggestion: Benchmark of different Stataic Analysis Tools  Zyad Mghazli
 * 4) Put content here

Advantages of Code Review to Development Practices

 * 1) Author - Gary David Robinson
 * 2) New Section
 * 3) Put content here

Scope and Objective of secure code review

 * 1) Author - Ashish Rao
 * 2) Put content here

We can't hack ourselves secure

 * 1) Author - Prathamesh Mhatre
 * 2) New Section
 * 3) Put content here

360 Review: Coupling source code review and Testing / Hybrid Reviews

 * 1) Author - Ashish Rao
 * 2) New Section
 * 3) Put content here

Can static code analyzers do it all?

 * 1) Author - Ashish Rao
 * 2) New Section
 * 3) Put content here

=Methodology=

The code review approach

 * 1) Author - Prathamesh Mhatre
 * 2) Put content here

Preparation and context

 * 1) Author - Gary David Robinson
 * 2) Previous version to be updated: []
 * 3) Put content here

Application Threat Modeling

 * 1) Author - Andy, Renchie Joan
 * 2) Previous version to be updated: []
 * 3) Put content here

Understanding Code layout/Design/Architecture

 * 1) Author - Ashish Rao
 * 2) Put content here

SDLC Integration

 * 1) Author - Andy, Ashish Rao
 * 2) Previous version to be updated: []
 * 3) Put content here

Secure deployment configurations

 * 1) Author - Ashish Rao
 * 2) Put content here


 * 1) New Section

Metrics and code review

 * 1) Author - Andy
 * 2) Previous version to be updated: []
 * 3) Put content here

Source and sink reviews

 * 1) Author - Ashish Rao
 * 2) New Section
 * 3) Put content here

Code review Coverage

 * 1) Author - Open
 * 2) Previous version to be updated: []
 * 3) Put content here

Design Reviews

 * 1) Author - Ashish Rao
 * Why to review design?
 * Building security in design - secure by design principle
 * Design Areas to be reviewed
 * Common Design Flaws
 * 1) Put content here

A Risk based approach to code review

 * 1) Author - Renchie Joan
 * 2) New Section
 * "Doing things right or doing the right things..."
 * "Not all bugs are equal
 * 1) Put content here

Crawling code

 * 1) Author - Abbas Naderi
 * 2) Previous version to be updated: []
 * API of Interest:
 * Java
 * .NET
 * PHP
 * RUBY
 * Frameworks:
 * Spring
 * .NET MVC
 * Structs
 * Zend
 * 1) New Section
 * Searching for code in C/C++
 * 1) Author - Gary David Robinson


 * 1) Put content here

Code reviews and Compliance

 * 1) Author -Manual Harti
 * 2) Previous version to be updated: []
 * 3) Put content here

=Reviewing by Technical Control=

Reviewing code for Authentication controls

 * 1) Author - Anand Prakash, Joan Renchie
 * 2) Put content here

Forgot password

 * 1) Author Abbas Naderi, Larry Conklin
 * 2) Put content here

Authentication

 * 1) Author - Anand Prakash, Joan Renchie
 * 2) Put content here

CAPTCHA
Content here
 * 1) Author Larry Conklin, Joan Renchie

Out of Band considerations

 * 1) Author - Open
 * 2) Previous version to be updated: []
 * 3) Put content here

Reviewing code Authorization weakness

 * 1) Author Ashish Rao (Eoin Keary .NET MVC added)
 * 2) Put content here

Checking authz upon every request

 * 1) Author - Abbas Naderi, Joan Renchie
 * 2) Put content here

Reducing the attack surface

 * 1) Author Chris Berberich
 * 2) Previous version to be updated: []
 * 3) Put content here

SSL/TLS Implementations

 * 1) Author - Eoin Keary
 * 2) Put content here

Reviewing code for Session handling

 * 1) Author - Palak Gohil, Abbas Naderi
 * 2) Previous version to be updated: []
 * 3) Put content here

Reviewing client side code

 * 1) New Section
 * 2) Put content here

Javascript

 * 1) Author - Abbas Naderi
 * 2) Put content here

JSON

 * 1) Author - Open
 * 2) Put content here

Content Security Policy

 * 1) Author - Open
 * 2) Put content here

"Jacking"/Framing

 * 1) Author - Eoin Keary
 * 2) Put content here

HTML 5?

 * 1) Author - Sebastien Gioria
 * 2) Put content here

Browser Defenses policy

 * 1) Author - Open
 * 2) Put content here

Review code for input validation

 * 1) Author - Open
 * 2) Put content here

Regex Gotchas

 * 1) Author - Abbas Naderi
 * 2) New Section
 * 3) Put content here

ESAPI

 * 1) Author - Abbas Naderi
 * 2) New Section
 * 3) Internal Link: []
 * 4) Put content here

Reviewing code for contextual encoding
Overall approach to content encoding and anti XSS

HTML Attribute

 * 1) Author - Eoin Keary
 * 2) Put content here

HTML Entity

 * 1) Author - Eoin Keary
 * 2) Put content here

Javascript Parameters

 * 1) Author - Open
 * 2) Put content here

JQuery

 * 1) Author - Abbas Naderi
 * 2) Put content here

Reviewing file and resource handling code

 * 1) Author - Open
 * 2) Put content here

Resource Exhaustion - error handling

 * 1) Author - Abbas Naderi
 * 2) Put content here

native calls

 * 1) Author Abbas Naderi
 * 2) Put content here

Reviewing Logging code - Detective Security

 * 1) Author - Palak Gohil
 * Where to Log
 * What to log
 * What not to log
 * How to log
 * 1) Internal link: []
 * 2) Put content here

Reviewing Error handling and Error messages

 * 1) Author - Gary David Robinson
 * 2) Previous version to be updated: []
 * 3) Put content here

Reviewing Security alerts

 * 1) Author - Open
 * 2) Put content here

Review for active defense

 * 1) Author - Colin Watson
 * 2) Put content here

Reviewing Secure Storage

 * 1) Author - Azzeddine Ramrami
 * 2) New Section
 * 3) Put content here

.NET
Content here
 * 1) Author Larry Conklin, Joan Renchie
 * 2) Previous version to be updated: []
 * Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao

=Reviewing by Vulnerability=

Review Code for XSS

 * 1) Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
 * 2) Previous version to be updated: []
 * 3) In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
 * 4) Put content here

Persistent - The Anti pattern

 * 1) Author Abbas Naderi
 * 2) Put content here

.NET

 * 1) Author Johanna Curiel, Renchie Joan, Larry Conklin
 * 2) Put content here

.Java

 * 1) Author Palak Gohil, Johanna Curiel
 * 2) Put content here

PHP

 * 1) Author Mohammed Damavandi, Abbas Naderi
 * 2) Put content here

Ruby

 * 1) Author Chris Berberich
 * 2) Put content here

Reflected - The Anti pattern

 * 1) Put content here

.NET

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

.Java

 * 1) Author Palak Gohil, Johanna Curiel
 * 2) Put content here

PHP

 * 1) Author Mohammed Damavandi, Abbas Naderi
 * 2) Put content here

Ruby

 * 1) Author - Open
 * 2) Put content here

Stored - The Anti pattern

 * 1) Author - Open
 * 2) Put content here

.NET

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

.Java

 * 1) Author Palak Gohil, Johanna Curiel
 * 2) Put content here

PHP

 * 1) Author Mohammed Damavandi, Abbas Naderi
 * 2) Put content here

Ruby

 * 1) Author - Open
 * 2) Put content here

DOM XSS

 * 1) Author Larry Conklin
 * 2) Put content here

JQuery mistakes

 * 1) Author Shenal Silva
 * 2) Put content here

Reviewing code for SQL Injection

 * 1) Author Palak Gohil, Renchie Joan
 * 2) Previous version to be updated: []
 * 3) Put content here

PHP

 * 1) Author - Mennouchi Islam Azeddine
 * 2) Put content here

Java

 * 1) Author - Johanna Curiel
 * 2) Put content here

.NET

 * 1) Author - Mennouchi Islam Azeddine
 * 2) Put content here

HQL

 * 1) Author - Open
 * 2) Put content here

The Anti pattern
https://www.owasp.org/index.php/CRV2_AntiPattern
 * 1) Author Larry Conklin
 * 2) Content here

PHP

 * 1) Author - Mohammad Damavandi, Abbas Naderi
 * 2) Put content here

Java

 * 1) Author - Palak Gohil
 * 2) => Searching for traditional SQL,JPA,JPSQL,Criteria,...
 * 3) Put content here

.NET

 * 1) Author Johanna Curiel, Renchie Joan,Larry Conklin
 * 2) Put content here

Ruby

 * 1) Author - Open
 * 2) Put content here

Cold Fusion

 * 1) Author - Open
 * 2) Put content here

Reviewing code for CSRF Issues

 * 1) Author Palak Gohil,Anand Prakash, Abbas Naderi
 * 2) Previous version to be updated: []
 * 3) Put content here

Transactional logic / Non idempotent functions / State Changing Functions

 * 1) Author Abbas Naderi
 * 2) Put content here

Reviewing code for poor logic /Business logic/Complex authorization

 * 1) Author - Sam Denard
 * 2) Put content here

.NET Config

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

Spring Config

 * 1) Author - Open
 * 2) Put content here

HTTP Headers

 * 1) Author Gregory Disney, Abbas Naderi
 * 2) Put content here

CSP

 * 1) Author Gregory Disney
 * 2) Put content here

HSTS

 * 1) Author Abbas Naderi
 * 2) Put content here

Tech-Stack pitfalls

 * 1) Author Gregory Disney
 * 2) Put content here

Spring

 * 1) Author - Open
 * 2) Put content here

Structs

 * 1) Author - Open
 * 2) Put content here

Drupal

 * 1) Author Gregory Disney
 * 2) Put content here

Ruby on Rails

 * 1) Author - Open
 * 2) Put content here

Django

 * 1) Author Gregory Disney
 * 2) Put content here

.NET Security / MVC

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

Security in ASP.NET applications

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

Strongly Named Assemblies

 * 1) Author Johanna Curiel, Renchie Joan, Larry Conklin
 * 2) Put content here

Round Tripping

 * 1) Author - Open
 * 2) Put content here

How to prevent Round tripping

 * 1) Author - Open
 * 2) Author Johanna Curiel, Renchie Joan
 * 3) Put content here

Setting the right Configurations

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

Authentication Options

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

Code Review for Managed Code - .Net 1.0 and up

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

Using OWASP Top 10 as your guideline

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

Code review for Unsafe Code (C#)

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

PHP Specific Issues

 * 1) Author Mohammad Damavandi, Abbas Naderi
 * 2) Put content here

Classic ASP

 * 1) Author Johanna Curiel
 * 2) Put content here

C#

 * 1) Author Johanna Curiel, Renchie Joan
 * 2) Put content here

C/C++

 * 1) Author Gary David Robinson
 * 2) Put content here

Objective C

 * 1) Author Open
 * 2) Put content here

Java

 * 1) Author Palak Gohil
 * 2) Put content here

Android

 * 1) Author Open
 * 2) Put content here

Coldfusion

 * 1) Author Open
 * 2) Put content here

CodeIgniter

 * 1) Author User:Zakiakhmad
 * 2) Put content here

=Security code review for Agile development=
 * 1) Author Carlos Pantelides
 * 2) Put content here

=Code Review Tools= https://www.owasp.org/index.php/CRV2_CodeReviewTools

=Willing to review drafts=
 * 1) Terry Nerpester
 * 2) Larry Conklin
 * 3) Gary David Robinson
 * 4) Simon Whittaker
 * 5) Jason Johnson
 * 6) Carlos Pantelides
 * 7) Damien Moran