Category:OWASP Source Code Flaws Top 10 Project Roadmap

From OWASP
Revision as of 10:24, 14 December 2008 by Paulo Coimbra (Talk | contribs)


This project deliverable will be a document with an outline very close to the OWASP Top 10 one. The document will contain, for each category:

  • a description of the category itself,
  • a non-exhaustive list of security checks that can be assigned to this category.

For each security check, some examples in 2 or 3 web-oriented programming languages will be provided to show:

  • broken code,
  • how to fix it,
  • the related Top 10 category that can apply when the source code is executed,
  • some links to existing material.

E.g. (to match the A1-A10 style, maybe using C1-C10, with the leading C standing for Code):

  • C1 - Missing input validation; some words about why this is a security issue in source code.
  • Check list:
    • C1-0x1: Don't build queries using concatenation and java.sql.Statement; example of bad code using Statement and example of good code using PreparedStatement and filtering the parameter using a whitelist,
    • C1-0xn: n-th security check; example of bad code and example of good code.
  • Corresponding Top 10 categories (if applicable):
    • Cross Site Scripting,
    • Injection Flaws,
    • Malicious file execution,
    • CSRF.
  • Link: some links about filtering input.

My very rough draft of the Top 10 is:

  • Missing input validation,
  • Information leakage and improper error handling (matches the Top 10 perfectly),
  • Insecure communications (all the checks about how the transport layer is used, SSL handling in communication, certificates, insecure usage of pipes, sockets, and so on…),
  • Architectural weakness (all the bad things that can happen to a software architecture. If you don't perform good threat modeling, then your architecture can be subverted. All issues about communication with auxiliary systems must be in this category: insecure connection pool usage, poor SMTP usage, insecure SQL... not SQL injection),
  • Direct object reference,
  • Design weakness (software design issues… scope… number of methods…),
  • Documentation weakness (if your code is poorly documented, poorly annotated…),
  • Usage of potentially unsafe APIs (usage of deprecated or potentially dangerous APIs (gets(), java.sql.Statement, …)),
  • Misuse of local resources (infinite loops, resources allocated but never freed, garbage collector issues, …),
  • Best practices violation (naming conventions and all the stuff that doesn't match other categories but is known in the literature).

Related Top 10 categories:

  • Insecure cryptographic storage,
  • Broken auth and session management,
  • Failure to restrict URL access.
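As an added illustration of what the C1-0x1 entry asks for (this is example code written for this page, not material from the project or the Code Review Guide), the following Java class shows the broken pattern, a query built by concatenating a request parameter into the SQL text and run through java.sql.Statement, next to the fixed pattern, a whitelist check on the parameter followed by a PreparedStatement with the value bound as a parameter. The table name `users`, its columns `id` and `username`, the whitelist pattern and the class name are all assumptions; the Connection is assumed to come from the application's DataSource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example for check C1-0x1. Hypothetical schema: table "users" with
 * columns "id" (integer) and "username" (text). The Connection is assumed to
 * be obtained from the application's DataSource by the caller.
 */
public class UserLookup {

    // Whitelist for the username parameter: letters, digits, dot, underscore,
    // hyphen and apostrophe, 1 to 32 characters. Anything else is rejected
    // before the value gets anywhere near the database layer.
    private static final Pattern USERNAME_WHITELIST =
            Pattern.compile("^[A-Za-z0-9._'-]{1,32}$");

    /** Broken code: the untrusted value becomes part of the SQL text. */
    public static List<Integer> findUserIdsBroken(Connection conn, String username)
            throws SQLException {
        // A perfectly legitimate name such as O'Brien already changes the
        // structure of this statement; the database sees the quote as syntax.
        String sql = "SELECT id FROM users WHERE username = '" + username + "'";
        List<Integer> ids = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                ids.add(rs.getInt("id"));
            }
        }
        return ids;
    }

    /** Fixed code: validate against the whitelist, then bind the value. */
    public static List<Integer> findUserIdsFixed(Connection conn, String username)
            throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("username rejected by whitelist");
        }
        // The SQL text is constant; the driver transmits the value separately,
        // so its characters can never be interpreted as SQL.
        String sql = "SELECT id FROM users WHERE username = ?";
        List<Integer> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getInt("id"));
                }
            }
        }
        return ids;
    }

    /** Whitelist check used by the fixed version; null is rejected too. */
    public static boolean isValidUsername(String username) {
        return username != null && USERNAME_WHITELIST.matcher(username).matches();
    }

    /** Exercises the whitelist on constructed inputs; needs no database. */
    public static void main(String[] args) {
        String[] candidates = {"alice", "O'Brien", "bob;extra", "", "a name with spaces"};
        for (String candidate : candidates) {
            System.out.println("\"" + candidate + "\" -> "
                    + (isValidUsername(candidate) ? "accepted" : "rejected"));
        }
    }
}
```

The whitelist deliberately allows an apostrophe so that a real name like O'Brien passes validation: that input is correct data, yet it still breaks the concatenated query, which is why input filtering alone is not the fix and the parameter must be bound through PreparedStatement. The whitelist earns its place for the things binding cannot cover, such as column or table names chosen from a fixed set and length or character-set limits the application wants to enforce before the value is stored or logged.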

My goal is to put this Top 10 summary in the Code Review Guide, with a snippet of all the information contained, and to use this taxonomy to gather security checks for OWASP Orizon. With this I will finally have linked the static analysis tool and the related guide together.
