Code Review Guide Frontispiece
Welcome to the OWASP Code Review Guide 1.0
“I'm glad software developers don't build cars”
-- Eoin Keary
OWASP thanks the authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Code review Guide, please e-mail the Code review Guide mail list:
Copyright and License
Copyright (c) 2007 The OWASP Foundation.
This document is released under the Creative Commons 2.5 License. Please read and understand the license and copyright conditions.
The Code review guide originated in 2006 and an splinter project from the testing guide. It was concieved by Eoin Keary in 2005 and transformed into a wiki.
- September 30, 2007
- "OWASP Code Review Guide", Version 1.0
Eoin Keary: OWASP Code Review Guide 2005- Lead
Jenelle Chapman Andrew van der Stock Eoin Keary Paolo Perego David Lowry David Rook
- Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
- Microsoft is a registered trademark of Microsoft Corporation.
- OWASP is a registered trademark of the OWASP Foundation
All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.
OWASP Code Review Guide Project
The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.t
Gary and I are still in the process of editing content and putting in place with Hugo Costa. Gary and I will also be attending project summary at this years AppSecUSA 2015 in San Francisco. We hope to get some good editing and technical reviews done on the content. Please help by providing technical and grammar feedback to finalize the beta release via email to Larry Conklin or Gary Robinson or to project mailing list or attending project summary.
The project team: Larry Conklin, Johanna Curiel , Michael Hidalgo ,Eoin Keary, Islam Azeddine Mennouchi, Abbas Naderi ,Carlos Pantelides, Ashish Rao, Gary David Robinson, Josh Stroschein ,Colin Watson, Mghazli Zyad
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
Spring Of Code 2007
The Code review guide is proudly sponsored by the OWASP Spring of Code (SpOC) 2007. For more information please see Spring of Code 2007
Summer of Code 2008
The Code review guide is proudly sponsored by the OWASP Summer of Code (SoC) 2008. For more information please see OWASP Summer of Code 2008.
What is the Code Review Guide?
OWASP Code Review Guide provides:
OWASP Testing Guide 
News and Events
Code Review Guide V1.1 on Lulu.
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead. We are actively seeking individuals to add new sections as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please drop me a line email@example.com.
The project's overall goal is to...
be a reference document for the purpose of performing code review. This project shall provide examples in the most common web application development languages (Java and C# .NET)
In the near term, we are focused on the following tactical goals...
1. Looking at each attack type and examine the anti-pattern associated with the vulnerability which makes the attack possible. This shall include code examples to guide a reviewer on what to look for.
2. Looking at the code review process, how it is managed and challanges one may encounter when performing code review in the "real world".
3. Looking at the code review tools available and discussing the benefits and issues of using tools.
4. See also Code Review Guide V2.0's Roadmap.
Roadmap for V2:
- Major enhancements:
- Introduction to be re-written,
- Approach to code review (Risk based approach)to be re-written, re designed,
- Examples by Vulnerability and Technical control to be expanded and refined,
- Common Numbering nomenclature to be used,
- Cross reference to TG and ASVS to be done,
- New sections on tools to be introduced,
- Expand technology specific sections,
- Section on RIA (Rich Internet applications) to be introduced,
- WebServices section to be refined,
- Malware and rootkit sections to be introduced,
- PCI section to be rewritten with more x-reference to other guides.
- Other ideas:
- ESAPI section: how to review OWASP ESAPI implementations?
- Risk based approach Vs ASVS levels,
- Threat modeling and Triage chapters to be revised,
- OWASP O2 section on O2 rules definition, development,
- Crawling code: Additional search vectors to be added,
- Section on Code Crawler, quick start & configuration guide.
All of the OWASP Guides are living documents that will continue to change as the threat and security landscape changes. We welcome everyone to join the Code Review Guide Project and help us make this document great. The best way to get started is to subscribe to the mailing list by following the link below. Please introduce yourself and ask to see if there is anything you can help with. We are always looking for new contributions. If there is a topic that you’d like to research and contribute, please let us know!
| PROJECT INFO
What does this OWASP project offer you?
| RELEASE(S) INFO|
What releases are available for this project?