Code Review Guide Frontispiece

From OWASP
Revision as of 09:58, 15 September 2008 by EoinKeary (talk | contribs) (Revision History)

Jump to: navigation, search

Welcome to the OWASP Code Review Guide 1.1

“Thank Jaysus for the interweb”
-- Eoin Keary

OWASP thanks the authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Code review Guide, please e-mail the Code review Guide mail list:

https://lists.owasp.org/mailman/listinfo/owasp-codereview

Copyright and License

Copyright (c) 2008 The OWASP Foundation.

This document is released under the Creative Commons 2.5 License. Please read and understand the license and copyright conditions.

Revision History

The Code review guide originated in 2006 and an splinter project from the testing guide. It was concieved by Eoin Keary in 2005 and transformed into a wiki.

September 30, 2007
"OWASP Code Review Guide", Version 1.0 (RC1)
December 22, 2007
""OWASP Code Review Guide", Version 1.0 (RC2)
November 01, 2008
"OWASP Code Review Guide", Version 1.1 (Release)

Editors

Eoin Keary: OWASP Code Review Guide 2005- Lead

Authors

Jenelle Chapman
Andrew van der Stock
Eoin Keary
Paolo Perego
David Lowry
David Rook

Reviewers

Jeff Williams

Trademarks

  • Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
  • Microsoft is a registered trademark of Microsoft Corporation.
  • OWASP is a registered trademark of the OWASP Foundation

All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Lab big.jpg
OWASP Defenders logo.png This project is part of the OWASP Defenders community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.
OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.

The Release Candidate for the OWASP Code Review Guide is now available!

Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.

Thank you, Larry Conklin, Gary Robinson OWASP Code Review Guides Co-Leaders

Introduction

OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.

Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.

The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.

Review of Code Review Guide 2.0

Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.

All feedback is critical to the continued success of the OWASP Code Review Guide.

Licensing

OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


Project Leader

  • Larry Conklin [1]
  • Gary Robinson [2]

Project Email

  • Project Email [3]

Classifications

Owasp-defenders-small.png

Cc-button-y-sa-small.png

Project Type Files DOC.jpg

Related Projects

OWASP Testing Guide [4]


Quick Download

In Print

Code Review Guide 2.0 will be available in Lulu in the near future.

Code Review Guide V1.1 on Lulu.

The OWASP Code Review project was conceived by Eoin Keary, the OWASP Dublin Founder and Chapter Lead.

Code Review Mailing list[5]
Project leaders larry.conklin@owasp.org or gary.robinson@owasp.org