Difference between revisions of "OWASP Code review V2 Table of Contents"

From OWASP
(19 intermediate revisions by 4 users not shown)
Line 4: Line 4:
 
==Forward==
 
==Forward==
 
# Author - Eoin Keary
 
# Author - Eoin Keary
## Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
+
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
 +
# [[CRV2_Forward|Put content here]]
  
== Code Review Guide History ==
+
== Code Review Guide Introduction==
# Author - Eoin Keary
+
## Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
+
 
+
== Introduction ==
+
 
# Author - Eoin Keary
 
# Author - Eoin Keary
 +
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
 +
# [[CRV2_Introduction|Put content here]]
  
 
=== What is source code review and Static Analysis ===
 
=== What is source code review and Static Analysis ===
 
# Author - Zyad Mghazli
 
# Author - Zyad Mghazli
## New Section
+
# New Section
 +
# [[CRV2_WhatIsCodeReview|Put content here]]
  
 
=== Manual Review - Pros and Cons ===
 
=== Manual Review - Pros and Cons ===
 
# Author - Ashish Rao
 
# Author - Ashish Rao
## New Section
+
# New Section
### Suggestion: Benchmark of different Stataic Analysis Tools  Zyad Mghazli
+
# Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli
 +
# [[CRV2_ManualReviewProsCons|Put content here]]
  
 
=== Why code review ===
 
=== Why code review ===
 
==== Scope and Objective of secure code review ====
 
==== Scope and Objective of secure code review ====
 
# Author - Ashish Rao
 
# Author - Ashish Rao
 +
# [[CRV2_WhyCodeReview|Put content here]]
  
 
=== We can't hack ourselves secure ===
 
=== We can't hack ourselves secure ===
 
# Author - Prathamesh Mhatre
 
# Author - Prathamesh Mhatre
## New Section
+
# New Section
 +
# [[CRV2_CantHackSecure|Put content here]]
  
 
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
 
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
 
# Author - Ashish Rao
 
# Author - Ashish Rao
## New Section
+
# New Section
 +
# [[CRV2_360Review|Put content here]]
  
 
=== Can static code analyzers do it all? ===
 
=== Can static code analyzers do it all? ===
 
# Author - Ashish Rao
 
# Author - Ashish Rao
## New Section
+
# New Section
 +
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]
  
==Methodology==
+
=Methodology=
 
===The code review approach===
 
===The code review approach===
 
#Author -  Prathamesh Mhatre
 
#Author -  Prathamesh Mhatre
 +
# [[CRV2_CodeReviewApproach|Put content here]]
 +
 
==== Preparation and context ====
 
==== Preparation and context ====
 
# Author - Open
 
# Author - Open
## Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
 +
# [[CRV2_PrepContext|Put content here]]
 +
 
 
====Application Threat Modeling====
 
====Application Threat Modeling====
 
#Author - Andy, Renchie Joan
 
#Author - Andy, Renchie Joan
## Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
+
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
 +
# [[CRV2_AppThreatModeling|Put content here]]
 +
 
 
====Understanding Code layout/Design/Architecture====
 
====Understanding Code layout/Design/Architecture====
 
#Author - Ashish Rao
 
#Author - Ashish Rao
 +
# [[CRV2_CodeLayoutDesignArch|Put content here]]
 +
 
===SDLC Integration===
 
===SDLC Integration===
 
#Author - Andy, Ashish Rao
 
#Author - Andy, Ashish Rao
## Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
 +
# [[CRV2_SDLCInt|Put content here]]
 +
 
 
====Deployment Models====
 
====Deployment Models====
 
=====Secure deployment configurations=====
 
=====Secure deployment configurations=====
 
#Author - Ashish Rao
 
#Author - Ashish Rao
## New Section
+
# [[CRV2_SecDepConfig|Put content here]]
 +
 
 +
# New Section
 
=====Metrics and code review=====
 
=====Metrics and code review=====
 
#Author - Andy
 
#Author - Andy
## Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
 +
# [[CRV2_MetricsCodeRev|Put content here]]
 +
 
 
=====Source and sink reviews=====
 
=====Source and sink reviews=====
 
#Author - Ashish Rao
 
#Author - Ashish Rao
## New Section
+
# New Section
 +
# [[CRV2_SourceSinkRev|Put content here]]
 +
 
 
=====Code review Coverage=====
 
=====Code review Coverage=====
 
#Author - Open
 
#Author - Open
## Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
+
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
 +
# [[CRV2_CodeRevCoverage|Put content here]]
 +
 
 
=====Design Reviews=====
 
=====Design Reviews=====
 
#Author - Ashish Rao
 
#Author - Ashish Rao
Line 71: Line 94:
 
**Design Areas to be reviewed
 
**Design Areas to be reviewed
 
**Common Design Flaws
 
**Common Design Flaws
 +
# [[CRV2_DesignRev|Put content here]]
 +
 
=====A Risk based approach to code review=====
 
=====A Risk based approach to code review=====
 
#Author - Renchie Joan
 
#Author - Renchie Joan
Line 76: Line 101:
 
*"Doing things right or doing the right things..."
 
*"Doing things right or doing the right things..."
 
**"Not all bugs are equal
 
**"Not all bugs are equal
 +
# [[CRV2_RiskBasedApproach|Put content here]]
 +
 
====Crawling code====
 
====Crawling code====
 
#Author - Abbas Naderi
 
#Author - Abbas Naderi
## Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
 
*API of Interest:
 
*API of Interest:
 
**Java
 
**Java
***.NET
+
**.NET
***PHP
+
**PHP
***RUBY
+
**RUBY
 
*Frameworks:
 
*Frameworks:
 
**Spring
 
**Spring
Line 91: Line 118:
 
#New Section
 
#New Section
 
*Searching for code in C/C++
 
*Searching for code in C/C++
#Author - Gaz Robinson
+
#Author - Gary Robinson
 +
 
 +
# [[CRV2_CrawlingCode|Put content here]]
 +
 
 
====Code reviews and Compliance====
 
====Code reviews and Compliance====
 
#Author - Manual Harti
 
#Author - Manual Harti
## Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
 +
# [[CRV2_CodeRevCompliance|Put content here]]
 +
 
 +
=Reviewing by Technical Control=
 +
===Reviewing code for Authentication controls===
 +
#Author - Anand Prakash, Joan Renchie
 +
# [[CRV2_AuthControls|Put content here]]
 +
 
 +
====Forgot password====
 +
#Author Abbas Naderi
 +
# [[CRV2_ForgotPassword|Put content here]]
 +
 
 +
====Authentication====
 +
#Author - Anand Prakash, Joan Renchie
 +
# [[CRV2_Authentication|Put content here]]
 +
 
 +
====CAPTCHA====
 +
#Author Larry Conklin, Joan Renchie
 +
# [[CRV2_CAPTCHA|Put content here]]
 +
 
 +
====Out of Band considerations====
 +
#Author - Open
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
 +
# [[CRV2_OutofBand|Put content here]]
 +
 
 +
===Reviewing code Authorization weakness===
 +
#Author Ashish Rao
 +
# [[CRV2_AuthorizationWeaknesses|Put content here]]
 +
 
 +
====Checking authz upon every request====
 +
#Author - Abbas Naderi, Joan Renchie
 +
# [[CRV2_CheckAuthzEachRequest|Put content here]]
 +
 
 +
====Reducing the attack surface====
 +
#Author Chris Berberich
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
 +
# [[CRV2_ReducingAttSurf|Put content here]]
 +
 
 +
====Reviewing code for Session handling====
 +
#Author - Palak Gohil, Abbas Naderi
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
 +
# [[CRV2_SessionHandling|Put content here]]
 +
 
 +
====Reviewing client side code====
 +
#New Section
 +
# [[CRV2_ClientSideCodeIntro|Put content here]]
 +
 
 +
=====Javascript=====
 +
#Author - Abbas Naderi
 +
# [[CRV2_ClientSideCodeJScript|Put content here]]
 +
 
 +
=====JSON=====
 +
#Author - Open
 +
# [[CRV2_ClientSideCodeJSon|Put content here]]
 +
 
 +
=====Content Security Policy=====
 +
#Author - Open
 +
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]
 +
 
 +
====="Jacking"/Framing=====
 +
#Author - Abbas Naderi
 +
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]
 +
 
 +
=====HTML 5?=====
 +
#Author - Sebastien Gioria
 +
# [[CRV2_ClientSideCodeHTML5|Put content here]]
 +
 
 +
=====Browser Defenses policy=====
 +
#Author - Open
 +
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]
 +
 
 +
=====etc...=====
 +
 
 +
====Review code for input validation====
 +
#Author - Open
 +
# [[CRV2_InputValIntro|Put content here]]
 +
 
 +
=====Regex Gotchas=====
 +
#Author - Abbas Naderi
 +
#New Section
 +
# [[CRV2_InputValRegexGotchas|Put content here]]
 +
 
 +
=====ESAPI=====
 +
#Author - Abbas Naderi
 +
#New Section
 +
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 +
# [[CRV2_InputValESAPI|Put content here]]
 +
 
 +
====Reviewing code for contextual encoding====
 +
=====HTML Attribute=====
 +
#Author - Shenai Silva
 +
# [[CRV2_ContextEncHTMLAttribute|Put content here]]
 +
 
 +
=====HTML Entity=====
 +
#Author - Shenai Silva
 +
# [[CRV2_ContextEncHTMLEntity|Put content here]]
 +
 
 +
=====Javascript Parameters=====
 +
#Author - Open
 +
# [[CRV2_ContextEncJscriptParams|Put content here]]
 +
 
 +
=====JQuery=====
 +
#Author - Abbas Naderi
 +
# [[CRV2_ContextEncJQuery|Put content here]]
 +
 
 +
====Reviewing file and resource handling code====
 +
#Author - Open
 +
# [[CRV2_FileResourceHandling|Put content here]]
 +
 
 +
====Resource Exhaustion - error handling====
 +
#Author - Abbas Naderi
 +
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]
 +
 
 +
=====native calls=====
 +
#Author Abbas Naderi
 +
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]
 +
 
 +
====Reviewing Logging code - Detective Security====
 +
#Author - Palak Gohil
 +
* Where to Log
 +
* What to log
 +
* What not to log
 +
* How to log
 +
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
 +
# [[CRV2_LoggingCode|Put content here]]
 +
 
 +
====Reviewing Error handling and Error messages====
 +
#Author - Gary Robinson
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
 +
# [[CRV2_ErrorHandlingMessages|Put content here]]
 +
 
 +
====Reviewing Security alerts====
 +
#Author - Open
 +
# [[CRV2_SecurityAlerts|Put content here]]
 +
 
 +
====Review for active defense====
 +
#Author - Colin Watson
 +
# [[CRV2_ActiveDefense|Put content here]]
 +
 
 +
====Reviewing Secure Storage====
 +
#Author - Azzeddine Ramrami
 +
# New Section
 +
# [[CRV2_SecureStorage|Put content here]]
 +
 
 +
====Hashing & Salting - When, How and Where====
 +
=====Encryption=====
 +
======.NET======
 +
#Author Larry Conklin, Joan Renchie
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
 +
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
 +
# [[CRV2_HashingandSaltingdotNet|Put content here]]
 +
 
 +
=Reviewing by Vulnerability=
 +
===Review Code for XSS===
 +
#Author Palak Gohil, Anand Prakash
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
 +
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET w.r.t. different versions and mechanisms to display data in a page - Ashish Rao
 +
# [[CRV2_RevCodeXSS|Put content here]]
 +
 
 +
===Persistent - The Anti pattern===
 +
#Author Abbas Naderi
 +
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]
 +
 
 +
====.NET====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]
 +
 
 +
====.Java====
 +
#Author Palak Gohil
 +
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]
 +
 
 +
====PHP====
 +
#Author Mohammed Damavandi, Abbas Naderi
 +
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]
 +
 
 +
====Ruby====
 +
#Author Chris Berberich
 +
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]
 +
 
 +
===Reflected - The Anti pattern===
 +
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]
 +
 
 +
====.NET====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]
 +
 
 +
====.Java====
 +
#Author Palak Gohil
 +
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]
 +
 
 +
====PHP====
 +
#Author Mohammed Damavandi, Abbas Naderi
 +
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]
 +
 
 +
====Ruby====
 +
# Author - Open
 +
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]
 +
 
 +
===Stored - The Anti pattern===
 +
# Author - Open
 +
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]
 +
 
 +
====.NET====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]
 +
 
 +
====.Java====
 +
#Author Palak Gohil
 +
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]
 +
 
 +
====PHP====
 +
#Author Mohammed Damavandi, Abbas Naderi
 +
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]
 +
 
 +
====Ruby====
 +
#Author - Open
 +
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]
 +
 
 +
===DOM XSS ===
 +
#Author Larry Conklin
 +
# [[CRV2_DOMXSS|Put content here]]
 +
 
 +
===JQuery mistakes===
 +
#Author Shenal Silva
 +
# [[CRV2_JQueryMistakes|Put content here]]
 +
 
 +
===Reviewing code for SQL Injection===
 +
#Author Palak Gohil, Renchie Joan
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
 +
# [[CRV2_RevCodeSQLInjection|Put content here]]
 +
 
 +
====PHP====
 +
#Author - Mennouchi Islam Azeddine
 +
# [[CRV2_SQLInjPHP|Put content here]]
 +
 
 +
====Java====
 +
#Author - Open
 +
# [[CRV2_SQLInjJava|Put content here]]
 +
 
 +
====.NET====
 +
#Author - Mennouchi Islam Azeddine
 +
# [[CRV2_SQLInjdotNET|Put content here]]
 +
 
 +
====HQL====
 +
#Author - Open
 +
# [[CRV2_SQLInjHQL|Put content here]]
 +
 
 +
===The Anti pattern===
 +
====PHP====
 +
#Author - Mohammad Damavandi, Abbas Naderi
 +
# [[CRV2_AntiPatternPHP|Put content here]]
 +
 
 +
====Java====
 +
#Author - Palak Gohil
 +
#=> Searching for traditional SQL, JPA, JPSQL, Criteria, ...
 +
# [[CRV2_AntiPatternJava|Put content here]]
 +
 
 +
====.NET====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_AntiPatterndotNet|Put content here]]
 +
 
 +
====Ruby====
 +
#Author - Open
 +
# [[CRV2_AntiPatternRuby|Put content here]]
 +
 
 +
====Cold Fusion====
 +
#Author - Open
 +
# [[CRV2_AntiPatternColdFusion|Put content here]]
 +
 
 +
===Reviewing code for CSRF Issues===
 +
#Author Palak Gohil, Anand Prakash, Abbas Naderi
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
 +
# [[CRV2_CSRFIssues|Put content here]]
 +
 
 +
===Transactional logic / Non idempotent functions / State Changing Functions===
 +
#Author Abbas Naderi
 +
# [[CRV2_TransLogic|Put content here]]
 +
 
 +
===Reviewing code for poor logic /Business logic/Complex authorization===
 +
#Author - Open
 +
# [[CRV2_PoorLogic|Put content here]]
 +
 
 +
===Reviewing Secure Communications===
 +
====.NET Config====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_SecCommsdotNet|Put content here]]
 +
 
 +
====Spring Config====
 +
#Author - Open
 +
# [[CRV2_SecCommsSpringConfig|Put content here]]
 +
 
 +
====HTTP Headers====
 +
#Author Gregory Disney, Abbas Naderi
 +
# [[CRV2_SecCommsHTTPHdrs|Put content here]]
 +
 
 +
=====CSP=====
 +
#Author Gregory Disney
 +
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]
 +
 
 +
=====HSTS=====
 +
#Author Abbas Naderi
 +
# [[CRV2_SecCommsHTTPHSTS|Put content here]]
 +
 
 +
===Tech-Stack pitfalls===
 +
#Author Gregory Disney
 +
# [[CRV2_TechStackPitfalls|Put content here]]
 +
 
 +
===Framework specific Issues===
 +
====Spring====
 +
#Author - Open
 +
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]
 +
 
 +
====Struts====
 +
#Author - Open
 +
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]
 +
 
 +
====Drupal====
 +
#Author Gregory Disney
 +
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]
 +
 
 +
====Ruby on Rails====
 +
#Author - Open
 +
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]
 +
 
 +
====Django====
 +
#Author Gregory Disney
 +
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]
 +
 
 +
====.NET Security / MVC====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]
 +
 
 +
====Security in ASP.NET applications====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]
 +
 
 +
=====Strongly Named Assemblies=====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]
 +
 
 +
======Round Tripping======
 +
# Author - Open
 +
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]
 +
 
 +
======How to prevent Round tripping======
 +
# Author - Open
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]
 +
 
 +
=====Setting the right Configurations=====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]
 +
 
 +
=====Authentication Options=====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]
 +
 
 +
=====Code Review for Managed Code - .Net 1.0 and up=====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]
 +
 
 +
=====Using OWASP Top 10 as your guideline=====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]
 +
 
 +
=====Code review for Unsafe Code (C#)=====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]
 +
 
 +
====PHP Specific Issues====
 +
#Author Mohammad Damavandi, Abbas Naderi
 +
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]
 +
 
 +
====Classic ASP====
 +
#Author Johanna Curiel
 +
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]
 +
 
 +
====C#====
 +
#Author Johanna Curiel, Renchie Joan
 +
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]
 +
 
 +
====C/C++====
 +
#Author Gary Robinson
 +
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]
 +
 
 +
====Objective C====
 +
#Author Open
 +
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]
 +
 
 +
====Java====
 +
#Author Palak Gohil
 +
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]
 +
 
 +
====Android====
 +
#Author Open
 +
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]
 +
 
 +
====Coldfusion====
 +
#Author Open
 +
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]
 +
 
 +
=Security code review for Agile development=
 +
#Author Open
 +
# [[CRV2_CodeReviewAgile|Put content here]]
 +
 
 +
=Willing to review drafts=
 +
#Terry Nerpester
 +
#Larry Conklin
 +
#Gary Robinson

Revision as of 21:45, 2 May 2013

OWASP Code Review Guide v2.0:

Forward

  1. Author - Eoin Keary
  2. Previous version to be updated:[[1]]
  3. Put content here

Code Review Guide Introduction

  1. Author - Eoin Keary
  2. Previous version to be updated:[[2]]
  3. Put content here

What is source code review and Static Analysis

  1. Author - Zyad Mghazli
  2. New Section
  3. Put content here

Manual Review - Pros and Cons

  1. Author - Ashish Rao
  2. New Section
  3. Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli
  4. Put content here

Why code review

Scope and Objective of secure code review

  1. Author - Ashish Rao
  2. Put content here

We can't hack ourselves secure

  1. Author - Prathamesh Mhatre
  2. New Section
  3. Put content here

360 Review: Coupling source code review and Testing / Hybrid Reviews

  1. Author - Ashish Rao
  2. New Section
  3. Put content here

Can static code analyzers do it all?

  1. Author - Ashish Rao
  2. New Section
  3. Put content here

Methodology

The code review approach

  1. Author - Prathamesh Mhatre
  2. Put content here

Preparation and context

  1. Author - Open
  2. Previous version to be updated: [[3]]
  3. Put content here

Application Threat Modeling

  1. Author - Andy, Renchie Joan
  2. Previous version to be updated: [[4]]
  3. Put content here

Understanding Code layout/Design/Architecture

  1. Author - Ashish Rao
  2. Put content here

SDLC Integration

  1. Author - Andy, Ashish Rao
  2. Previous version to be updated: [[5]]
  3. Put content here

Deployment Models

Secure deployment configurations

  1. Author - Ashish Rao
  2. Put content here
  3. New Section

Metrics and code review

  1. Author - Andy
  2. Previous version to be updated: [[6]]
  3. Put content here

Source and sink reviews

  1. Author - Ashish Rao
  2. New Section
  3. Put content here

Code review Coverage

  1. Author - Open
  2. Previous version to be updated: [[7]]
  3. Put content here

Design Reviews

  1. Author - Ashish Rao
  • Why to review design?
    • Building security in design - secure by design principle
    • Design Areas to be reviewed
    • Common Design Flaws
  2. Put content here

A Risk based approach to code review

  1. Author - Renchie Joan
  2. New Section
  • "Doing things right or doing the right things..."
    • "Not all bugs are equal"
  3. Put content here

Crawling code

  1. Author - Abbas Naderi
  2. Previous version to be updated: [[8]]
  • API of Interest:
    • Java
    • .NET
    • PHP
    • RUBY
  • Frameworks:
    • Spring
    • .NET MVC
    • Struts
    • Zend
  3. New Section
  • Searching for code in C/C++
  4. Author - Gary Robinson
  5. Put content here

Code reviews and Compliance

  1. Author - Manual Harti
  2. Previous version to be updated: [[9]]
  3. Put content here

Reviewing by Technical Control

Reviewing code for Authentication controls

  1. Author - Anand Prakash, Joan Renchie
  2. Put content here

Forgot password

  1. Author Abbas Naderi
  2. Put content here

Authentication

  1. Author - Anand Prakash, Joan Renchie
  2. Put content here

CAPTCHA

  1. Author Larry Conklin, Joan Renchie
  2. Put content here

Out of Band considerations

  1. Author - Open
  2. Previous version to be updated: [[10]]
  3. Put content here

Reviewing code Authorization weakness

  1. Author Ashish Rao
  2. Put content here

Checking authz upon every request

  1. Author - Abbas Naderi, Joan Renchie
  2. Put content here

Reducing the attack surface

  1. Author Chris Berberich
  2. Previous version to be updated: [[11]]
  3. Put content here

Reviewing code for Session handling

  1. Author - Palak Gohil, Abbas Naderi
  2. Previous version to be updated: [[12]]
  3. Put content here

Reviewing client side code

  1. New Section
  2. Put content here
Javascript

  1. Author - Abbas Naderi
  2. Put content here

JSON

  1. Author - Open
  2. Put content here

Content Security Policy

  1. Author - Open
  2. Put content here

"Jacking"/Framing

  1. Author - Abbas Naderi
  2. Put content here

HTML 5?

  1. Author - Sebastien Gioria
  2. Put content here

Browser Defenses policy

  1. Author - Open
  2. Put content here

etc...

Review code for input validation

  1. Author - Open
  2. Put content here
Regex Gotchas

  1. Author - Abbas Naderi
  2. New Section
  3. Put content here

ESAPI

  1. Author - Abbas Naderi
  2. New Section
  3. Internal Link: [[13]]
  4. Put content here

Reviewing code for contextual encoding

HTML Attribute

  1. Author - Shenai Silva
  2. Put content here

HTML Entity

  1. Author - Shenai Silva
  2. Put content here

Javascript Parameters

  1. Author - Open
  2. Put content here

JQuery

  1. Author - Abbas Naderi
  2. Put content here

Reviewing file and resource handling code

  1. Author - Open
  2. Put content here

Resource Exhaustion - error handling

  1. Author - Abbas Naderi
  2. Put content here
native calls

  1. Author Abbas Naderi
  2. Put content here

Reviewing Logging code - Detective Security

  1. Author - Palak Gohil
  • Where to Log
  • What to log
  • What not to log
  • How to log
  2. Internal link: [[14]]
  3. Put content here

Reviewing Error handling and Error messages

  1. Author - Gary Robinson
  2. Previous version to be updated: [[15]]
  3. Put content here

Reviewing Security alerts

  1. Author - Open
  2. Put content here

Review for active defense

  1. Author - Colin Watson
  2. Put content here

Reviewing Secure Storage

  1. Author - Azzeddine Ramrami
  2. New Section
  3. Put content here

Hashing & Salting - When, How and Where

Encryption

.NET

  1. Author Larry Conklin, Joan Renchie
  2. Previous version to be updated: [[16]]
  • Can we talk about key storage as well, i.e. key management for encryption techniques used in the application? - Ashish Rao
  3. Put content here

Reviewing by Vulnerability

Review Code for XSS

  1. Author Palak Gohil, Anand Prakash
  2. Previous version to be updated: [[17]]
  3. In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET w.r.t. different versions and mechanisms to display data in a page - Ashish Rao
  4. Put content here

Persistent - The Anti pattern

  1. Author Abbas Naderi
  2. Put content here

.NET

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

.Java

  1. Author Palak Gohil
  2. Put content here

PHP

  1. Author Mohammed Damavandi, Abbas Naderi
  2. Put content here

Ruby

  1. Author Chris Berberich
  2. Put content here

Reflected - The Anti pattern

  1. Put content here

.NET

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

.Java

  1. Author Palak Gohil
  2. Put content here

PHP

  1. Author Mohammed Damavandi, Abbas Naderi
  2. Put content here

Ruby

  1. Author - Open
  2. Put content here

Stored - The Anti pattern

  1. Author - Open
  2. Put content here

.NET

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

.Java

  1. Author Palak Gohil
  2. Put content here

PHP

  1. Author Mohammed Damavandi, Abbas Naderi
  2. Put content here

Ruby

  1. Author - Open
  2. Put content here

DOM XSS

  1. Author Larry Conklin
  2. Put content here

JQuery mistakes

  1. Author Shenal Silva
  2. Put content here

Reviewing code for SQL Injection

  1. Author Palak Gohil, Renchie Joan
  2. Previous version to be updated: [[18]]
  3. Put content here

PHP

  1. Author - Mennouchi Islam Azeddine
  2. Put content here

Java

  1. Author - Open
  2. Put content here

.NET

  1. Author - Mennouchi Islam Azeddine
  2. Put content here

HQL

  1. Author - Open
  2. Put content here

The Anti pattern

PHP

  1. Author - Mohammad Damavandi, Abbas Naderi
  2. Put content here

Java

  1. Author - Palak Gohil
  2. => Searching for traditional SQL, JPA, JPSQL, Criteria, ...
  3. Put content here

.NET

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Ruby

  1. Author - Open
  2. Put content here

Cold Fusion

  1. Author - Open
  2. Put content here

Reviewing code for CSRF Issues

  1. Author Palak Gohil, Anand Prakash, Abbas Naderi
  2. Previous version to be updated: [[19]]
  3. Put content here

Transactional logic / Non idempotent functions / State Changing Functions

  1. Author Abbas Naderi
  2. Put content here

Reviewing code for poor logic /Business logic/Complex authorization

  1. Author - Open
  2. Put content here

Reviewing Secure Communications

.NET Config

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Spring Config

  1. Author - Open
  2. Put content here

HTTP Headers

  1. Author Gregory Disney, Abbas Naderi
  2. Put content here
CSP

  1. Author Gregory Disney
  2. Put content here

HSTS

  1. Author Abbas Naderi
  2. Put content here

Tech-Stack pitfalls

  1. Author Gregory Disney
  2. Put content here

Framework specific Issues

Spring

  1. Author - Open
  2. Put content here

Struts

  1. Author - Open
  2. Put content here

Drupal

  1. Author Gregory Disney
  2. Put content here

Ruby on Rails

  1. Author - Open
  2. Put content here

Django

  1. Author Gregory Disney
  2. Put content here

.NET Security / MVC

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Security in ASP.NET applications

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here
Strongly Named Assemblies

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Round Tripping

  1. Author - Open
  2. Put content here

How to prevent Round tripping

  1. Author - Open
  2. Author Johanna Curiel, Renchie Joan
  3. Put content here

Setting the right Configurations

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Authentication Options

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Code Review for Managed Code - .Net 1.0 and up

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Using OWASP Top 10 as your guideline

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Code review for Unsafe Code (C#)

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

PHP Specific Issues

  1. Author Mohammad Damavandi, Abbas Naderi
  2. Put content here

Classic ASP

  1. Author Johanna Curiel
  2. Put content here

C#

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

C/C++

  1. Author Gary Robinson
  2. Put content here

Objective C

  1. Author Open
  2. Put content here

Java

  1. Author Palak Gohil
  2. Put content here

Android

  1. Author Open
  2. Put content here

Coldfusion

  1. Author Open
  2. Put content here

Security code review for Agile development

  1. Author Open
  2. Put content here

Willing to review drafts

  1. Terry Nerpester
  2. Larry Conklin
  3. Gary Robinson