Difference between revisions of "OWASP Code review V2 Table of Contents"

From OWASP
Line 126: Line 126:
 
=====Content Security Policy=====
 
=====Content Security Policy=====
 
#Author - Open
 
#Author - Open
====="Jacking"/Framing
+
====="Jacking"/Framing=====
 
#Author - Abbas Naderi
 
#Author - Abbas Naderi
 
=====HTML 5?=====
 
=====HTML 5?=====
Line 141: Line 141:
 
##New Section
 
##New Section
 
## Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 
## Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 +
====Reviewing code for contextual encoding====
 +
=====HTML Attribute=====
 +
#Author - Shenai Silva
 +
=====HTML Entity=====
 +
#Author - Shenai Silva
 +
=====Javascript Parameters=====
 +
#Author - Open
 +
=====JQuery=====
 +
#Author - Abbas Naderi
 +
====Reviewing file and resource handling code====
 +
=====Resource Exhaustion - error handling====
 +
#Author - Abbas Naderi
 +
=====native calls=====
 +
#Author Abbas Naderi
 +
====Reviewing Logging code - Detective Security
 +
#Author - Palak Gohil
 +
* Where to Log
 +
* What to log
 +
* What not to log
 +
* How to log
 +
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
 +
 +
====Reviewing Error handling and Error messages====
 +
#Author - Open
 +
## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
 +
====Reviewing Security alerts====
 +
#Author - Open
 +
====Review for active defense====
 +
#Author - Colin Watson
 +
 +
====Reviewing Secure Storage====
 +
#Author - Azzeddine Ramrami
 +
##New Section
 +
====Hashing & Salting - When, How and Where====
 +
=====Encrpyption=====
 +
======.NET======
 +
#Author Larry Conklin, Joan Renchie
 +
## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
 +
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
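Review bot: the added heading `====Reviewing Logging code - Detective Security` has no closing `====`, so MediaWiki will render it as literal text instead of a section heading; `=====Resource Exhaustion - error handling====` opens with five `=` but closes with four and has the same problem. Suggest `====Reviewing Logging code - Detective Security====` and `=====Resource Exhaustion - error handling=====`. Smaller points in the same hunk: `=====Encrpyption=====` should read `Encryption`; `#Author Abbas Naderi` and `#Author Larry Conklin, Joan Renchie` drop the ` - ` separator used on every other author line; and the `## Internal Link: [[https://...]]` entries wrap a full URL in wikilink double brackets, which renders as a bare numbered link inside literal brackets rather than a titled link, so a single-bracket external link `[https://... Title]` or a plain `[[Page_Name]]` wikilink would be cleaner.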

Revision as of 19:43, 18 April 2013

Contents

OWASP Code Review Guide v2.0:

Foreword

  1. Author - Eoin Keary
    1. Previous version to be updated:[[1]]

Code Review Guide History

  1. Author - Eoin Keary
    1. Previous version to be updated:[[2]]

Introduction

  1. Author - Eoin Keary

What is source code review and Static Analysis

  1. Author - Zyad Mghazli
    1. New Section

Manual Review - Pros and Cons

  1. Author - Ashish Rao
    1. New Section
      1. Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli

Why code review

Scope and Objective of secure code review

  1. Author - Ashish Rao

We can't hack ourselves secure

  1. Author - Prathamesh Mhatre
    1. New Section

360 Review: Coupling source code review and Testing / Hybrid Reviews

  1. Author - Ashish Rao
    1. New Section

Can static code analyzers do it all?

  1. Author - Ashish Rao
    1. New Section

Methodology

The code review approach

  1. Author - Prathamesh Mhatre

Preparation and context

  1. Author - Open
    1. Previous version to be updated: [[3]]

Application Threat Modeling

  1. Author - Andy, Renchie Joan
    1. Previous version to be updated: [[4]]

Understanding Code layout/Design/Architecture

  1. Author - Ashish Rao

SDLC Integration

  1. Author - Andy, Ashish Rao
    1. Previous version to be updated: [[5]]

Deployment Models

Secure deployment configurations

  1. Author - Ashish Rao
    1. New Section

Metrics and code review

  1. Author - Andy
    1. Previous version to be updated: [[6]]

Source and sink reviews

  1. Author - Ashish Rao
    1. New Section

Code review Coverage

  1. Author - Open
    1. Previous version to be updated: [[7]]

Design Reviews

  1. Author - Ashish Rao
  • Why to review design?
    • Building security in design - secure by design principle
    • Design Areas to be reviewed
    • Common Design Flaws

A Risk based approach to code review

  1. Author - Renchie Joan
  2. New Section
  • "Doing things right or doing the right things..."
    • "Not all bugs are equal"

Crawling code

  1. Author - Abbas Naderi
    1. Previous version to be updated: [[8]]
  • API of Interest:
    • Java
    • .NET
    • PHP
    • Ruby
  • Frameworks:
    • Spring
    • .NET MVC
    • Struts
    • Zend
  1. New Section
  • Searching for code in C/C++
  1. Author - Gaz Robinson

Code reviews and Compliance

  1. Author - Manual Harti
    1. Previous version to be updated: [[9]]

Reviewing by Technical Control

Reviewing code for Authentication controls

  1. Author - Anand Prakash, Joan Renchie

Forgot password

  1. Author - Abbas Naderi

Authentication

  1. Author - Anand Prakash, Joan Renchie

CAPTCHA

  1. Author - Larry Conklin, Joan Renchie

Out of Band considerations

  1. Author - Open
    1. Previous version to be updated: [[10]]

Reviewing code Authorisation weakness

  1. Author - Ashish Rao

Checking authz upon every request

  1. Author - Abbas Naderi, Joan Renchie

Reducing the attack surface

  1. Author - Chris Berberich
    1. Previous version to be updated: [[11]]

Reviewing code for Session handling

  1. Author - Palak Gohil, Abbas Naderi
    1. Previous version to be updated: [[12]]

Reviewing client side code

  1. New Section

Javascript

  1. Author - Abbas Naderi

JSON

  1. Author - Open

Content Security Policy

  1. Author - Open

"Jacking"/Framing

  1. Author - Abbas Naderi

HTML 5?

  1. Author - Sebastien Gioria

Browser Defenses policy

  1. Author - Open

etc...

Review code for input validation

Regex Gotchas

  1. Author - Abbas Naderi
    1. New Section

ESAPI

  1. Author - Abbas Naderi
    1. New Section
    2. Internal Link: [[13]]

Reviewing code for contextual encoding

HTML Attribute

  1. Author - Shenai Silva

HTML Entity

  1. Author - Shenai Silva

Javascript Parameters

  1. Author - Open

JQuery

  1. Author - Abbas Naderi

Reviewing file and resource handling code

Resource Exhaustion - error handling

  1. Author - Abbas Naderi

native calls

  1. Author - Abbas Naderi

Reviewing Logging code - Detective Security

  1. Author - Palak Gohil
  • Where to Log
  • What to log
  • What not to log
  • How to log
  1. Internal link: [[14]]

Reviewing Error handling and Error messages

  1. Author - Open
    1. Previous version to be updated: [[15]]

Reviewing Security alerts

  1. Author - Open

Review for active defense

  1. Author - Colin Watson

Reviewing Secure Storage

  1. Author - Azzeddine Ramrami
    1. New Section

Hashing & Salting - When, How and Where

Encryption

.NET

  1. Author - Larry Conklin, Joan Renchie
    1. Previous version to be updated: [[16]]
  • Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao