Difference between revisions of "OWASP Code review V2 Table of Contents"

From OWASP
Line 4: Line 4:
 
==Forward==
 
==Forward==
 
# Author - Eoin Keary
 
# Author - Eoin Keary
## Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
+
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
  
 
== Code Review Guide History ==
 
== Code Review Guide History ==
 
# Author - Eoin Keary
 
# Author - Eoin Keary
## Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
+
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
  
 
== Introduction ==
 
== Introduction ==
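Review bot: the `[[https://...]]` form used in the "Previous version to be updated" items wraps an external URL in double brackets, which MediaWiki renders as a bare numbered footnote (`[[1]]`, as in the rendered revision below) rather than a working link; use a single-bracket external link, `[https://www.owasp.org/index.php/Code_Review_Guide_History]`, or an internal page link. Changing `##` to `#` stops these items nesting under the Author item, which is fine, but the same change should then be applied to every section so the lists are consistent. The `==Forward==` heading should read "Foreword".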
Line 15: Line 15:
 
=== What is source code review and Static Analysis ===
 
=== What is source code review and Static Analysis ===
 
# Author - Zyad Mghazli
 
# Author - Zyad Mghazli
## New Section
+
# New Section
  
 
=== Manual Review - Pros and Cons ===
 
=== Manual Review - Pros and Cons ===
 
# Author - Ashish Rao
 
# Author - Ashish Rao
## New Section
+
# New Section
### Suggestion: Benchmark of different Stataic Analysis Tools  Zyad Mghazli
+
# Suggestion: Benchmark of different Stataic Analysis Tools  Zyad Mghazli
  
 
=== Why code review ===
 
=== Why code review ===
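Review bot: "Stataic" in the added Suggestion item should be "Static", and the attribution at the end of that item ("Zyad Mghazli") needs a separator such as " - " to match the other attributed notes on the page.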
Line 28: Line 28:
 
=== We can't hack ourselves secure ===
 
=== We can't hack ourselves secure ===
 
# Author - Prathamesh Mhatre
 
# Author - Prathamesh Mhatre
## New Section
+
# New Section
  
 
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
 
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
 
# Author - Ashish Rao
 
# Author - Ashish Rao
## New Section
+
# New Section
  
 
=== Can static code analyzers do it all? ===
 
=== Can static code analyzers do it all? ===
 
# Author - Ashish Rao
 
# Author - Ashish Rao
## New Section
+
# New Section
  
 
==Methodology==
 
==Methodology==
Line 43: Line 43:
 
==== Preparation and context ====
 
==== Preparation and context ====
 
# Author - Open
 
# Author - Open
## Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
 
====Application Threat Modeling====
 
====Application Threat Modeling====
 
#Author - Andy, Renchie Joan
 
#Author - Andy, Renchie Joan
## Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
+
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
 
====Understanding Code layout/Design/Architecture====
 
====Understanding Code layout/Design/Architecture====
 
#Author - Ashish Rao
 
#Author - Ashish Rao
 
===SDLC Integration===
 
===SDLC Integration===
 
#Author - Andy, Ashish Rao
 
#Author - Andy, Ashish Rao
## Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
 
====Deployment Models====
 
====Deployment Models====
 
=====Secure deployment configurations=====
 
=====Secure deployment configurations=====
 
#Author - Ashish Rao
 
#Author - Ashish Rao
## New Section
+
# New Section
 
=====Metrics and code review=====
 
=====Metrics and code review=====
 
#Author - Andy
 
#Author - Andy
Line 81: Line 81:
 
*API of Interest:
 
*API of Interest:
 
**Java
 
**Java
***.NET
+
**.NET
***PHP
+
**PHP
***RUBY
+
**RUBY
 
*Frameworks:
 
*Frameworks:
 
**Spring
 
**Spring
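Review bot: promoting .NET, PHP and RUBY from `***` to `**` makes them siblings of Java under "API of Interest", which is clearly the intended structure; "RUBY" would read better as "Ruby" to match the other language names in the outline.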
Line 94: Line 94:
 
====Code reviews and Compliance====
 
====Code reviews and Compliance====
 
#Author -Manual Harti
 
#Author -Manual Harti
## Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
  
 
==Reviewing by Techincal Control==
 
==Reviewing by Techincal Control==
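Review bot: the unchanged context heading `==Reviewing by Techincal Control==` is misspelled ("Technical") and `#Author -Manual Harti` is missing the space after the dash; both are worth fixing in the same edit since the lines are already being touched.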
Line 107: Line 107:
 
====Out of Band considerations====
 
====Out of Band considerations====
 
#Author - Open
 
#Author - Open
## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
===Reviewing code Authorisation weakness===
+
===Reviewing code Authorization weakness===
 
#Author Ashish Rao
 
#Author Ashish Rao
 
====Checking authz upon every request====
 
====Checking authz upon every request====
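Review bot: the "Previous version to be updated" link under `====Out of Band considerations====` points at Codereview-Authentication, the general authentication page, while the heading is about out-of-band controls; confirm that is the intended reference or move the link up under the authentication heading. The Authorisation to Authorization heading change is fine.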
Line 139: Line 139:
 
=====ESAPI=====
 
=====ESAPI=====
 
#Author - Abbas Naderi
 
#Author - Abbas Naderi
##New Section
+
#New Section
## Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
+
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 
====Reviewing code for contextual encoding====
 
====Reviewing code for contextual encoding====
 
=====HTML Attribute=====
 
=====HTML Attribute=====
Line 165: Line 165:
 
====Reviewing Error handling and Error messages====
 
====Reviewing Error handling and Error messages====
 
#Author - Open
 
#Author - Open
## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
 
====Reviewing Security alerts====
 
====Reviewing Security alerts====
 
#Author - Open
 
#Author - Open
Line 173: Line 173:
 
====Reviewing Secure Storage====
 
====Reviewing Secure Storage====
 
#Author - Azzeddine Ramrami
 
#Author - Azzeddine Ramrami
##New Section
+
# New Section
 
====Hashing & Salting - When, How and Where====
 
====Hashing & Salting - When, How and Where====
 
=====Encrpyption=====
 
=====Encrpyption=====
 
======.NET======
 
======.NET======
 
#Author Larry Conklin, Joan Renchie
 
#Author Larry Conklin, Joan Renchie
## Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
+
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
 
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
 
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
 +
==Reviewing by Vulnerability==
 +
===Review Code for XSS===
 +
#Author Palak Gohil, Anand Prakash
 +
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
 +
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
 +
===Persistent - The Anti pattern===
 +
#Author Abbas Naderi
 +
====.NET====
 +
#Author Johanna Curiel, Renchie Joan
 +
====.Java====
 +
#Author Palak Gohil
 +
====PHP====
 +
#Author Mohammed Damavandi, Abbas Naderi
 +
====Ruby====
 +
#Author Chris Berberich
 +
===Reflected - The Anti pattern===
 +
====.NET====
 +
#Author Johanna Curiel, Renchie Joan
 +
====.Java====
 +
#Author Palak Gohil
 +
====PHP====
 +
#Author Mohammed Damavandi, Abbas Naderi
 +
====Ruby====
 +
===Stored - The Anti pattern===
 +
====.NET====
 +
#Author Johanna Curiel, Renchie Joan
 +
====.Java====
 +
#Author Palak Gohil
 +
====PHP====
 +
#Author Mohammed Damavandi, Abbas Naderi
 +
====Ruby====
 +
===DOM XSS ===
 +
#Author Larry Conklin
 +
===JQuery mistakes===
 +
#Author Shenal Silva
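Review bot: in the new "Reviewing by Vulnerability" section the `====.Java====` headings carry a stray leading dot (only .NET takes one), the Ruby subsections under Reflected and Stored have no Author item unlike the one under Persistent, and "wrf to difference versions" in the XSS note should read "wrt different versions". The unchanged context heading `=====Encrpyption=====` is also misspelled.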

Revision as of 18:01, 21 April 2013

OWASP Code Review Guide v2.0:

Foreword

  1. Author - Eoin Keary
  2. Previous version to be updated: https://www.owasp.org/index.php/Code_Review_Guide_History

Code Review Guide History

  1. Author - Eoin Keary
  2. Previous version to be updated: https://www.owasp.org/index.php/Code_Review_Introduction

Introduction

  1. Author - Eoin Keary

What is source code review and Static Analysis

  1. Author - Zyad Mghazli
  2. New Section

Manual Review - Pros and Cons

  1. Author - Ashish Rao
  2. New Section
  3. Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli

Why code review

Scope and Objective of secure code review

  1. Author - Ashish Rao

We can't hack ourselves secure

  1. Author - Prathamesh Mhatre
  2. New Section

360 Review: Coupling source code review and Testing / Hybrid Reviews

  1. Author - Ashish Rao
  2. New Section

Can static code analyzers do it all?

  1. Author - Ashish Rao
  2. New Section

Methodology

The code review approach

  1. Author - Prathamesh Mhatre

Preparation and context

  1. Author - Open
  2. Previous version to be updated: https://www.owasp.org/index.php/Code_Review_Preparation

Application Threat Modeling

  1. Author - Andy, Renchie Joan
  2. Previous version to be updated: https://www.owasp.org/OCRG1.1:Application_Threat_Modeling

Understanding Code layout/Design/Architecture

  1. Author - Ashish Rao

SDLC Integration

  1. Author - Andy, Ashish Rao
  2. Previous version to be updated: https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC

Deployment Models

Secure deployment configurations

  1. Author - Ashish Rao
  2. New Section

Metrics and code review

  1. Author - Andy
  2. Previous version to be updated: [[6]]

Source and sink reviews

  1. Author - Ashish Rao
  2. New Section

Code review Coverage

  1. Author - Open
  2. Previous version to be updated: [[7]]

Design Reviews

  1. Author - Ashish Rao
  • Why to review design?
    • Building security in design - secure by design principle
    • Design Areas to be reviewed
    • Common Design Flaws

A Risk based approach to code review

  1. Author - Renchie Joan
  2. New Section
  • "Doing things right or doing the right things..."
    • "Not all bugs are equal"

Crawling code

  1. Author - Abbas Naderi
  2. Previous version to be updated: [[8]]
  • API of Interest:
    • Java
    • .NET
    • PHP
    • Ruby
  • Frameworks:
    • Spring
    • .NET MVC
    • Struts
    • Zend

Searching for code in C/C++

  1. Author - Gaz Robinson
  2. New Section

Code reviews and Compliance

  1. Author - Manual Harti
  2. Previous version to be updated: https://www.owasp.org/index.php/Code_Reviews_and_Compliance

Reviewing by Technical Control

Reviewing code for Authentication controls

  1. Author - Anand Prakash, Joan Renchie

Forgot password

  1. Author Abbas Naderi

Authentication

  1. Author - Anand Prakash, Joan Renchie

CAPTCHA

  1. Author Larry Conklin, Joan Renchie

Out of Band considerations

  1. Author - Open
  2. Previous version to be updated: https://www.owasp.org/index.php/Codereview-Authentication

Reviewing code Authorization weakness

  1. Author Ashish Rao

Checking authz upon every request

  1. Author - Abbas Naderi, Joan Renchie

Reducing the attack surface

  1. Author Chris Berberich
  2. Previous version to be updated: [[11]]

Reviewing code for Session handling

  1. Author - Palak Gohil, Abbas Naderi
  2. Previous version to be updated: [[12]]

Reviewing client side code

  1. New Section

Javascript

  1. Author - Abbas Naderi

JSON

  1. Author - Open

Content Security Policy

  1. Author - Open

"Jacking"/Framing

  1. Author - Abbas Naderi

HTML 5?

  1. Author - Sebastien Gioria

Browser Defenses policy

  1. Author - Open

etc...

Review code for input validation

Regex Gotchas

  1. Author - Abbas Naderi
  2. New Section

ESAPI

  1. Author - Abbas Naderi
  2. New Section
  3. Internal Link: https://www.owasp.org/index.php/Codereview-Input_Validation

Reviewing code for contextual encoding

HTML Attribute

  1. Author - Shenal Silva

HTML Entity

  1. Author - Shenal Silva

Javascript Parameters

  1. Author - Open

jQuery

  1. Author - Abbas Naderi

Reviewing file and resource handling code

Resource Exhaustion - error handling

  1. Author - Abbas Naderi

Native calls

  1. Author Abbas Naderi

Reviewing Logging code - Detective Security

  1. Author - Palak Gohil
  2. Internal link: [[14]]
  • Where to Log
  • What to log
  • What not to log
  • How to log

Reviewing Error handling and Error messages

  1. Author - Open
  2. Previous version to be updated: https://www.owasp.org/index.php/Codereview-Error-Handling

Reviewing Security alerts

  1. Author - Open

Review for active defense

  1. Author - Colin Watson

Reviewing Secure Storage

  1. Author - Azzeddine Ramrami
  2. New Section

Hashing & Salting - When, How and Where

Encryption

.NET

  1. Author Larry Conklin, Joan Renchie
  2. Previous version to be updated: https://www.owasp.org/index.php/Codereview-Cryptographic_Controls
  • Can we talk about key storage as well, i.e. key management for encryption techniques used in the application? - Ashish Rao

Reviewing by Vulnerability

Review Code for XSS

  1. Author Palak Gohil, Anand Prakash
  2. Previous version to be updated: https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting
  3. In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrt different versions and mechanisms to display data in a page - Ashish Rao

Persistent - The Anti pattern

  1. Author Abbas Naderi

.NET

  1. Author Johanna Curiel, Renchie Joan

Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

  1. Author Chris Berberich

Reflected - The Anti pattern

.NET

  1. Author Johanna Curiel, Renchie Joan

Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

Stored - The Anti pattern

.NET

  1. Author Johanna Curiel, Renchie Joan

Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

DOM XSS

  1. Author Larry Conklin

jQuery mistakes

  1. Author Shenal Silva