Difference between revisions of "OWASP Code review V2 Table of Contents"

From OWASP
Jump to: navigation, search
Line 10: Line 10:
 
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
 
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
  
== Introduction ==
+
= Introduction =
 
# Author - Eoin Keary
 
# Author - Eoin Keary
  
Line 95: Line 95:
 
#Author -Manual Harti
 
#Author -Manual Harti
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
 
+
=Reviewing by Techincal Control=
==Reviewing by Techincal Control==
+
 
===Reviewing code for Authentication controls===
 
===Reviewing code for Authentication controls===
 
#Author - Anand Prakash, Joan Renchie
 
#Author - Anand Prakash, Joan Renchie
Line 180: Line 179:
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
 
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
 
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
==Reviewing by Vulnerability==
+
=Reviewing by Vulnerability=
 
===Review Code for XSS===
 
===Review Code for XSS===
 
#Author Palak Gohil, Anand Prakash
 
#Author Palak Gohil, Anand Prakash

Revision as of 20:33, 22 April 2013

Contents

OWASP Code Review Guide v2.0:

Forward

  1. Author - Eoin Keary
  2. Previous version to be updated:[[1]]

Code Review Guide History

  1. Author - Eoin Keary
  2. Previous version to be updated:[[2]]

Introduction

  1. Author - Eoin Keary

What is source code review and Static Analysis

  1. Author - Zyad Mghazli
  2. New Section

Manual Review - Pros and Cons

  1. Author - Ashish Rao
  2. New Section
  3. Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli

Why code review

Scope and Objective of secure code review

  1. Author - Ashish Rao

We can't hack ourselves secure

  1. Author - Prathamesh Mhatre
  2. New Section

360 Review: Coupling source code review and Testing / Hybrid Reviews

  1. Author - Ashish Rao
  2. New Section

Can static code analyzers do it all?

  1. Author - Ashish Rao
  2. New Section

Methodology

The code review approach

  1. Author - Prathamesh Mhatre

Preparation and context

  1. Author - Open
  2. Previous version to be updated: [[3]]

Application Threat Modeling

  1. Author - Andy, Renchie Joan
  2. Previous version to be updated: [[4]]

Understanding Code layout/Design/Architecture

  1. Author - Ashish Rao

SDLC Integration

  1. Author - Andy, Ashish Rao
  2. Previous version to be updated: [[5]]

Deployment Models

Secure deployment configurations
  1. Author - Ashish Rao
  2. New Section
Metrics and code review
  1. Author - Andy
  2. Previous version to be updated: [[6]]
Source and sink reviews
  1. Author - Ashish Rao
  2. New Section
Code review Coverage
  1. Author - Open
  2. Previous version to be updated: [[7]]
Design Reviews
  1. Author - Ashish Rao
  • Why to review design?
    • Building security in design - secure by design principle
    • Design Areas to be reviewed
    • Common Design Flaws
A Risk based approach to code review
  1. Author - Renchie Joan
  2. New Section
  • "Doing things right or doing the right things..."
    • "Not all bugs are equal

Crawling code

  1. Author - Abbas Naderi
  2. Previous version to be updated: [[8]]
  • API of Interest:
    • Java
    • .NET
    • PHP
    • RUBY
  • Frameworks:
    • Spring
    • .NET MVC
    • Structs
    • Zend
  1. New Section
  • Searching for code in C/C++
  1. Author - Gaz Robinson

Code reviews and Compliance

  1. Author -Manual Harti
  2. Previous version to be updated: [[9]]

Reviewing by Techincal Control

Reviewing code for Authentication controls

  1. Author - Anand Prakash, Joan Renchie

Forgot password

  1. Author Abbas Naderi

Authentication

  1. Author - Anand Prakash, Joan Renchie

CAPTHCA

  1. Author Larry Conklin, Joan Renchie

Out of Band considerations

  1. Author - Open
  2. Previous version to be updated: [[10]]

Reviewing code Authorization weakness

  1. Author Ashish Rao

Checking authz upon every request

  1. Author - Abbas Naderi, Joan Renchie

Reducing the attack surface

  1. Author Chris Berberich
  2. Previous version to be updated: [[11]]

Reviewing code for Session handling

  1. Author - Palak Gohil, Abbas Naderi
  2. Previous version to be updated: [[12]]

Reviewing client side code

  1. New Section
Javascript
  1. Author - Abbas Naderi
JSON
  1. Author - Open
Content Security Policy
  1. Author - Open
"Jacking"/Framing
  1. Author - Abbas Naderi
HTML 5?
  1. Author - Sebastien Gioria
Browser Defenses policy
  1. Author - Open
etc...

Review code for input validation

  1. Author - Open
Regex Gotchas
  1. Author - Abbas Naderi
  2. New Section
ESAPI
  1. Author - Abbas Naderi
  2. New Section
  3. Internal Link: [[13]]

Reviewing code for contextual encoding

HTML Attribute
  1. Author - Shenai Silva
HTML Entity
  1. Author - Shenai Silva
Javascript Parameters
  1. Author - Open
JQuery
  1. Author - Abbas Naderi

Reviewing file and resource handling code

  1. Author - Open

=Resource Exhaustion - error handling

  1. Author - Abbas Naderi
native calls
  1. Author Abbas Naderi

Reviewing Logging code - Detective Security

  1. Author - Palak Gohil
  • Where to Log
  • What to log
  • What not to log
  • How to log
  1. Internal link: [[14]]

Reviewing Error handling and Error messages

  1. Author - Open
  2. Previous version to be updated: [[15]]

Reviewing Security alerts

  1. Author - Open

Review for active defense

  1. Author - Colin Watson

Reviewing Secure Storage

  1. Author - Azzeddine Ramrami
  2. New Section

Hashing & Salting - When, How and Where

Encrpyption
.NET
  1. Author Larry Conklin, Joan Renchie
  2. Previous version to be updated: [[16]]
  • Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao

Reviewing by Vulnerability

Review Code for XSS

  1. Author Palak Gohil, Anand Prakash
  2. Previous version to be updated: [[17]]
  3. In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao

Persistent - The Anti pattern

  1. Author Abbas Naderi

.NET

  1. Author Johanna Curiel, Renchie Joan

.Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

  1. Author Chris Berberich

Reflected - The Anti pattern

.NET

  1. Author Johanna Curiel, Renchie Joan

.Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

Stored - The Anti pattern

.NET

  1. Author Johanna Curiel, Renchie Joan

.Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

DOM XSS

  1. Author Larry Conklin

JQuery mistakes

  1. Author Shenal Silva

===Reviewing code for SQL Injection

  1. Author Palak Gohil, Renchie Joan
  2. Previous version to be updated: [[18]]

PHP

  1. Author - Open

Java

  1. Author - Open

.NET

  1. Author - Open

HQL

  1. Author - Open

The Anti pattern

PHP

  1. Author - Mohammad Damavandi, Abbas Naderi

Java

  1. Author - Palak Gohil
  2. => Searching for traditional SQL,JPA,JPSQL,Criteria,...

.NET

  1. Author Johanna Curiel, Renchie Joan

Ruby

  1. Author - Open

Cold Fusion

  1. Author - Open

Reviewing code for CSRF Issues

  1. Author Palak Gohil,Anand Prakash, Abbas Naderi
  2. Previous version to be updated: [[19]]

Transactional logic / Non idempotent functions / State Changing Functions

  1. Author Abbas Naderi

Reviewing code for poor logic /Business logic/Complex authorization

  1. Author - Open

Reviewing Secure Communications

.NET Config

  1. Author Johanna Curiel, Renchie Joan

Spring Config

  1. Author - Open

HTTP Headers

  1. Author Gregory Disney, Abbas Naderi
CSP
  1. Author Gregory Disney
HSTS
  1. Author Abbas Naderi

Tech-Stack pitfalls

  1. Author Gregory Disney

Framework specific Issues

Spring

  1. Author - Open

Structs

  1. Author - Open

Drupal

  1. Author Gregory Disney

Ruby on Rails

  1. Author - Open

Django

  1. Author Gregory Disney

.NET Security / MVC

  1. Author Johanna Curiel, Renchie Joan

Security in ASP.NET applications

  1. Author Johanna Curiel, Renchie Joan
Strongly Named Assemblies
  1. Author Johanna Curiel, Renchie Joan
Round Tripping
How to prevent Round tripping
  1. Author Johanna Curiel, Renchie Joan
Setting the right Configurations
  1. Author Johanna Curiel, Renchie Joan
Authentication Options
  1. Author Johanna Curiel, Renchie Joan
Code Review for Managed Code - .Net 1.0 and up
  1. Author Johanna Curiel, Renchie Joan
Using OWASP Top 10 as your guideline
  1. Author Johanna Curiel, Renchie Joan
Code review for Unsafe Code (C#)
  1. Author Johanna Curiel, Renchie Joan

PHP Specific Issues

  1. Author Mohammad Damavandi, Abbas Naderi

Classic ASP

  1. Author Johanna Curiel

C#

  1. Author Johanna Curiel, Renchie Joan

C/C++

  1. Author Gaz Robinson

Objective C

  1. Author Open

Java

  1. Author Palak Gohil

Android

  1. Author Open

Coldfusion

  1. Author Open

Security code review for Agile development

  1. Author Open

Willing to review drafts

  1. Terry Nerpester
  2. Larry Conklin