OWASP Code review V2 Table of Contents

From OWASP
Revision as of 21:47, 21 April 2013 by Larry Conklin (Talk | contribs)


OWASP Code Review Guide v2.0:

Foreword

  1. Author - Eoin Keary
  2. Previous version to be updated: [[1]]

Code Review Guide History

  1. Author - Eoin Keary
  2. Previous version to be updated: [[2]]

Introduction

  1. Author - Eoin Keary

What is source code review and Static Analysis

  1. Author - Zyad Mghazli
  2. New Section

Manual Review - Pros and Cons

  1. Author - Ashish Rao
  2. New Section
  3. Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli

Why code review

Scope and Objective of secure code review

  1. Author - Ashish Rao

We can't hack ourselves secure

  1. Author - Prathamesh Mhatre
  2. New Section

360 Review: Coupling source code review and Testing / Hybrid Reviews

  1. Author - Ashish Rao
  2. New Section

Can static code analyzers do it all?

  1. Author - Ashish Rao
  2. New Section

Methodology

The code review approach

  1. Author - Prathamesh Mhatre

Preparation and context

  1. Author - Open
  2. Previous version to be updated: [[3]]

Application Threat Modeling

  1. Author - Andy, Renchie Joan
  2. Previous version to be updated: [[4]]

Understanding Code layout/Design/Architecture

  1. Author - Ashish Rao

SDLC Integration

  1. Author - Andy, Ashish Rao
  2. Previous version to be updated: [[5]]

Deployment Models

Secure deployment configurations

  1. Author - Ashish Rao
  2. New Section

Metrics and code review

  1. Author - Andy
  2. Previous version to be updated: [[6]]

Source and sink reviews

  1. Author - Ashish Rao
  2. New Section

Code review Coverage

  1. Author - Open
  2. Previous version to be updated: [[7]]

Design Reviews

  1. Author - Ashish Rao
  • Why review design?
    • Building security in design - secure by design principle
    • Design Areas to be reviewed
    • Common Design Flaws

A Risk-based approach to code review

  1. Author - Renchie Joan
  2. New Section
  • "Doing things right or doing the right things..."
    • "Not all bugs are equal"

Crawling code

  1. Author - Abbas Naderi
  2. Previous version to be updated: [[8]]
  • API of Interest:
    • Java
    • .NET
    • PHP
    • RUBY
  • Frameworks:
    • Spring
    • .NET MVC
    • Struts
    • Zend
  3. New Section

Searching for code in C/C++

  1. Author - Gaz Robinson

Code reviews and Compliance

  1. Author - Manual Harti
  2. Previous version to be updated: [[9]]

Reviewing by Technical Control

Reviewing code for Authentication controls

  1. Author - Anand Prakash, Joan Renchie

Forgot password

  1. Author Abbas Naderi

Authentication

  1. Author - Anand Prakash, Joan Renchie

CAPTCHA

  1. Author Larry Conklin, Joan Renchie

Out of Band considerations

  1. Author - Open
  2. Previous version to be updated: [[10]]

Reviewing code for Authorization weaknesses

  1. Author Ashish Rao

Checking authz upon every request

  1. Author - Abbas Naderi, Joan Renchie

Reducing the attack surface

  1. Author Chris Berberich
  2. Previous version to be updated: [[11]]

Reviewing code for Session handling

  1. Author - Palak Gohil, Abbas Naderi
  2. Previous version to be updated: [[12]]

Reviewing client side code

  1. New Section

Javascript

  1. Author - Abbas Naderi

JSON

  1. Author - Open

Content Security Policy

  1. Author - Open

"Jacking"/Framing

  1. Author - Abbas Naderi

HTML 5?

  1. Author - Sebastien Gioria

Browser Defenses policy

  1. Author - Open

etc...

Review code for input validation

  1. Author - Open

Regex Gotchas

  1. Author - Abbas Naderi
  2. New Section

ESAPI

  1. Author - Abbas Naderi
  2. New Section
  3. Internal Link: [[13]]

Reviewing code for contextual encoding

HTML Attribute

  1. Author - Shenai Silva

HTML Entity

  1. Author - Shenai Silva

Javascript Parameters

  1. Author - Open

JQuery

  1. Author - Abbas Naderi

Reviewing file and resource handling code

  1. Author - Open

Resource Exhaustion - error handling

  1. Author - Abbas Naderi

Native calls

  1. Author - Abbas Naderi

Reviewing Logging code - Detective Security

  1. Author - Palak Gohil
  • Where to Log
  • What to log
  • What not to log
  • How to log
  2. Internal link: [[14]]

Reviewing Error handling and Error messages

  1. Author - Open
  2. Previous version to be updated: [[15]]

Reviewing Security alerts

  1. Author - Open

Review for active defense

  1. Author - Colin Watson

Reviewing Secure Storage

  1. Author - Azzeddine Ramrami
  2. New Section

Hashing & Salting - When, How and Where

Encryption

.NET

  1. Author - Larry Conklin, Joan Renchie
  2. Previous version to be updated: [[16]]
  • Can we talk about key storage as well, i.e. key management for encryption techniques used in the application? - Ashish Rao

Reviewing by Vulnerability

Review Code for XSS

  1. Author Palak Gohil, Anand Prakash
  2. Previous version to be updated: [[17]]
  3. In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET w.r.t. different versions and mechanisms to display data in a page - Ashish Rao

Persistent - The Anti pattern

  1. Author Abbas Naderi

.NET

  1. Author Johanna Curiel, Renchie Joan

Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

  1. Author Chris Berberich

Reflected - The Anti pattern

.NET

  1. Author Johanna Curiel, Renchie Joan

Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

Stored - The Anti pattern

.NET

  1. Author Johanna Curiel, Renchie Joan

Java

  1. Author Palak Gohil

PHP

  1. Author Mohammed Damavandi, Abbas Naderi

Ruby

DOM XSS

  1. Author Larry Conklin

JQuery mistakes

  1. Author Shenal Silva