The Owasp Code Review Top 9

From OWASP
Revision as of 08:56, 4 June 2008 by Thesp0nge (Talk | contribs)

Jump to: navigation, search
OWASP Code Review Guide Table of Contents

Contents


Preface

In this section, we will try to organize the most critical security flaws you can find during a code review in order to have a finite set of categories to evaluate the whole code review process.

needs more details here

The 7 flaw categories

In term of source code security, source code vulnerabilities can be managed in million of ways.

Source code vulnerabilities must reflect Owasp Top 10 recommendations. Applications are made of source so, in some way source code flaws can be re conducted to flaws in application.

needs more details here

Here you can find the seventh source code flaw categories:

  • Input validation
  • Source code design
  • Information leakage and improper error handling
  • Direct object reference
  • Resource usage
  • API usage
  • Best practices violation

As you may see 3 categories out of 7 are equals to the correspondent Owasp Top 10 key point.

Let's go more in detail going deeper in describing the source code flaw categories.

Input validation

This flaw categories is the source code counterpart of the Owasp Top 10 A1 category.

The check's families contained in this category are all the ones tied to the missing validation of input data submitted by user and that they will reflect in a Owasp Top 10 A1 violation.

In this category the follow security flaw family are contained:

  • Input validation
    • Cross site scripting
    • SQL Injection
    • XPATH Injection
    • LDAP Injection
    • Cross site request forgery
    • Buffer overflow
    • Format bug

Source code design

Security in source code starts from design and from the choices made

Information leakage and improper error handling

Direct object reference

Resource usage

API usage

Best practices violation