[GPC] OWASP code review guide V2.0

Jason Li jason.li at owasp.org
Tue Jul 27 16:58:01 EDT 2010


Eoin,

Looks like a very ambitious roadmap! :-)

With regards to the ESAPI/O2 section, does it make better sense to
make them separate add-on appendices that the ESAPI/O2 projects
respectively can contribute to independently of the overall Code
Review Guide?

Good luck - let us know if there's anything you need.

GPC - since Eoin has provided a specific target release date, let's
make sure to leave room in our personal schedules in the January time
frame to review the Code Review Guide so we can help him advance the
CRG as quickly as possible. We should do the same for any other
projects going forward that provide a target date for a release cycle.

-Jason

On Tue, Jul 27, 2010 at 4:35 PM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
> GPC,
>
> Please see below for your information.
>
> Thanks,
>
> Paulo Coimbra,
> OWASP Project Manager
>
> From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
> Sent: Tuesday, 27 July 2010 21:37
> To: <paulo.coimbra at owasp.org>; Owasp-codereview at lists.owasp.org; OWASP
> Foundation Board List; Alessio Marziali; dinis cruz
> Subject: OWASP code review guide V2.0
>
> Hi Paulo,
>
> can you inform the GPC of my intention to produce a new version of the code
> review guide by January 2011. This is the same time the testing guide shall
> be released.
>
> Major enhancements:
>
> Introduction to be re-written.
> Approach to code review (risk-based approach) to be re-written and redesigned.
> Examples by vulnerability and technical control to be expanded and refined.
> Common numbering nomenclature to be used.
> Cross-reference to TG and ASVS to be done.
> New sections on tools to be introduced.
> Expand technology-specific sections.
> Section on RIA (Rich Internet Applications) to be introduced.
> WebServices section to be refined.
> Malware and rootkit sections to be introduced.
> PCI section to be rewritten with more cross-references to other guides.
>
> Other ideas:
>
> ESAPI section: how to review OWASP ESAPI implementations?
> Risk-based approach vs. ASVS levels.
> Threat modeling and triage chapters to be revised.
> OWASP O2 section on O2 rules definition and development.
> Crawling code: additional search vectors to be added.
> Section on Code Crawler, quick start & configuration guide.
>
> Suggestions, comments, ideas?
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee