[Owasp-codereview] Application Security Code Review using OWASP Resources

monror at comcast.net
Wed Jul 23 14:31:08 EDT 2008

Does anyone know how to get the "PHP charset encoder"?

-------------- Original message -------------- 
From: Eoin <eoinkeary at gmail.com> 

Read the methodology part of the code review guide, that may help

On 04/07/2008, Joshua Perrymon <josh at packetfocus.com> wrote: 
Hey Guys,

We have been asked to perform a code review for a new client next month. Most of my experience has been with black-box pentesting, so I'm putting together our code review methodology and putting resources together now.

I'm thinking of doing this in a 4 step process

1- Documentation gathering, business/data flow, input identification, code identification
a. The first step is to understand the application and the data flow, understand who is using the application, what code should be reviewed, and to gather appropriate documentation, code, and config files
2- Content Analysis
a. Mirror the site to look for broken links, comments, JavaScript, forms, etc.
3- Strategic Review
a. Use the OWASP Secure Application Development checklist to identify strategic controls (if implemented)
4- Code Review
a. Review the code using a mixture of OWASP top 10 2004-2007 as needed for older classic ASP sites.
b. Combine with white-box pentesting to validate findings and controls
c. Use testing guide and code review guide as supporting documents
d. Use OWASP tools such as code review tool, LAPSE, TIGER, etc.

I may look at combining items #1-#2 as they are similar.

Is this sufficient for a smaller/medium sized financial institution? It's much more detailed than they had in the scope of work.

Joshua Perrymon, CEH, OPST, OPSA
CEO PacketFocus LLC
Josh at packetfocus.com

President Alabama OWASP Chapter www.owasp.org
Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com

Owasp-codereview mailing list
Owasp-codereview at lists.owasp.org

Eoin Keary OWASP - Ireland
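Steps 1 and 2 of the methodology quoted above (input identification, then mirroring the site to inventory comments, JavaScript and forms) can be partly automated over a saved mirror. The following is an added Python example, not code from the thread or from any OWASP tool: it parses one mirrored HTML page and produces the inventory a reviewer carries into the strategic and code review steps, flagging hidden fields, password fields in GET forms and off-host scripts. The page and the bank.example.com URLs are constructed for the example; in practice each file of the mirror would be fed through it.

```python
"""Content-analysis inventory for one mirrored HTML page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PageInventory(HTMLParser):
    """Collect HTML comments, forms (with inputs), script sources and links."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.comments = []       # text of <!-- --> comments (often leak paths)
        self.forms = []          # dicts: action (absolute), method, inputs
        self.scripts = []        # absolute URLs of external <script src>
        self.links = []          # absolute hrefs of <a> tags
        self._form = None        # form currently being parsed, if any

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute names are already lower-cased
        if tag == "form":
            self._form = {
                "action": urljoin(self.base_url, a.get("action", "")),
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            # an <input> without a type attribute is a text field
            self._form["inputs"].append(
                (a.get("name", ""), (a.get("type") or "text").lower()))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base_url, a["src"]))
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def analyze_page(html, base_url):
    """Parse one page and return its inventory plus reviewer follow-up flags."""
    inv = PageInventory(base_url)
    inv.feed(html)
    inv.close()
    flags = []
    for form in inv.forms:
        types = {t for _, t in form["inputs"]}
        if form["method"] == "get" and "password" in types:
            # credentials in a query string end up in logs and history
            flags.append(("password-in-get-form", form["action"]))
        for name, typ in form["inputs"]:
            if typ == "hidden":
                # client-controlled; the server must not trust its value
                flags.append(("hidden-field", form["action"] + " " + name))
    own_host = urlparse(base_url).netloc
    for src in inv.scripts:
        if urlparse(src).netloc != own_host:
            flags.append(("external-script", src))
    return {
        "comments": inv.comments,
        "forms": inv.forms,
        "scripts": inv.scripts,
        "links": inv.links,
        "flags": flags,
    }


# Constructed sample page standing in for one file of a site mirror.
BASE_URL = "https://bank.example.com/index.asp"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<!-- TODO: remove debug login at /admin/debug.asp before go-live -->
<form action="/login.asp" method="GET">
  <input name="user" type="text"><input name="pass" type="password">
</form>
<form action="/transfer.asp" method="post">
  <input name="acct" type="hidden" value="12345"><input name="amount">
</form>
<a href="/statements.asp">Statements</a>
<a href="http://partner.example.org/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    result = analyze_page(SAMPLE_HTML, BASE_URL)
    for key in ("comments", "scripts", "links"):
        print(key, result[key])
    for form in result["forms"]:
        print("form", form["method"].upper(), form["action"], form["inputs"])
    for kind, detail in result["flags"]:
        print("FLAG", kind, detail)
```

The inventory gives the input list for step 1 (every form field, including hidden ones, is a server-side input to trace in the code), and the flags are the items that go straight onto the review worklist rather than findings in themselves.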
-------------- next part --------------
An embedded message was scrubbed...
From: Eoin <eoinkeary at gmail.com>
Subject: Re: [Owasp-codereview] Application Security Code Review using OWASP
Date: Tue, 8 Jul 2008 12:03:29 +0000
