[Owasp-codereview] Code Review Guide: Update

Paolo Perego thesp0nge at gmail.com
Thu May 29 04:57:44 EDT 2008


2008/5/28 Eoin <eoin.keary at owasp.org>:
> Hello my fellow security colleagues :)
>
> May I ask that anyone who is contributing to the OWASP Code Review Guide
> please start updating the wiki with their work :)
> This shall help in reviewing the work and brainstorming.
Hi Eoin and hi everybody.

As one of my SpoC 2008 goals is to improve the Owasp Orizon documentation,
I will take the "The Owasp Orizon Framework" section in the "Automating
Code Reviews" chapter.

In my opinion, in our guide we need to define a sort of "top 10" or
"top 5" or "top something" list of vulnerabilities, in order to give people
performing a code review some metrics to use when writing their
report.

Let me explain further. When I perform an ethical hacking engagement, I prepare
a report for my customer saying "hey, you missed Owasp Top 10 points 1, 4
and 5. Your application and your application server are prone to this
vuln and this one. Do something".

It would be great to have a group of source code vulnerability
categories (language independent), in order to give people the
opportunity to write code review reports saying "hey, your code is
missing Owasp CR Guide point 1.1 (Input Validation -> filter input in
Servlet doGet() method)".

Maybe I'll try to create a sort of our TOP 10 on the wiki, and we
can do some brainstorming about it.
What about this?

Ciao ciao
thesp0nge


-- 
Paolo Perego <thesp0nge at owasp.org>, Owasp Orizon Project leader
orizon.sourceforge.net