[Owasp-codereview] Code Review Guide: Update

Paolo Perego thesp0nge at gmail.com
Thu May 29 06:02:50 EDT 2008

Sure I'll do. Also with Dinis in Ghent we made the parallelism "ESAPI
project is the software adverse party to Owasp Top 10 guide" and
"Orizon is the software adverse party to Owasp CR Guide"

I'll keep myself in charge also in these two things:
a) creating a category list in order to describe the security checks a
CR tool or a Code reviewer needs to check. Something like
   O_CR_1: Input validation
       O_CR_1_1: XSS
            O_CR_1_1_1: On a Java servlet perform input validation
over doGet() method
       O_CR_1_2: Sql Injection
And things like this. Of course this "Top 10" is really live and it
will grow in the time. I think it would be usefull when evaluating a
CR tool, just to say "Ok i'll use this one because it performs 20
checks out of the 40 described in the code review guide"

Of course this will be used also in Orizon project to be the official
owasp security check library

b) helping you Eoin to formalize somemetrics in order to score a
source file when performing a code review. We can use the
aformentioned list in order to assign a score to a source on the basis
of how many "category checks" it fails. This will try to answer the
question "how much is secure this piece of code".

I'll put on the wiki my ideas ASAP. Of course people... I need your help :)

Claim: Two s3xy guides, is better than one.

Ciao ciao
2008/5/29 Eoin <eoin.keary at owasp.org>:
> Paolo,
> this is great news as it is the right place for Orizon documentation. Think
> of the code review guide as a supporting book for the Orizon tool. This is
> something other tools don't have, a complete guide discussing the theory and
> practical aspects of code review and also a guide on how to use the Orizon
> tool.
> Its a perfect interconnect between an OWASP tool and one of the trinity of
> OWASP guides.
> Can you update the wiki when as you go so we can all see the progress and
> help review.
> thanks,
> Eoin
> On 29/05/2008, Paolo Perego <thesp0nge at gmail.com> wrote:
>> 2008/5/28 Eoin <eoin.keary at owasp.org>:
>> > Hello my fellow security colleagues :)
>> >
>> > May I ask that anyone which is contributing to the OWASP Code review
>> > guide
>> > please start updating the wiki with their work :)
>> > This shall help in reviewing the work and brainstorming.
>> Hi Eoin and Hi everybody.
>> As one of my Spoc 2008 goals is to improve Owasp Orizon documentation,
>> I take the "The Owasp Orizon Framework" section in the "Automating
>> Code Reviews" chapter.
>> In my opinion in our guide we need to define a sort of "top 10" or
>> "top 5" or "top something" vulnerabilities in order to give people
>> performing a code review some metrics in order to perform their
>> report.
>> Let me explain further. When I perform an Ethical Hacking I prepare
>> report to my customer saying "hey, you missed Owasp Top 10 point 1, 4
>> and 5. Your application and your application server are prone to this
>> vuln and this one. Do something".
>> It would be great having a group of source code vulnerability
>> categories (language independent) in order to give people the
>> opportunity to make code review reports saying "hey, your code is
>> missing Owasp CR Guide point 1.1 (Input Validation -> filter input in
>> Servlet doGet() method)".
>> May be I'll try to create over the wiki a sort of our TOP 10 and we
>> can make some brainstorming about this.
>> What about this?
>> Ciao ciao
>> thesp0nge
>> --
>> Paolo Perego <thesp0nge at owasp.org>, Owasp Orizon Project leader
>> orizon.sourceforge.net
>> _______________________________________________
>> Owasp-codereview mailing list
>> Owasp-codereview at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-codereview
> --
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Code_Review_Project

Owasp Orizon leader

More information about the Owasp-codereview mailing list