[Owasp-codereview] Code Review Project 2.0

Larry Conklin larry.conklin at owasp.org
Mon Feb 18 01:37:37 UTC 2013


Looking for volunteers for the Code Review 2.0 project. Below are the open
tasks that have not been assigned to anyone yet. If you have any questions about
how you can contribute or about a particular task, please ask Eoin Keary, the
Technical Leader for this project, or myself.


*OWASP Code Review Guide V2.0 Open Tasks as of 2/17/2013.*

·      *Methodology:*

1.     Deployment Models

2.     Source and Sink reviews

3.     Code Review Coverage

Previous Version to be updated:

*https://www.owasp.org/index.php/Security_Code_Review_Coverage*

4.     A Risk based approach to code review.

“Doing things right or doing the right things...”

“Not all bugs are equal”

5.     Crawling code

Previous Version to be updated:

https://www.owasp.org/index.php/Crawling_Code

a.     APIs of interest: Java/.NET/PHP/Ruby

b.     Frameworks: Spring/.NET MVC/Struts/Zend

6.     Code Reviews and Compliance

Previous Version to be updated:

*https://www.owasp.org/index.php/Code_Reviews_and_Compliance*



·      *Reviewing by Technical Control*

1.     Reviewing code for Authentication controls

Forgot password

Authentication

CAPTCHA

Out of Band considerations

Previous Version to be updated

2.     Reviewing code for Authorization weakness

Checking authorization upon every request

Reducing the attack surface

Previous Version to be updated

https://www.owasp.org/index.php/Codereview-Authorization

3.     Reviewing client-side code <NEW>

JavaScript

JSON

Content Security Policy

“Jacking”/Framing

etc...

4.     Reviewing code for input validation

Regex Gotchas <NEW>

ESAPI <NEW>

https://www.owasp.org/index.php/Codereview-Input_Validation

5.     Reviewing code for contextual encoding <NEW>

HTML Attribute

HTML Entity

JavaScript Parameters

jQuery

6.     Reviewing file and resource handling code

Resource Exhaustion - error handling

Native calls

7.     Reviewing Error handling and Error messages

Previous version to be updated

https://www.owasp.org/index.php/Codereview-Error-Handling

8.     Reviewing Security alerts <???>

9.     Reviewing Secure Storage <New>

Hashing & Salting - When, How and Where

Encryption

Previous version to be updated

https://www.owasp.org/index.php/Codereview-Cryptographic_Controls



·      Reviewing by Vulnerability

1.     Persistent - The Anti pattern

.NET

Ruby

2.     Reflected - The Anti pattern

.NET

Ruby

3.     Stored - The Anti pattern

.NET

Ruby

4.     DOM XSS

5.     jQuery

6.     The Anti pattern

.NET

Searching for traditional SQL, JPA, JPQL, Criteria, ...

Ruby

ColdFusion

7.     Transactional logic / Non-idempotent functions / State-changing functions

8.     Reviewing code for poor logic / Business logic /complex authorization

9.     Reviewing Secure Communications

.NET Config

Spring Config

HTTP Headers

CSP

HSTS

10.  Tech-Stack pitfalls

·      Framework specific issues

1.     Spring

2.     Struts

3.     Drupal

4.     Ruby on Rails

5.     Django

6.     .NET Security / MVC

7.     Security in ASP.NET applications

Strongly Named Assemblies

Round Tripping

How to prevent Round tripping

Setting the right Configurations

Authentication Options

Code Review for Managed code - .NET 1.0 & 2.0

Using OWASP Top 10 as your guideline

Code review for Unsafe Code (C#)

8.     Classic ASP

9.     C#

10.  C/C++

11.  Objective-C

12.  Android

13.  ColdFusion