[Owasp-codereview] Code Review Project 2.0
Larry Conklin
larry.conklin at owasp.org
Mon Feb 18 01:37:37 UTC 2013
Looking for volunteers for the Code Review 2.0 project. Below are the open
tasks that have not been assigned to anyone yet. If you have any questions about
how you can contribute or about a particular task, please ask Eoin Keary, the
technical leader for this project, or myself.
*OWASP Code Review Guide V2.0 Open Tasks as of 2/17/2013.*
· *Methodology:*
   1. Deployment Models
   2. Source and Sink reviews
   3. Code Review Coverage
      Previous Version to be updated:
      https://www.owasp.org/index.php/Security_Code_Review_Coverage
   4. A Risk based approach to code review.
      “Doing things right or doing the right things...”
      “Not all bugs are equal”
   5. Crawling code
      Previous Version to be updated:
      https://www.owasp.org/index.php/Crawling_Code
      a. APIs of interest: Java/.NET/PHP/RUBY
      b. Frameworks: Spring/.NET MVC/Struts/Zend
   6. Code Reviews and Compliance
      Previous Version to be updated:
      https://www.owasp.org/index.php/Code_Reviews_and_Compliance
· *Reviewing by Technical Control*
   1. Reviewing code for Authentication controls
      Forgot password
      Authentication
      CAPTCHA
      Out of Band considerations
      Previous Version to be updated
   2. Reviewing code for Authorization weakness
      Checking authorization upon every request
      Reducing the attack surface
      Previous Version to be updated:
      https://www.owasp.org/index.php/Codereview-Authorization
   3. Reviewing client side code <NEW>
      Javascript
      JSON
      Content Security Policy
      “Jacking”/Framing
      etc...
   4. Reviewing code for input validation
      Regex Gotchas <NEW>
      ESAPI <NEW>
      https://www.owasp.org/index.php/Codereview-Input_Validation
   5. Reviewing code for contextual encoding <NEW>
      HTML Attribute
      HTML Entity
      Javascript Parameters
      jQuery
   6. Reviewing file and resource handling code
      Resource Exhaustion - error handling
      Native calls
   7. Reviewing Error handling and Error messages
      Previous version to be updated:
      https://www.owasp.org/index.php/Codereview-Error-Handling
   8. Reviewing Security alerts <???>
   9. Reviewing Secure Storage <NEW>
      Hashing & Salting - When, How and Where
      Encryption
      Previous version to be updated:
      https://www.owasp.org/index.php/Codereview-Cryptographic_Controls
· *Reviewing by Vulnerability*
   1. Persistent - The Anti pattern
      .NET
      Ruby
   2. Reflected - The Anti pattern
      .NET
      Ruby
   3. Stored - The Anti pattern
      .NET
      Ruby
   4. DOM XSS
   5. jQuery
   6. The Anti pattern
      .NET
      Searching for traditional SQL, JPA, JPSQL, Criteria, ...
      Ruby
      Cold Fusion
   7. Transactional logic / Non idempotent functions / State Changing Functions
   8. Reviewing code for poor logic / Business logic / complex authorization
   9. Reviewing Secure Communications
      .NET Config
      Spring Config
      HTTP Headers
         CSP
         HSTS
   10. Tech-Stack pitfalls
· *Framework specific issues*
   1. Spring
   2. Struts
   3. Drupal
   4. Ruby on Rails
   5. Django
   6. .NET Security / MVC
   7. Security in ASP.NET applications
      Strongly Named Assemblies
      Round Tripping
      How to prevent Round tripping
      Setting the right Configurations
      Authentication Options
      Code Review for Managed code - .NET 1.0 & 2.0
      Using OWASP Top 10 as your guideline
      Code review for Unsafe Code (C#)
   8. Classic ASP
   9. C#
   10. C/C++
   11. Objective C
   12. Android
   13. Coldfusion