[Owasp-codereview] Code Review Project 2.0

Larry Conklin larry.conklin at owasp.org
Mon Feb 18 01:37:37 UTC 2013

Looking for volunteers for the Code Review 2.0 project. Below are the open
tasks that have not been assigned to anyone yet. If you have any questions about
how you can contribute or about a particular task, please ask Eoin Keary, the
technical leader for this project, or myself.

*OWASP Code Review Guide V2.0 Open Tasks as of 2/17/2013.*

·      *Methodology:*

1.     Deployment Models

2.     Source and Sink reviews

3.     Code Review Coverage
       Previous Version to be updated

4.     A Risk based approach to code review
       “Doing things right or doing the right things...”
       “Not all bugs are equal”

5.     Crawling code
       Previous Version to be updated
       a.     APIs of interest: Java/.NET/PHP/Ruby
       b.     Frameworks: Spring/.NET MVC/Struts/Zend

6.     Code Reviews and Compliance
       Previous Version to be updated
       *https://www.owasp.org/index.php/Code_Reviews_and_Compliance*

·      *Reviewing by Technical Control*

1.     Reviewing code for Authentication controls
       Forgot password
       Out of Band considerations
       Previous Version to be updated

2.     Reviewing code for Authorization weakness
       Checking authorization upon every request
       Reducing the attack surface
       Previous Version to be updated

3.     Reviewing client side code <NEW>
       Content Security Policy

4.     Reviewing code for input validation
       Regex Gotchas <NEW>

5.     Reviewing code for contextual encoding <NEW>
       HTML Attribute
       HTML Entity
       JavaScript Parameters

6.     Reviewing file and resource handling code
       Resource Exhaustion - error handling
       Native calls

7.     Reviewing Error handling and Error messages
       Previous version to be updated

8.     Reviewing Security alerts <???>

9.     Reviewing Secure Storage <NEW>
       Hashing & Salting - When, How and Where
       Previous version to be updated


·      *Reviewing by Vulnerability*

1.     Persistent - The Anti pattern

2.     Reflected - The Anti pattern

3.     Stored - The Anti pattern

4.     DOM XSS

5.     jQuery

6.     The Anti pattern
       Searching for traditional SQL, JPA, JPSQL, Criteria, ...
       Cold Fusion

7.     Transactional logic / Non idempotent functions / State Changing

8.     Reviewing code for poor logic / Business logic / complex authorization

9.     Reviewing Secure Communications
       .NET Config
       Spring Config
       HTTP Headers

10.    Tech-Stack pitfalls

·      *Framework specific issues*

1.     Spring

2.     Struts

3.     Drupal

4.     Ruby on Rails

5.     Django

6.     .NET Security / MVC

7.     Security in ASP.NET applications
       Strongly Named Assemblies
       Round Tripping
       How to prevent Round tripping
       Setting the right Configurations
       Authentication Options
       Code Review for Managed code - .NET 1.0 & 2.0
       Using OWASP Top 10 as your guideline
       Code review for Unsafe Code (C#)

8.     Classic ASP

9.     C#

10.    C/C++

11.    Objective C

12.    Android

13.    ColdFusion