[Owasp-testing] Fwd: Code review Structure

Mark Roxberry me at markroxberry.net
Thu Jan 11 10:24:30 EST 2007


I'll do .NET Code Review Best Practices.

Can I include Design Guidance as a section? Or maybe we need to consider Secure Application Design for an OWASP project (or do we have plans for this already)? An example, in ASP.NET 2.0: when do we recommend using the MembershipProviders and integrating with the .NET framework before rolling your own access control system? Design guidance would outline the scenarios for each security design. What do you think?

I'll post a topic list by tomorrow.

Regards,

Mark
  ----- Original Message ----- 
  From: Eoin 
  To: owasp-testing at lists.owasp.org ; Owasp-codereview at lists.owasp.org 
  Sent: Tuesday, January 09, 2007 10:47 AM
  Subject: [Owasp-testing] Fwd: Code review Structure


  Hi,
  Below is the current structure of the code review guide.

  If anyone would like to take on a section (improve a section/add more info), please let me know and I'll pen you in for it.
  thanks,
  Eoin

  Methodology

    Introduction
    Steps and Roles
    Code Review Processes
    Design review
    Designing for security

    Examples by Vulnerability

    Buffer Overruns and Overflows
    OS Injection
    SQL Injection
    Data Validation
    Error Handling
    Logging issues
    The Secure Code Environment
    Transaction Analysis
    Authorization
    Authentication
    Session Integrity
    Cross Site Request Forgery
    Cryptography
    Dangerous HTTP Methods
    Race Conditions

  Language specific best practice

  Java

    Inner classes
    Class comparison
    Cloneable classes
    Serializable classes
    Package scope and encapsulation
    Mutable objects
    Private methods & circumvention

  .NET

  PHP

  Automating Code Reviews

    Preface
    Reasons for using automated tools
    Education and cultural change
    Tool Deployment Model

  References


  -- 
  Eoin Keary OWASP - Ireland
  http://www.owasp.org/local/ireland.html
  http://www.owasp.org/index.php/OWASP_Testing_Project 
  http://www.owasp.org/index.php/OWASP_Code_Review_Project 
