[Owasp-testing] Fwd: Code review Structure

Eoin eoin.keary at owasp.org
Thu Jan 11 10:45:01 EST 2007


Hi Mark,
I believe there is a design section but it has not been touched yet:

http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents

Designing for security (section).

Would you consider putting a .NET design section within this?

Authoring the .NET best practice section would be great!! I'll put your name
beside it.
thanks,
Eoin


On 11/01/07, Mark Roxberry <me at markroxberry.net> wrote:
>
>  I'll do .NET Code Review Best Practices.
>
> Can I include Design Guidance as a section?  Or maybe we need to consider
> Secure Application Design for an OWASP project (or do we have plans for this
> already)?  An example, in ASP.NET 2.0, when do we
> recommend using the MembershipProviders and integrating with .NET framework
> before rolling your own access control system.  Design guidance would
> outline the scenarios for each security design.  What do you think?
>
> I'll post a topic list by tomorrow.
>
> Regards,
>
> Mark
>
>  ----- Original Message -----
> *From:* Eoin <eoin.keary at owasp.org>
> *To:* owasp-testing at lists.owasp.org ; Owasp-codereview at lists.owasp.org
> *Sent:* Tuesday, January 09, 2007 10:47 AM
> *Subject:* [Owasp-testing] Fwd: Code review Structure
>
>
> Hi,
> Below is the current structure of the code review guide.
>
> If anyone would like to take on a section (improve a section/add more
> info) please let me know and I'll pen you in for it.
> thanks,
> Eoin
>
>
> Methodology
>
>
>    *Introduction*
>
>    *Steps and Roles*
>
>    *Code Review Processes*
>
>    Design review
>    *Designing for security*
>
>    Examples by Vulnerability
>
>
>
>
>    *Buffer Overruns and Overflows*
>
>    *OS Injection*
>
>    *SQL Injection*
>
>    *Data Validation*
>
>    *Error Handling*
>
>    *Logging issues*
>
>    *The Secure Code Environment*
>
>    *Transaction Analysis*
>
>    *Authorization*
>
>    *Authentication*
>
>    *Session Integrity*
>
>    *Cross Site Request Forgery*
>
>    *Cryptography*
>
>    *Dangerous HTTP Methods*
>
>    *Race Conditions*
>
>
> Language specific best practice
>
> Java
>
>
>    *Inner classes*
>
>    *Class comparison*
>
>    *Cloneable classes*
>
>    *Serializable classes*
>
>    *Package scope and encapsulation*
>
>    *Mutable objects*
>
>    *Private methods & circumvention*
>
>
>
> .NET
>
> PHP
>
> Automating Code Reviews
>
>
>    *Preface *
>
>    *Reasons for using automated tools*
>
>    *Education and cultural change*
>
>    *Tool Deployment Model*
>
>
>
> *References*
>
> --
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project

