[Owasp-testing] Fwd: Code review Structure

James Kist kist at meridiansecurity.net
Fri Jan 12 10:25:36 EST 2007


What is the desired structure for the best practices section? How about
something like this:
 
Vulnerability (with a link to the section that describes the vulnerability)
Best practice 1 - Description (includes how and to what level the
vulnerability is addressed by this best practice)
Best practice 1 - Code example (if applicable)
Best practice 2 - Description
Best practice 2 - Code example (if applicable)
 
etc.
 
 

  _____  

From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Thursday, January 11, 2007 10:45 AM
To: Mark Roxberry
Cc: Owasp-codereview at lists.owasp.org; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Fwd: Code review Structure


Hi Mark,
I believe there is a design section but it has not been touched yet:
 
http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
 
Designing for security (section).
 
Would you consider putting a .NET design section within this.
 
Authoring the .NET best practice section would be great!! I'll put your name
beside it.
thanks,
Eoin

 
On 11/01/07, Mark Roxberry <me at markroxberry.net> wrote: 

I'll do .NET Code Review Best Practices.
 
Can I include Design Guidance as a section?  Or maybe we need to consider
Secure Application Design for an OWASP project (or do we have plans for this
already)?  An example, in ASP.NET 2.0, when do we
recommend using the MembershipProviders and integrating with .NET framework
before rolling your own access control system.  Design guidance would
outline the scenarios for each security design.  What do you think?  
 
I'll post a topic list by tomorrow.

Regards,
 
Mark


----- Original Message ----- 
From: Eoin <eoin.keary at owasp.org>
To: owasp-testing at lists.owasp.org;
Owasp-codereview at lists.owasp.org
Sent: Tuesday, January 09, 2007 10:47 AM
Subject: [Owasp-testing] Fwd: Code review Structure

 
Hi,
Below is the current structure of the code review guide.

If anyone would like to take on a section (improve a section/add more info)
please let me know and I'll pen you in for it.
thanks,
Eoin
 

Methodology
	Introduction
	Steps and Roles
	Code Review Processes
	Design review
		Designing for security
	Examples by Vulnerability
		Buffer Overruns and Overflows
		OS Injection
		SQL Injection
		Data Validation
		Error Handling
		Logging issues
		The Secure Code Environment
		Transaction Analysis
		Authorization
		Authentication
		Session Integrity
		Cross Site Request Forgery
		Cryptography
		Dangerous HTTP Methods
		Race Conditions

Language specific best practice
	Java
		Inner classes
		Class comparison
		Cloneable classes
		Serializable classes
		Package scope and encapsulation
		Mutable objects
		Private methods & circumvention
	.NET
	PHP

Automating Code Reviews
	Preface
	Reasons for using automated tools
	Education and cultural change
	Tool Deployment Model

References



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project 