OWASP CODE REVIEW GUIDE 2.0 RELEASE
Project leaders: Larry Conklin and Gary Robinson
Creative Commons (CC) Attribution
Free Version at:
1 Introduction
    Foreword  3
    Acknowledgements  5
    Introduction  6
    How To Use The Code Review Guide  8
2 Secure Code Review  9
    Methodology  20
3 Technical Reference For Secure Code Review
    A1 Injection  43
    A2 Broken Authentication And Session Management  58
    A3 Cross-Site Scripting (XSS)  70
    A4 Insecure Direct Object Reference  77
    A5 Security Misconfiguration  82
    A6 Sensitive Data Exposure  117
    A7 Missing Function Level Access Control  133
    A8 Cross-Site Request Forgery (CSRF)  139
    A9 Using Components With Known Vulnerabilities  146
    A10 Unvalidated Redirects And Forwards  149
4 HTML5  154
    Same Origin Policy  158
    Reviewing Logging Code  160
    Error Handling  163
    Reviewing Security Alerts  175
    Review For Active Defence  178
    Race Conditions  181
    Buffer Overruns  183
    Client Side JavaScript  188
Appendix
    Code Review Do's And Dont's  192
    Code Review Checklist  196
    Threat Modeling Example  200
    Code Crawling  206
Code Review Guide Foreword - By Eoin Keary
1 FOREWORD
By Eoin Keary, Long Serving OWASP Global Board Member
The OWASP Code Review guide was originally born from the OWASP Testing Guide. Initially code review was covered in the Testing Guide, as it seemed like a good idea at the time. However, the topic of security code review is too big and evolved into its own stand-alone guide.
I started the Code Review Project in 2006. This current edition was started in April 2013 via the OWASP Project Reboot initiative and a grant from the United States Department of Homeland Security.
The OWASP Code Review team consists of a small, but talented, group of volunteers who should really get out more often. The volunteers have experience and a drive for the best practices in secure code review in a variety of organizations, from small start-ups to some of the largest software development organizations in the world.
It is common knowledge that more secure software can be produced and developed in a more cost-effective way when bugs are detected early on in the systems development lifecycle. Organizations with a proper code review function integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. To put it simply, "We can't hack ourselves secure". Attackers have more time to find vulnerabilities on a system than the time allocated to a defender. Hacking our way secure amounts to an uneven battlefield, asymmetric warfare, and a losing battle.
By necessity, this guide does not cover all programming languages. It mainly focuses on C#/.NET and Java, but includes C/C++, PHP and other languages where possible. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately (or unfortunately), the security flaws in web applications are remarkably consistent across programming languages.
Eoin Keary, June 2017
Acknowledgements
APPRECIATION TO UNITED STATES DEPARTMENT OF HOMELAND SECURITY
The OWASP community and the Code Review Guide project leaders wish to express their deep appreciation to the United States Department of Homeland Security for helping make this book possible through funds provided to OWASP by a grant. OWASP continues to be the preeminent organization for free, unbiased and unfettered application security. We have seen a disturbing rise in threats and attacks on community institutions through application vulnerabilities; only by joining forces, and with unfettered information, can we help turn back the tide of these threats. The world now runs on software, and that software needs to be trustworthy. Our deepest appreciation and thanks to DHS for helping and sharing in this goal.
FEEDBACK
If you have any feedback for the OWASP Code Review team, and/or find any mistakes or improvements in this Code Review Guide please contact us at: owasp-codereview-project@