Summer Of Code: Code Review Index

Methodology

Code Review Introduction Steps and Roles Code Review Processes Transaction Analysis How to write an application_security finding Applicaiton Threat Modeling The Round Trip Code Review Code review Metrics

Crawling Code Introduction First sweep of the code base

Examples by Vulnerability Reviewing Code for Buffer Overruns and Overflows Reviewing Code for OS Injection Reviewing Code for SQL Injection Reviewing Code for Data Validation Reviewing code for XSS issues Reviewing code for Cross-Site Request Forgery issues Reviewing Code for Error Handling Reviewing Code for Logging Issues Reviewing The Secure Code Environment Reviewing Code for Authorization Issues Reviewing Code for Authentication Reviewing Code for Session Integrity issues Reviewing Cryptographic Code Reviewing Code for Race Conditions

Language specific best practice

Java Java gotchas Java leading security practice

PHP PHP Security Leading Practice

C/C++ Strings and Integers

MySQL Reviewing MySQL Security

Rich Internet Applications Flash Applications AJAX Applications Web Services

Example reports How to write How to determine the risk level of a finding Sample form

Automating Code Reviews Preface Reasons for using automated tools Education and cultural change Tool Deployment Model Code Auditor Workbench Tool The Owasp Orizon Framework

Ways to achieve secure code on a budget The OWASP Enterprise Security API ( ESAPI) Resource & Budget References