OWASP Code Review Guide Table of Contents

Frontispiece

 * About the OWASP Code Review Project
 * About The Open Web Application Security Project

Guide History

 * Code Review Guide History

Methodology

 * Introduction
 * Preparation
 * Security Code Review in the SDLC
 * Security Code Review Coverage
 * Application Threat Modeling
 * Code Review Metrics

Crawling Code

 * Crawling Code
 * Searching for Code in J2EE/Java
 * Searching for Code in Classic ASP
 * JavaScript/Web 2.0 Keywords and Pointers

Code Reviews and PCI DSS

 * Code Reviews and Compliance

Examples by Technical Control

 * Authentication
 * Authorization
 * Session Management
 * Input Validation
 * Error Handling
 * Secure Deployment
 * Cryptographic Controls

Examples by Vulnerability

 * Reviewing Code for Buffer Overruns and Overflows
 * Reviewing Code for OS Injection
 * Reviewing Code for SQL Injection
 * Reviewing Code for Data Validation
 * Reviewing Code for Cross-Site Scripting
 * Reviewing Code for Cross-Site Request Forgery
 * Reviewing Code for Logging Issues
 * Reviewing Code for Session Integrity
 * Reviewing Code for Race Conditions

Java

 * Java Gotchas
 * Leading Java Security Practice

Classic ASP

 * Classic ASP Design Mistakes

PHP

 * Leading PHP Security Practice

C/C++

 * Strings and Integers

MySQL

 * Reviewing MySQL Security

Rich Internet Applications

 * Reviewing Flash Applications
 * Reviewing AJAX Applications
 * Reviewing Web Services

Example Reports

 * How to Write an Application Code Review Finding

Automating Code Reviews

 * Automated Code Review
 * Tool Deployment Model
 * Code Auditor Workbench Tool
 * The OWASP Orizon Framework