Summer Of Code 2008 Index of Tasks Assigned

OWASP Code Review Guide Table of Contents Methodology

Code Review Introduction|Introduction Steps and Roles Code Review Processes Transaction Analysis Want to update How to write an application_security finding Application Threat Modeling NEW-Author Name:  Marco Morana

The Round Trip Code Review NEW-Author Name:  Code review Metrics NEW-Author Name:  Allison Shubert

Crawling Code Introduction First sweep of the code base

Examples by Vulnerability ''' The Following sections need to be updated. Extra examples of good and bad code needed. Diagrams and flows regarding solutions. Additional vulnerabilities to be added also''' Reviewing Code for Buffer Overruns and Overflows Reviewing Code for OS Injection Reviewing Code for SQL Injection Reviewing Code for Data Validation Reviewing code for XSS issues Reviewing code for Cross-Site Request Forgery issues Reviewing Code for Error Handling Reviewing Code for Logging Issues Reviewing The Secure Code Environment Reviewing Code for Authorization Issues Reviewing Code for Authentication Reviewing Code for Session Integrity issues Reviewing Cryptographic Code Reviewing Code for Race Conditions

Language specific best practice

Java Java gotchas Java leading security practice

PHP PHP Security Leading Practice

C/C++ Strings and Integers

MySQL Reviewing MySQL Security

Need to Update and add additional examples and text Rich Internet Applications Flash Applications AJAX Applications Web Services

Example reports How to write NEW-Author Name:  How to determine the risk level of a finding NEW-Author Name:  Sample form NEW-Author Name: 

Automating Code Reviews Preface Reasons for using automated tools Education and cultural change Tool Deployment Model Code Auditor Workbench Tool The Owasp Orizon Framework: Paolo Perego &lt;thesp0nge@owasp.org&gt; Owasp Code Review Guide Top 10 Paolo Perego &lt;thesp0nge@owasp.org&gt;

Owasp Code Review Source scoring system Paolo Perego &lt;thesp0nge@owasp.org&gt; (checks how to help Eoin with source code metrics evaluation in order to create a standard scoring system for sources)

Ways to achieve secure code on a budget The OWASP Enterprise Security API ( ESAPI) NEW-Author Name:  Resource & Budget NEW-Author Name: 

References