insanesecurity » ASP http://insanesecurity.info/blog security through a distorted eye Thu, 25 Feb 2010 22:31:12 +0000 en hourly 1 http://wordpress.org/?v=3.0 OWASP Code Review Guide http://insanesecurity.info/blog/owasp-code-review-guide http://insanesecurity.info/blog/owasp-code-review-guide#comments Wed, 24 Jun 2009 16:25:00 +0000 dblackshell http://insanesecurity.info/blog/?p=50 Code review is probably the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. (Introduction)

The first section (Methodology) walks you through the: introduction to code review, preparation for code review, security code review in software development life cycle (waterfall and agile), security code review coverage, application threat modeling and code review metrics. From this first section I’ve found very interesting the “application threat modeling” page, because I never did know how to classify (evaluate) the risk of a vulnerability and it really made me understand a lot about it.

The next section of the guide is about crawling code, what to look for in JAVA/ASP/JavaSript.

I’ll skip the rest (I’ll let you discover it) and only mention the “example by technical control”, section which I would recommend to any web developer (regardless of language) because It points out every aspect for the following technical controls: authentication, authorization, session management, input/data validation, error handling, secure deployment, cryptographic controls.

That being said, you can read the guide on-line at owasp.org, or download the pdf version from lulu.com.

]]> http://insanesecurity.info/blog/owasp-code-review-guide/feed 0