Code Review Guide
CODE REVIEW GUIDE 2.0 RELEASE
Project leaders: Larry Conklin and Gary Robinson
Creative Commons (CC) Attribution
Free Version at: https://www.owasp.org

CONTENTS
1 Introduction
   Foreword 3
   Acknowledgements 5
   Introduction 6
   How To Use The Code Review Guide 8
2 Secure Code Review 9
   Methodology 20
3 Technical Reference For Secure Code Review
   A1 Injection 43
   A2 Broken Authentication And Session Management 58
   A3 Cross-Site Scripting (XSS) 70
   A4 Insecure Direct Object Reference 77
   A5 Security Misconfiguration 82
   A6 Sensitive Data Exposure 117
   A7 Missing Function Level Access Control 133
   A8 Cross-Site Request Forgery (CSRF) 139
   A9 Using Components With Known Vulnerabilities 146
   A10 Unvalidated Redirects And Forwards 149
4 HTML5 154
   Same Origin Policy 158
   Reviewing Logging Code 160
   Error Handling 163
   Reviewing Security Alerts 175
   Review For Active Defence 178
   Race Conditions 181
   Buffer Overruns 183
   Client Side JavaScript 188
Appendix
   Code Review Do's And Don'ts 192
   Code Review Checklist 196
   Threat Modeling Example 200
   Code Crawling 206

FOREWORD
By Eoin Keary, Long Serving OWASP Global Board Member

The OWASP Code Review guide was originally born from the OWASP Testing Guide. Initially code review was covered in the Testing Guide, as it seemed like a good idea at the time. However, the topic of security code review is too big and evolved into its own stand-alone guide. I started the Code Review Project in 2006. This current edition was started in April 2013 via the OWASP Project Reboot initiative and a grant from the United States Department of Homeland Security. The OWASP Code Review team consists of a small, but talented, group of volunteers who should really get out more often. The volunteers have experience and a drive for the best practices in secure code review in a variety of organizations, from small start-ups to some of the largest software development organizations in the world.
It is common knowledge that more secure software can be produced and developed in a more cost effective way when bugs are detected early on in the systems development lifecycle. Organizations with a proper code review function integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. To put it simply, "We can't hack ourselves secure". Attackers have more time to find vulnerabilities on a system than the time allocated to a defender. Hacking our way secure amounts to an uneven battlefield, asymmetric warfare, and a losing battle.

By necessity, this guide does not cover all programming languages. It mainly focuses on C#/.NET and Java, but includes C/C++, PHP and other languages where possible. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately (or unfortunately), the security flaws in web applications are remarkably consistent across programming languages.

Eoin Keary, June 2017

ACKNOWLEDGEMENTS

APPRECIATION TO UNITED STATES DEPARTMENT OF HOMELAND SECURITY
The OWASP community and the Code Review Guide project leaders wish to express their deep appreciation to the United States Department of Homeland Security for helping make this book possible through funds provided to OWASP by a grant. OWASP continues to be the preeminent organization for free, unbiased and unfettered application security. We have seen a disturbing rise in threats and attacks on community institutions through application vulnerabilities; only by joining forces, and with unfettered information, can we help turn back the tide of these threats. The world now runs on software, and that software needs to be trustworthy. Our deepest appreciation and thanks to DHS for helping and sharing in this goal.
FEEDBACK
If you have any feedback for the OWASP Code Review team, and/or find any mistakes or improvements in this Code Review Guide, please contact us at: [email protected]

Project Leaders: Larry Conklin, Gary Robinson

VERSION 2.0, 2017
Content Contributors: Michael Hidalgo, David Li, Larry Conklin
Reviewers: Lawrence J Timmins, Gary Robinson, Alison Shubert, Kwok Cheng, Johanna Curiel, Fernando Galves, Ken Prole, Eoin Keary, Sytze van Koningsveld, David D'Amico, Islam Azeddine Mennouchi, Carolyn Cohen, Robert Ferris, Abbas Naderi, Helen Gao, Lenny Halseth, Carlos Pantelides, Jan Masztal, Kenneth F. Belva

VERSION 1.0, 2007
Project Leader: Eoin Keary
Content Contributors and Reviewers: Jenelle Chapman, Jeff Williams, Andrew van der Stock, Rahin Jina, Paolo Perego, David Lowry, David Rook, Dinis Cruz

INTRODUCTION
Welcome to the second edition of the OWASP Code Review Guide Project. The second edition brings the successful OWASP Code Review Guide up to date with current threats and countermeasures. This version also includes new content reflecting the OWASP community's experiences of secure code review best practices.

CONTENTS
The Second Edition of the Code Review Guide has been developed to advise software developers and management on the best practices in secure code review, and how it can be used within a secure software development life-cycle (S-SDLC). The guide begins with sections that introduce the reader to secure code review and how it can be introduced into a company's S-SDLC. It then concentrates on specific technical subjects and provides examples of what a reviewer should look for when reviewing technical code. Specifically, the guide covers:

Overview
This section introduces the reader to secure code review and the advantages it can bring to a development organization. It gives an overview of secure code review techniques and describes how code review compares with other techniques for analyzing secure code.
Methodology
The methodology section goes into more detail on how to integrate secure review techniques into a development organization's S-SDLC, and how the personnel reviewing the code can ensure they have the correct context to conduct an effective review. Topics include applying risk based intelligence to security code reviews, using threat modelling to understand the application being reviewed, and understanding how external business drivers can affect the need for secure code review.

HOW TO USE THE CODE REVIEW GUIDE
The contents and the structure of the book have been carefully designed. Further, all the contributed chapters have been judiciously edited and integrated into a unifying framework that provides uniformity in structure and style. This book is written to satisfy three different perspectives.

1. Management teams who wish to understand why code reviews are needed and why they are included in best practices for developing secure enterprise software in today's organizations. Senior management should thoroughly read sections one and two of this book. Management needs to consider the following items if secure coding is going to be part of the organization's software development lifecycle:
• Does the organization's project estimation allot time for code reviews?
• Does management have the capability to track the relevant metrics of code review and static analysis for each project and programmer?
• Management needs to decide at what point in the project lifecycle code reviews will be done, and which changes to existing projects require previously reviewed code to be reviewed again.

2. Software leads who want to give meaningful feedback to peers in code review, with ample empirical artifacts on what to look for, in helping create secure enterprise software for their organizations.
They should consider:
• As a peer code reviewer, to use this book you first decide on the type of code review you want to accomplish. Let's spend a few minutes going over each type of code review to help in deciding how this book can be of assistance to you.
• API/design code reviews. Use this book to understand how architecture designs can lead to security vulnerabilities. Also, if the API is a third party API, what security controls are in place in the code to prevent security vulnerabilities?
• Maintainability code reviews. These types of code reviews are oriented more towards the organization's internal best coding practices. This book does cover code metrics, which can help the code reviewer better understand which code to look at for security vulnerabilities if a section of code is overly complex.
• Integration code reviews. Again, these types of code reviews are oriented more towards the organization's internal coding policies. Is the code being integrated into the project fully vetted by IT management and approved? Many security vulnerabilities are now being introduced through open source libraries, which may bring in dependencies that are not secure.
• Testing code reviews. Agile and Test Driven Design, where the programmer creates unit tests to prove code methods work as the programmer intended. This book is not a guide for testing software. The code reviewer may want to pay attention to unit test cases to make sure all methods have appropriate exception handling and that code fails in a safe way. If possible, each security control in the code has the appropriate unit test cases.

3. Secure code reviewers who want an updated guide on how secure code reviews are integrated into the organization's secure software development lifecycle. This book will also work as a reference guide for the code reviewer while code is in the review process. This book provides a complete source of information needed by the code reviewer.
It should be read first as a story about code reviews and second as a desktop reference guide.

Technical Reference For Secure Code Review
Here the guide drills down into common vulnerabilities and technical controls, including XSS, SQL injection, session tracking, authentication, authorization, logging, and information leakage, giving code examples in various languages to guide the reviewer.
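The "Testing code reviews" item above asks the reviewer to check that each security control has its own unit tests and that the code fails in a safe way. The following is an added example, not code from the OWASP guide (whose own examples are mainly Java and C#): a hypothetical fail-closed authorization check, the "before" variant with the common fail-open defect, and the unit tests a reviewer should expect to find beside the control, one per security decision and one for the backend failure path. PolicyStore, PolicyLookupError, the roles, actions and sample grants are all constructed for this example.

```python
# Constructed example: a fail-closed authorization control and the unit tests a
# reviewer should expect to find beside it. Not code from the OWASP guide.
from dataclasses import dataclass, field


class PolicyLookupError(Exception):
    """Raised when the policy backend is unavailable (simulated outage)."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class PolicyStore:
    # role -> frozenset of (action, resource_type) grants; sample data in make_store()
    grants: dict = field(default_factory=dict)
    fail: bool = False  # when True every lookup raises, simulating a backend outage

    def permissions_for(self, role):
        if self.fail:
            raise PolicyLookupError("policy backend unavailable")
        return self.grants.get(role, frozenset())


ALLOWED_ACTIONS = frozenset({"read", "write", "delete"})


def is_authorized(user, action, resource_type, store):
    """Allow only when one of the user's roles explicitly grants (action, resource_type).
    Anonymous users, unknown actions and any backend failure are denied: fail closed."""
    if user is None or action not in ALLOWED_ACTIONS:
        return False
    try:
        for role in user.roles:
            if (action, resource_type) in store.permissions_for(role):
                return True
    except PolicyLookupError:
        return False  # an outage must never become an implicit allow
    return False


def is_authorized_fail_open(user, action, resource_type, store):
    """'Before' version showing the defect the outage test below catches:
    the result defaults to allow and the backend error is swallowed."""
    allowed = True
    try:
        for role in user.roles:
            if (action, resource_type) in store.permissions_for(role):
                return True
        allowed = False
    except PolicyLookupError:
        pass  # logged-and-ignored in real code; allowed is still True here
    return allowed


# --- unit tests: one per security decision, including the failure path ---

def make_store(fail=False):
    """Constructed sample policy: editors read and write docs, viewers only read."""
    return PolicyStore(
        grants={"editor": frozenset({("read", "doc"), ("write", "doc")}),
                "viewer": frozenset({("read", "doc")})},
        fail=fail,
    )


EDITOR = User("ann", frozenset({"editor"}))
VIEWER = User("bob", frozenset({"viewer"}))


def test_explicit_grant_is_allowed():
    assert is_authorized(EDITOR, "write", "doc", make_store()) is True


def test_missing_grant_is_denied():
    assert is_authorized(VIEWER, "write", "doc", make_store()) is False


def test_unknown_action_is_denied():
    assert is_authorized(EDITOR, "execute", "doc", make_store()) is False


def test_anonymous_is_denied():
    assert is_authorized(None, "read", "doc", make_store()) is False


def test_backend_outage_fails_closed():
    # The test a reviewer should insist on: the fail-open variant returns True here.
    assert is_authorized(EDITOR, "read", "doc", make_store(fail=True)) is False


def run_tests():
    """Run every test_* function in this module; return the names that failed."""
    failures = []
    for name, fn in sorted(globals().items()):
        if name.startswith("test_") and callable(fn):
            try:
                fn()
            except AssertionError:
                failures.append(name)
    return failures


if __name__ == "__main__":
    print("failing tests:", run_tests() or "none")
```

When reviewing, look for the outage test in particular: a control whose tests only exercise the allow and deny paths can pass every test and still fail open, as is_authorized_fail_open does, the moment its dependency throws.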