Code Review Guide

Code Review Guide

CODE REVIEW GUIDE 3.0 RELEASE Project leaders: Mr. John Doe and Jane Doe Creative Commons (CC) Attribution Free Version at: https://www.owasp.org 1 2 F I 1 Forward - Eoin Keary Introduction How to use the Code Review Guide 7 8 10 2 Secure Code Review 11 Framework Specific Configuration: Jetty 16 2.1 Why does code have vulnerabilities? 12 Framework Specific Configuration: JBoss AS 17 2.2 What is secure code review? 13 Framework Specific Configuration: Oracle WebLogic 18 2.3 What is the difference between code review and secure code review? 13 Programmatic Configuration: JEE 18 2.4 Determining the scale of a secure source code review? 14 Microsoft IIS 20 2.5 We can’t hack ourselves secure 15 Framework Specific Configuration: Microsoft IIS 40 2.6 Coupling source code review and penetration testing 19 Programmatic Configuration: Microsoft IIS 43 2.7 Implicit advantages of code review to development practices 20 2.8 Technical aspects of secure code review 21 2.9 Code reviews and regulatory compliance 22 5 A1 3 Injection 51 Injection 52 Blind SQL Injection 53 Methodology 25 Parameterized SQL Queries 53 3.1 Factors to Consider when Developing a Code Review Process 25 Safe String Concatenation? 53 3.2 Integrating Code Reviews in the S-SDLC 26 Using Flexible Parameterized Statements 54 3.3 When to Code Review 27 PHP SQL Injection 55 3.4 Security Code Review for Agile and Waterfall Development 28 JAVA SQL Injection 56 3.5 A Risk Based Approach to Code Review 29 .NET Sql Injection 56 3.6 Code Review Preparation 31 Parameter collections 57 3.7 Code Review Discovery and Gathering the Information 32 3.8 Static Code Analysis 35 3.9 Application Threat Modeling 39 4.3.2. Step 1: Decompose the Application 39 5 A2 5.4.3. Step 2: Determine and rank threats 42 5.4.4. Step 3: Determine countermeasures and mitigation 45 Broken Authentication And Session Management 3.10 Metrics and Code Review 45 60 A2 Broken Authentication 3.11 Crawling Code 49 60 Forgot Password 62 CAPTCHA 63 Out-of-Band Communication 64 4 A2 Session Management 66 .Net ASPX web.confi 67 Java web.xml 68 Reviewing by Framework 9 PHP.INI 68 Apache Struts 10 .Net ASPX 68 Java Enterprise Edition Declarative Configuration 10 Java 68 JEE Annotations 11 PHP 68 Framework Specific Configuration: Apache Tomcat 15 Session Attacks 69 3 Session Hijacking 69 4.5 Framework Specific Configuration: Jetty 84 Session Fixation 69 4.6 Framework Specific Configuration: JBoss AS 86 Session Elevation 70 4.7 Framework Specific Configuration: Oracle WebLogic 86 Server-Side Defenses for Session Management 70 4.8 Programmatic Configuration: JEE 86 .NET ASPX 70 4.9 Microsoft IIS 89 Java 70 4.10 Framework Specific Configuration: Microsoft IIS 90 PHP.INI 70 4.11 Programmatic Configuration: Microsoft IIS 93 4.12 Further IIS Configurations 94 4.13 Strongly Named Assemblies 102 4.15 Round Tripping A3 105 5 4.16 .NET Authentication Controls 107 Cross-Site Scripting (Xss) 71 Use Microsft’s Anti-XSS library 72 5 A6 .NET ASPX 72 .NET MVC 72 JavaScript and JavaScript Frameworks 72 Sensitive Data Exposure 112 1.1 Cryptographic Controls 112 1.1.1 Description 112 1.1.2 What to Review: Protection in Transit A4 112 5 1.1.3 What to Review: Protection at Rest 115 1.1.4 References 121 1.1.5 Encryption, Hashing & Salting 121 Insecure Direct Object Reference 74 1.1.6 References 124 SQL Injection 74 1.2 Reducing the attack surface 125 HTTP POST requests 74 1.2.1 Description 125 Indirect Reference Maps 75 1.2.2 What to Review 125 Data Binding Technique 75 1.2.3 References 126 Secure Design Recommendation: 76 Review Criteria 76 What the Code Reviewer needs to do: 76 Binding issues in MVC .NET 76 5 A7 A.K.A Over-Posting A.K.A Mass assignments 76 Corresponding view (HTML) 76 Recommendations 77 Missing Function Level Access Control 127 1.3.1 Authorization 127 1.3.2 Description 127 1.3.3 What to Review A5 129 5 1.4 From Access Control Cheat Sheet 131 Security Misconfiguration 78 4.1 Apache Struts 78 4.2 Java Enterprise Edition Declarative Configuration 79 4.3 JEE Annotations 83 4.4 Framework Specific Configuration: Apache Tomcat 84 4 5 A8 Cross-Site Request Forgery (CSRF) 133 5.5.4 What to Review: Potentially Vulnerable Code 156 2.1 Description 133 5.5.5 What to Review: Error Handling in IIS 158 2.2 What to Review 134 5.5.6 What to Review: Error Handling in Apache 160 2.3 References 139 5.6 What to Review: Leading Practice for Error Handling 161 5.6.1 What to Review: The Order of Catching Exceptions 162 5.6.2 What to Review: Releasing resources and good housekeeping 163 5.6.3 References A9 164 5 5.7 Reviewing Security alerts 164 5.7.1 Description 164 5.7.2 What to Review 166 Using Components With Known Vulnerabilities 140 5.7.3 References 167 3.1 Description 140 5.8 Review for active defense 167 3.2 What to Review 140 5.9 Description 167 3.3 References 141 5.10 What to Review 168 5.11 References 169 5.12 Race Conditions 169 5 A10 5.13 Description 170 5.14 What to Review 170 5.14.1 References 171 5.15 Buffer Overruns 171 Unvalidated Redirects And Forwards 142 5.15.1 Description 171 4.1 Description 142 5.15.2 What to Review: Buffer Overruns 172 4.2 What to Review 143 5.15.3 What to Review: Format Function Overruns 173 4.3 References 145 5.15.4 What to Review: Integer Overflows 174 5. AX - General 145 5.16 References 176 5.1 HTML5 145 5.1.1 Description 145 5.1.2 What to Review: Web Messaging 145 5.1.3 What to Review: Cross Origin Resource Sharing 146 6 5.1.4 What to Review: WebSockets 147 5.1.5 What to Review: Server-Sent Events 148 5.2 Same Origin Policy 148 Code Review Do’s And Dont’s 178 5.2.1 Description 149 Code Review Do’s And Dont’s 178 5.3 What to Review 150 5.4 Reviewing Logging code 150 5.4.1 Description 150 5.4.2 What to Review 151 7 5.4.3 References 152 5.5 Error Handling 152 5.5.1 Description 153 Apendix 180 5.5.2 What to Review 154 7.1 Contributors 180 5.5.3 What to Review: Failing Securely 155 5 SDLC Diagrams - 184 184 Code Review Checklist - 191 191 6 F Code Review Guide Foreword - By Eoin Keary 7 Foreword by Eoin Keary, OWASP Global Board The OWASP Code Review guide was originally born from the OWASP Testing Guide. Initially code review was covered in the Testing Guide, as it seemed like a good idea at the time. However, the topic of security code review is too big and evolved into its own stand-alone guide. I started the Code Review Project in 2006. This current edi- tion was started in April 2013 via the OWASP Project Reboot initiative and a grant from the United States Department of Homeland Security. The OWASP Code Review team consists of a small, but tal- ented, group of volunteers who should really get out more often. The volunteers have experience and a drive for the best practices in secure code review in a variety of organi- zations, from small start-ups to some of the largest software development organizations in the world. It is common knowledge that more secure software can be produced and developed in a more cost effective way when bugs are detected early on in the systems development lifecycle. Organizations with a proper code review function integrated into the software development lifecycle (SDLC) produced remarkably better code from a security stand- point. To put it simply “We can’t hack ourselves secure”. At- tackers have more time to find vulnerabilities on a system than the time allocated to a defender. Hacking our way se- cure amounts to an uneven battlefield, asymmetric warfare, and a losing battle. By necessity, this guide does not cover all programming lan- guages. It mainly focuses on C#/.NET and Java, but includes C/C++, PHP and other languages where possible. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately (or unfortu- nately), the security flaws in web applications are remark- ably consistent across programming languages. Eoin Keary, OWASP Board Member, April 19, 2013 8 Introduction - Contents I INTRODUCTION Welcome to the second edition of the OWASP Code Review Guide Project. The second edition brings the successful OWASP Code Review Guide up to date with current threats and countermeasures. This ver- sion also includes new content reflecting the OWASP communities’ experiences of secure code review best practices. C CONTENTS The Second Edition of the Code Review Guide has been developed to advise software developers and management on the best practices in secure code review, and how it can be used within a secure soft- ware development life-cycle (S-SDLC). The guide begins with sections that introduce the reader to secure code review and how it can be introduced into a company’s S-SDLC. It then concentrates on specific technical subjects and provides examples of what a reviewer should look for when reviewing technical code. Specifically the guide covers: Overview This section introduces the reader to secure code review and the advantages it can bring to a devel- opment organization.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    224 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us