Professional Documents
Culture Documents
REVIEW
GUIDE
2.0
RELEASE
1 Introduction
3 5 6 8
2
Secure Code Review 9
Methodology 20
3
Technical Reference For Secure Code Review Appendix
A1 Injection 43 Code Review Do’s And Dont’s 192
A2 Broken Authentication And Session Management 58 Code Review Checklist 196
A3 Cross-Site Scripting (XSS) 70 Threat Modeling Example 200
A4 Insecure Direct Object Reference 77 Code Crawling 206
A5 Security Misconfiguration 82
A6 Sensitive Data Exposure 117
A7 Missing Function Level Access Control 133
A8 Cross-Site Request Forgery (CSRF) 139
A9 Using Components With Know Vulnerabilities 146
A10 Unvalidated Redirects And Forwards 149
HTML5 154
Same Origin Policy 158
Reviewing Logging Code 160
Error Handling 163
Reviewing Security Alerts 175
Review For Active Defence 178
Race Conditions 181
Buffer Overruns 183
Client Side JavaScript 188
2
1
Code Review Guide Foreword - By Eoin Keary 3
1 FOREWORD
By Eoin Keary,
Long Serving OWASP Global Board Member
The OWASP Code Review guide was originally born from the
OWASP Testing Guide. Initially code review was covered in the
Testing Guide, as it seemed like a good idea at the time. Howev-
er, the topic of security code review is too big and evolved into
its own stand-alone guide.
We have seen a disturbing rise in threats and attacks on community institutions thru appli-
cation vulnerabilities, only by joining forces, and with unfretted information can we help
turn back the tide these threats. The world now runs on software and that software needs
to be trust worthy. Our deepest appreciation and thanks to DHS for helping and in sharing
in this goal.
FEEDBACK
If you have any feedback for the OWASP Code Review team, and/or find any mistakes or
improvements in this Code Review Guide please contact us at:
owasp-codereview-project@owasp.org
Acknowledgements 5
ACKNOWLEDGEMENTS
Project Leaders
Larry Conklin Gary Robinson
INTRODUCTION
Welcome to the second edition of the OWASP Code Review Guide Project. The second edition brings the
successful OWASP Code Review Guide up to date with current threats and countermeasures. This ver-
sion also includes new content reflecting the OWASP communities’ experiences of secure code review
best practices.
CONTENTS
The Second Edition of the Code Review Guide has been developed to advise software developers and
management on the best practices in secure code review, and how it can be used within a secure soft-
ware development life-cycle (S-SDLC). The guide begins with sections that introduce the reader to
secure code review and how it can be introduced into a company’s S-SDLC. It then concentrates on
specific technical subjects and provides examples of what a reviewer should look for when reviewing
technical code. Specifically the guide covers:
Overview
This section introduces the reader to secure code review and the advantages it can bring to a devel-
opment organization. It gives an overview of secure code review techniques and describes how code
review compares other techniques for analyzing secure code.
Methodology
The methodology section goes into more detail on how to integrate secure review techniques into de-
velopment organizations S-SDLC and how the personnel reviewing the code can ensure they have the
correct context to conduct an effective review. Topics include applying risk based intelligence to securi-
ty code reviews, using threat modelling to understand the application being reviewed, and understand-
ing how external business drivers can affect the need for secure code review.
How to use 7
The contents and the structure of the book have been carefully designed. Further, all the contributed chapters have been judi-
ciously edited and integrated into a unifying framework that provides uniformity in structure and style.
• Does management have the capability to track the relevant metrics of code review and static analysis for each project and
programmer?
• Management needs to decide when in the project life cycle will that code reviews should be done in the project lifecycle and
what changes to existing projects require review of previously completed code reviews.
2. Software leads who want to give manfully feedback to peers in code review with ample empirical artifacts as what to look for
in helping create secure enterprise software for their organizations. They should consider:
•As a peer code reviewer, to use this book you first decided on the type of code review do you want to accomplish. Lets spend a
few minutes going over each type of code review to help in deciding how this book can be assistance to you.
• API/design code reviews. Use this book to understand how architecture designs can lead to security vulnerabilities. Also if the
API is a third party API what security controls are in place in the code to prevent security vulnerabilities.
• Maintainability code reviews. These types of code reviews are more towards the organizations internal best coding practices.
This book does cover code metrics, which can help the code reviewer, better understand what code to look at for security vul-
nerabilities if a section of code is overly complex.
• Integration code reviews. Again these types of code reviews are more towards the organizations internal coding policies. Is
the code being integrated into the project fully vetted by IT management and approved? Many security vulnerabilities are now
being implemented by using open source libraries whichh may bring in dependencies that are not secure.
• Testing code reviews. Agile and Test Driven design where programmer creates unit tests to prove code methods works as the
programmer intended. This code is not a guide for testing software. The code reviewer may want to pay attention to unit test
cases to make sure all methods have appropriate exceptions; code fails in a safe way. If possible each security control in code has
the appropriate unit test cases.
3. Secure code reviewer who wants an updated guide on how secure code reviews are integrated in to the organizations secure
software development lifecycle. This book will also work as a reference guide for the code review as code is in the review process.
This book provides a complete source of information needed by the code reviewer. It should be read first as a story about code
reviews and seconds as a desktop reference guide.
8
2
Secure Code Review 9
This section can be used to learn the important aspects of the various controls, and as an on-the-job reference
when conducting secure code reviews.
We start with the OWASP Top 10 issues, describing technical aspects to consider for each of these issues. We
then move onto other common application security issues not specific to the OWASP Top 10
Secure code review is probably the single-most effective technique for identifying security bugs early in the
system development lifecycle. When used together with automated and manual penetration testing, code
review can significantly increase the cost effectiveness of an application security verification effort.
This guide does not prescribe a process for performing a security code review. Rather, it provides guidance on
how the effort should be structured and executed. The guide also focuses on the mechanics of reviewing code
for certain vulnerabilities.
Manual secure code review provides insight into the “real risk” associated with insecure code. This contextual,
white-box approach is the single most important value. A human reviewer can understand the relevance of
a bug or vulnerability in code. Context requires human understanding of what is being assessed. With ap-
propriate context we can make a serious risk estimate that accounts for both the likelihood of attack and the
business impact of a breach. Correct categorization of vulnerabilities helps with priority of remediation and
fixing the right things as opposed to wasting time fixing everything.
These problems have become so important in recent years because we continue to increase connectivity
and add technologies and protocols at an extremely fast rate. The ability to invent technology has seriously
outstripped the ability to secure it. Many of the technologies in use today simply have not received enough
(or any) security scrutiny.
There are many reasons why businesses are not spending the appropriate amount of time on security. Ulti-
mately, these reasons stem from an underlying problem in the software market. Because software is essen-
tially a black box, it is extremely difficult for a customer to tell the difference between good code and insecure
code. Without this visibility vendors are not encouraged to spend extra effort to produce secure code. Nev-
ertheless, information security experts frequently get pushback when they advocate for security code review,
with the following (unjustified) excuses for not putting more effort into security: