
Author: Akinosida Kazratilar
Country: Dominican Republic
Language: English (Spanish)
Published (Last): 9 January 2014
PDF File Size: 13.71 Mb
ePub File Size: 14.88 Mb
Price: Free* [*Free Registration Required]


Did you know that OWASP maintains a project designed to help you learn how to perform source code security reviews? This guide begins with considerable information on what a code security review actually is and on how to scope it.

It also covers how to couple these code security reviews with online penetration tests, and it includes a methodology for integrating code security reviews into your SDLC. OWASP built this guide to align with the Top 10 web application security risks. For each item in the Top Ten, the code review guide includes specific code snippets that demonstrate how those flaws might appear in your source code.

More importantly, the guide shows instructors what to review and how to validate that the code is resistant to certain attacks. The guide also includes detailed references for further reading. The code review guide focuses on offline application security testing activities, while the testing guide shifts that focus to online testing.

Using both resources in tandem will have a huge positive impact on your application security testing activities. I cover the testing guide in detail in my online application security testing course. But for now, know that you should consider both guides to be integral to your application security program. One of the reasons I think so highly of the code review guide is that it brings topics like maturity and risk into your application security conversations.

The project team understands the importance of applying risk-based intelligence to code security reviews in order to get the most Combining that intelligence with threat modeling, you can build a core set of tests that are more likely to reflect actual attacks your application could experience once it goes live. It's also critical for developers and security testers alike to understand how external business drivers impact code security review activities.

The guide was written with three specific audiences in mind. It was written for management teams who won't be doing the actual testing, but still need some understanding of what testing will be performed and why it's important. It was also written for software leads who need to understand the relationship between code reviews and code security reviews.

Most importantly, it was written for the secure code reviewer who's going to be doing most, if not all, of the hands-on work. By writing this guide with all three audiences in mind, the project team created a resource that brings these three groups together, increasing the likelihood that the resulting processes will find adoption across the entire organization.

The guide goes into detail regarding a number of factors to consider when developing your internal code security review processes. The alignment with the Top Ten risks is obviously core to the guide, but it also provides both purpose and context to help everyone involved develop a better understanding of why we're performing code security reviews in the first place.

OWASP urges testers to consider the number of lines of code in scope for your reviews as well. Larger, more complex programs are more likely to be exposed to security flaws, and you'll need to determine how in-depth your code security reviews can be.

If you don't have time or resources to perform the level of review that you feel is necessary, you'll likely want to compensate with additional scrutiny during your online testing. As we discussed earlier, knowing which programming languages are in play is crucial.

The guide also urges you to consider available resources, the time those resources can allocate to testing, and the deadlines that are going to influence your testing activities. If you've done any threat modeling in the past, chances are you're somewhat familiar with one or both of these models.

It focuses on six potential threats: spoofing a user's identity, tampering with the integrity of the application, repudiation, information disclosure, denial of service attacks, and elevation of privilege. By considering these six threat types when assessing your source code, it helps your testers focus their efforts on risks to confidentiality, integrity, availability, and so on.

This model relies on five threat categories to determine which threats represent the greatest risk to an application. Damage: if an attack was successful, how bad would it be? Reproducibility: once one person figures out how to execute the attack, how hard would it be for them or others to repeat it?

Exploitability: how hard is it to actually execute the attack? Affected users: how many people would be impacted by a successful attack? And discoverability: how simple is it for an attacker to find this threat? OWASP suggests that testers might use this threat model to assign a more traditional score using the "risk equals likelihood times impact" equation. When building out a code security review process, you personally run the risk of being overwhelmed by the scope of the effort and by the imbalance between potential threats and available security resources.
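The two models the transcript describes (the six-threat model commonly known as STRIDE and the five-category model commonly known as DREAD) can be turned into a small scoring helper that ranks review findings so limited reviewer time goes to the highest-risk ones first. The following is an added example, not code from the course or from the OWASP Code Review Guide. It assumes a 1-to-10 scale for each DREAD factor, maps Reproducibility, Exploitability and Discoverability to likelihood and Damage and Affected users to impact, and uses illustrative High/Medium/Low thresholds; the sample threats and their scores are constructed.

```python
# Added example (not from the course or the OWASP Code Review Guide): score
# candidate threats with the five DREAD factors and map them onto the
# "risk = likelihood x impact" form the transcript mentions.
# Assumptions: each factor is scored 1..10; Reproducibility, Exploitability and
# Discoverability feed likelihood, Damage and Affected users feed impact; the
# High/Medium/Low bands are illustrative thresholds, not OWASP's.
from __future__ import annotations

from dataclasses import dataclass

# The six threat types of the first model (STRIDE).
STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information disclosure", "Denial of service", "Elevation of privilege",
)


@dataclass(frozen=True)
class Threat:
    name: str
    category: str          # one of STRIDE
    damage: int            # D: how bad is a successful attack?
    reproducibility: int   # R: how easily can it be repeated?
    exploitability: int    # E: how hard is it to execute?
    affected_users: int    # A: how many people are impacted?
    discoverability: int   # D: how simple is it to find?

    def __post_init__(self) -> None:
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category!r}")
        for value in self.factors():
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: DREAD factors must be 1..10")

    def factors(self) -> tuple[int, ...]:
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread_score(self) -> float:
        """Plain DREAD rating: the average of the five factors (1..10)."""
        return sum(self.factors()) / 5

    def likelihood(self) -> float:
        """Assumed mapping: R, E and Discoverability describe how likely an attack is."""
        return (self.reproducibility + self.exploitability + self.discoverability) / 3

    def impact(self) -> float:
        """Assumed mapping: Damage and Affected users describe how bad it would be."""
        return (self.damage + self.affected_users) / 2

    def risk(self) -> float:
        """risk = likelihood x impact, on a 1..100 scale."""
        return self.likelihood() * self.impact()


def risk_band(risk: float) -> str:
    """Illustrative thresholds (assumption) for turning a risk number into a band."""
    if risk >= 50:
        return "High"
    if risk >= 20:
        return "Medium"
    return "Low"


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Highest risk first, so reviewers know where to spend limited review time."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


# Constructed sample findings from a hypothetical review; the scores are made up.
SAMPLE_THREATS = [
    Threat("SQL injection in login form", "Tampering", 9, 8, 7, 9, 8),
    Threat("No audit log for admin actions", "Repudiation", 4, 10, 9, 3, 5),
    Threat("Stack trace shown on error page", "Information disclosure", 3, 10, 10, 5, 9),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.risk():6.1f} {risk_band(t.risk()):6} DREAD={t.dread_score():.1f} "
              f"[{t.category}] {t.name}")
```

The plain DREAD average and the likelihood-times-impact product do not always agree on ordering: the verbose error page has a higher likelihood than the missing audit log but both land well below the injection flaw, which is the point of the exercise when review time is the scarce resource the transcript describes.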

Download the guide and build it into your process. You'll be hard pressed to find a better resource for this purpose.


Author: Jerod Brennen. This course identifies tools and techniques that developers can use to minimize the cost and impact of security testing—while maximizing its impact and effectiveness. In this course, instructor Jerod Brennen focuses on offline testing activities: preparing test plans, policies, and other documentation and conducting offline source code reviews.

Along the way, you can become familiar with best practices around security in the SDLC. The hands-on sections—with demos of popular tools such as Codacy and SonarQube—prepare you to apply the lessons in the real world. Skill Level: Intermediate.

Course contents:

  The importance of offline testing (1m 4s)
  What you should know (1m 17s)

Leading Practices
  Security in the SDLC (3m 45s)
  Development methodologies (5m 10s)
  Programming languages (3m 19s)
  Security frameworks (6m 10s)
  Top 25 Software Errors (5m 1s)
  BSIMM (6m 31s)
  Building your test lab (4m 4s)
  Preparing your checklist (3m 21s)

Security Documentation
  Internal project plans (5m 39s)
  Communication planning (4m 41s)
  Change control policy (5m 26s)
  Security incident response policy (4m 47s)
  Logging and monitoring policy (5m 22s)
  Third-party agreements (7m 10s)

Source Code Security Reviews
  Challenges of assessing source code (5m 47s)
  Bytecode scanners (4m 37s)
  Binary code scanners (6m 13s)
  Code review models (7m 55s)
  Application threat modeling (4m 42s)
  Code review metrics (5m 48s)
  Demo: Codacy (4m 29s)
  Demo: SonarQube (6m 33s)
  A1: Injection (6m 48s)
  A2: Broken authentication (6m 51s)


OWASP Code Review Guide V2

We plan to release the final version in Aug. The OWASP Code Review Guide is a technical book written for those responsible for code reviews: management, developers, and security professionals. The primary focus of this book is divided into two main sections. Section one covers the why and how of code reviews, and section two is devoted to what vulnerabilities to look for during a manual code review.
