OWASP代码审计指南v2.0：安全编码审查核心内容

版权申诉

文档资料

5 浏览量更新于2024-07-04 收藏 1.07MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"OWASP(Open Web Application Security Project)代码审计指南v2.0是英文版的一份专业文档，旨在帮助开发者和安全专家进行安全的代码审查，提高软件的安全性。该指南由Larry Conklin和Gary Robinson领导的OWASP项目团队发布，遵循Creative Commons Attribution的自由许可协议。" OWASP代码审计指南主要涵盖了以下几个关键知识点： 1. **代码审查的前言与介绍**： - 提供了关于如何使用这份代码审查指南的指导，包括其目的和适用场景。 - 强调了代码审查在保障软件安全中的重要性。 2. **安全代码审查**： - 探讨了为什么代码会出现漏洞，通常是因为设计、实现或配置错误。 - 定义了安全代码审查的概念，即对源代码进行分析，识别并修复潜在的安全问题。 - 区分了代码审查和安全代码审查的区别，后者更侧重于发现和修复安全漏洞。 - 讨论了确定安全代码审查范围的方法，考虑了项目规模、风险等因素。 - 指出不能仅仅依赖渗透测试来确保安全性，因为代码审查提供了更深入的视角。 - 提出了将代码审查与渗透测试结合使用的好处，两者互补，可以更全面地评估安全性。 - 阐述了代码审查对开发实践的隐性益处，如提高代码质量和团队意识。 3. **技术层面的代码审查**： - 详细介绍了安全代码审查的技术方面，包括使用工具、方法和策略。 - 探讨了代码审查与法规遵从性的关系，强调了在受监管行业中进行审查的必要性。 4. **框架特定配置**： - 文档提供了针对特定框架（如Jetty、JBoss AS、Oracle WebLogic）的安全配置指南。 - 对于JEE（Java企业版）和Microsoft IIS，分别提供了程序化配置和框架特定配置的建议。 5. **审查方法学**： - 列出了在构建代码审查流程时需要考虑的因素，如审查类型、团队组成、审查工具等。 - 讨论了如何将代码审查集成到现有的开发流程中，以实现持续改进。这份指南提供了全面而深入的代码审查实践指南，对于任何希望提升软件安全性的开发团队都是一份宝贵的资源。通过遵循这些最佳实践，开发者可以更好地预防和减少软件中的安全漏洞，从而保护用户数据和系统安全。

资源详情

资源推荐

It should be noted that no one method will be able to identify all vulnerabilities that a software project might

encounter, however a defense-in-depth approach will reduce the risk of unknown issues being including in

production software. Tables 1 through 3 compare the various methods of identifying vulnerabilities for dif-

ferent scenarios.

Table 1 compares the methods abilities to cover high level topics, such are general vulnerabilities, privacy,

compliance, etc.

Table 2 compares them against the SANS/CWE Top 25 list of vulnerabilities, where Table 2 does the same for

the OWASP Top 10 risks, these tables assume a common functionality suite of code scanning and penetration

testing tools, whilst also assuming that the persons conducting the secure code review have the knowledge

and skills to discover the vulnerabilities listed. In these tables the following key applies:

• Good/Green: method has a good chance of nding the vulnerability

• Some/Yellow: method has a chance of nding some of the vulnerability but would not be considered a good choice

• X/None/White: method has little or no chance of nding the listed vulnerability

VULNERABILITIES

PRIVACY

BUSINESS LOGIC

COMPLIANCE

AVAILABILITY

CODE

SCAN

AUTOMATED

SCAN

COMPARISON OF

EVALUATION TECH-

NIQUES AGAINST HIGH

LEVEL BUSINESS AND

APPLICATION TOPICS

MANUAL

PENETRATION

TEST

MANUAL

CODE

REVIEW

Secure Code Review

2.6 Coupling Source Code Review and Penetration Testing

The term “360 review” refers to an approach in which the results of a source code review are used to plan and

execute a penetration test, and the results of the penetration test are, in turn, used to inform additional source

code review.

Knowing the internal code structure from the code review, and using that knowledge to form test cases and abuse

cases is known as white box testing (also called clear box and glass box testing). This approach can lead to a more pro-

ductive penetration test, since testing can be focused on suspected or even known vulnerabilities. Using knowledge

of the specic frameworks, libraries and languages used in the web application, the penetration test can concentrate

on weaknesses known to exist in those frameworks, libraries and languages.

A white box penetration test can also be used to establish the actual risk posed by a vulnerability discovered through

code review. A vulnerability found during code review may turn out not to be exploitable during penetration test due

to the code reviewer(s) not considering a protective measure (input validation, for instance). While the vulnerability in

this case is real, the actual risk may be lower due to the lack of exposure. However there is still an advantage to adding

the penetration test encase the protective measure is changed in the future and therefore exposes the vulnerability.

While vulnerabilities exploited during a white box penetration test (based on secure code review) are certainly real,

the actual risk of these vulnerabilities should be carefully analyzed. It is unrealistic that an attacker would be given

access to the target web application’s source code and advice from its developers. Thus, the risk that an outside at-

tacker could exploit the vulnerabilities found by the white box penetration tester is probably lower. However, if the

web application organization is concerned with the risk of attackers with inside knowledge (former employees or

collusion with current employees or contractors), the real-world risk may be just as high.

The results of the penetration test can then be used to target additional areas for code review. Besides addressing the

par-ticular vulnerability exploited in the test, it is a good practice to look for additional places where that same class of

vulnerability is present, even if not explicitly exploited in test. For instance, if output encoding is not used in one area

of the application and the penetration test exploited that, it is quite possible that output encoding is also not used

elsewhere in the application.

Secure Code Review

CODE

REVIEW

SUSPECTED KNOWN

VULNERABILITIES

EXPLOITED

VULNERABILITIES

PENETRATION

TEST

FIGURE

2.0

2.7 Implicit Advantages of Code Review to Development Practices

Integrating code review into a company’s development processes can have many benets which will depend

upon the processes and tools used to perform code reviews, how well that data is backed up, and how those

tools are used. The days of bringing developers into a room and displaying code on a projector, whilst record-

ing the review results on a printed copy are long gone, today many tools exist to make code review more

ecient and to track the review records and decisions. When the code review process is structured correctly,

the act of reviewing code can be ecient and provide educational, auditable and historical benets to any

organization. This section provides a list of benets that a code review procedure can add to development

organization.

Provides an historical record

If any developer has joined a company, or moved teams within a company, and had to maintain or enhance a

piece of code written years ago, one of the biggest frustrations can be the lack of context the new developer

has on the old code. Various schools of opinion exist on code documentation, both within the code (com-

ments) and external to the code (design and functional documents, wikis, etc.). Opinions range from zero-doc-

umentation tolerance through to near-NASA level documentation, where the size of the documentation far

exceeds the size of the code module.

Many of the discussions that occur during a code review, if recorded, would provide valuable information

(context) to module maintainers and new programmers. From the writer describing the module along with

some of their design decisions, to each reviewers comments, stating why they think one SQL query should be

restructured, or an algorithm changed, there is a development story unfolding in front of the reviewers eyes

which can be used by future coders on the module, who are not involved in the review meetings.

Capturing those review discussions in a review tool automatically and storing them for future reference will

provide the development organization with a history of the changes on the module which can be queried at a

later time by new developers. These discussions can also contain links to any architectural/functional/design/

test specications, bug or enhancement numbers.

Verication that the change has been tested

When a developer is about to submit code into the repository, how does the company know they have su-

ciently tested it? Adding a description of the tests they have run (manually or automated) against the changed

code can give reviewers (and management) condence that the change will work and not cause any regres-

sions. Also by declaring the tests the writer has ran against their change, the author is allowing reviewers to

review the tests and suggest further testing that may have been missed by the author.

In a development scenario where automated unit or component testing exists, the coding guidelines can

require that the developer include those unit/component tests in the code review. This again allows reviewers

within this environment to ensure the correct unit/component tests are going to be included in the environ-

ment, keeping the quality of the continuous integration cycles.

Coding education for junior developers

After an employee learns the basics of a language and read a few of the best practices book, how can they get

good on-the-job skills to learn more? Besides buddy coding (which rarely happens and is never cost eective)

and training sessions (brown bag sessions on coding, tech talks, etc.) the design and code decisions discussed

during a code review can be a learning experience for junior developers. Many experienced developers admit

to this being a two way street, where new developers can come in with new ideas or tricks that the older de-

velopers can learn from. Altogether this cross pollination of experience and ideas can only be benecial to a

development organization.

Secure Code Review

剩余222页未读，继续阅读

数研基站

粉丝: 14
资源: 97

OWASP代码审计指南v2.0：安全编码审查核心内容

OWASP代码审计指南v2.0（含中英文2个版本）.zip

OWASP_Top_10_2017_中文版v1.3.pdf

owasp testing guide v4 中文版.pdf

请访问CWE官网（ http://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html ）和OWASP官网（https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ），比较分析CWE Top25和OWASP Top10对漏洞的划分有什么不同？

owasp-top10-2021 最新中文版v1.0.pdf下载

如何触发modsecurity_crs_41_xss_attacks.conf

owasp_broken_web_apps_vm_1.2

OWASP Broken Web Apps v0.94

Cannot invoke "org.owasp.validator.html.InternalPolicy.getMaxInputSize()" because "this.policy" is null

Caused by: java.lang.ClassNotFoundException: com.huawei.org.owasp.esapi.errors.Encrypt*****#*#*****

owasp_testing_guide

OWASP ZAP下载安装

kali下载owasp速度慢

owasp zap中文显示乱码

什么是代码审计，代码审计有哪些类别？详细介绍一下并给出java 代码案例

owasp漏洞扫描工具

OWASP ZAP下载

owasp zap安装

owasp zap下载

最新资源