Does anyone have a good checklist to use when doing a security code review? The majority of the focus will be on C# code with some TSql sprocs reviewed as well.
+5
A:
Microsoft has a .net security code review checklist here: Improving Web Application Security: Threats and Countermeasures : Code Review
The contents list looks like this:
- Performing Text Searches
- Cross-Site Scripting (XSS)
- SQL Injection
- Buffer Overflows
- Managed Code
- Code Access Security
- Unmanaged Code
- ASP.NET Pages and Controls
- Web Services
- Serviced Components
- Remoting
- Data Access Code
which seems like a decent start. 8-)
RichieHindle
2009-08-12 17:38:18
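The first item in that Microsoft checklist, "Performing Text Searches", is the part of a review that can be partly automated: grep the code base for patterns a reviewer must look at by hand. The script below is an added illustration, not part of the answer or of Microsoft's checklist; it runs three such searches (concatenated SQL in C#, raw request data echoed to the response, dynamic SQL built with EXEC in T-SQL) over constructed C# and T-SQL fragments. The sample lines, check ids and regexes are assumptions made up for the example, and a hit is a review prompt, not a confirmed vulnerability.

```python
import re

# Constructed C# and T-SQL fragments standing in for a code base under review.
SAMPLE_FILES = {
    "Orders.cs": [
        'var cmd = new SqlCommand("SELECT * FROM Orders WHERE Id = " + Request["id"], conn);',
        'cmd.Parameters.AddWithValue("@id", orderId);',
        'Response.Write(Request.QueryString["name"]);',
        'Response.Write(HttpUtility.HtmlEncode(name));',
    ],
    "GetOrder.sql": [
        "EXEC('SELECT * FROM Orders WHERE Id = ' + @id)",
        "EXEC sp_executesql @sql, N'@id int', @id",
    ],
}

# Each check: (hypothetical id, file extension it applies to, pattern, what the reviewer should verify).
CHECKS = [
    ("SQLI-CS", ".cs",
     re.compile(r'new\s+SqlCommand\s*\(.*"\s*\+'),
     "SQL text built by string concatenation; expect SqlParameter use instead"),
    ("XSS-CS", ".cs",
     re.compile(r'Response\.Write\s*\(\s*Request[\.\[]'),
     "request data written to the response unencoded; expect HtmlEncode or a control"),
    ("SQLI-TSQL", ".sql",
     re.compile(r"EXEC\s*\(\s*'[^']*'\s*\+", re.IGNORECASE),
     "dynamic SQL via EXEC with concatenation; expect sp_executesql with parameters"),
]


def scan(files):
    """Return (check_id, file, line_number, note) for every line matching a check.

    Lines that already use the safe form (parameters, HtmlEncode, sp_executesql)
    do not match, so the list is a starting point for manual review.
    """
    findings = []
    for name, lines in files.items():
        for lineno, line in enumerate(lines, 1):
            for check_id, ext, pattern, note in CHECKS:
                if name.endswith(ext) and pattern.search(line):
                    findings.append((check_id, name, lineno, note))
    return findings


if __name__ == "__main__":
    for check_id, name, lineno, note in scan(SAMPLE_FILES):
        print(f"{name}:{lineno} [{check_id}] {note}")
```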
+4
A:
The OWASP top ten is a good start for developing a security checklist*:
- Cross Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
* for web applications
Gavin Miller
2009-08-12 17:47:34