OWASP Code Review Guide


The current (July 2017) PDF version can be found here.

OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primary focus of this book has been divided into two main sections. Section one is the “why and how of code reviews” and section two focuses on the “types of vulnerabilities and how to identify throughout the review”. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations’ SDLC (Secure Development Life Cycle) that desires good secure code in production.

Chapters in the second section are mostly based on the popular OWASP 2013 top 10. Here you will find most of the code examples for both on “what not to do” and on “what to do”. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP, and Java or any other computer language. Now add in “Object-Oriented Programming” and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iffy” in what to write. We tried to keep the sample code so code reviewers can see red flags and not “do it my way or else”.

The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide complete.


OWASP Code Review Guide is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.