list of code review resources and tools
- Axolo GitHub/GitLab Slack integration. Creates one ephemeral channel per pull request or merge request.
- Crucible Atlassian's on-premise code review tool.
- Gitpod Code review pull requests in a full IDE within your browser.
- LGTM Automated code review for GitHub and Bitbucket pull requests that finds security vulnerabilities and code quality issues.
- Phabricator Open source git/mercurial/svn code review tool originating out of Facebook.
- PullRequest Code review as a service for GitHub pull requests.
- Reviewable Code review tool built on top of GitHub pull requests.
- Review Board Open source review tool that is SCM/platform neutral.
- Sider Automated code review service for GitHub.
- SonarCloud Detect code smells, bugs and vulnerabilities in Azure DevOps, Bitbucket and GitHub repositories.
- Upsource JetBrains' on-premise git/mercurial/perforce/svn code review tool.
- Viezly Code review service with pull request visualization and enhanced navigation between changes.
- OWASP's Secure Coding Dojo Example
- Secure Code Warrior (paid service with free trial)
- What security vulnerabilities is this code susceptible to?
- Are authorization and authentication handled in the right way?
- Is (user) input validated, sanitized, and escaped to prevent cross-site scripting, or SQL injection?
- Is sensitive data like user data, or credit card information securely handled and stored?
- Does this code NOT reveal some secret information like keys, passwords, or usernames?
- Is data retrieved from external APIs or libraries validated before it is used?
- Does error handling or logging NOT expose the system to vulnerabilities?
- Is appropriate encryption used (current algorithms, correct modes, adequate key sizes)?
- Are inputs from external sources validated?
- Is user input checked for type, length, format, and range, with limits enforced?
- Are flaws in regular expressions causing data validation problems?
- Are exact-match comparisons used where the set of valid values is known?
- Are allow list approaches used (i.e., accept strings only when they match expected values)?
- Are block list approaches (i.e., rejecting strings that contain known-bad values) used only as a supplement to allow lists, never as the sole control?
- Are XML documents validated against their schemas?
- Is user input NOT combined with commands or queries by string concatenation?
- Are SQL statements NOT dynamically created by using user input?
- Is data validated on the server side?
- Is there a strong separation between data and commands, and data and client-side scripts?
- Is contextual escaping used when passing data to SQL, LDAP, OS and third-party commands?
- Are HTTP headers validated for each request?
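A worked example of the input validation questions above (allow lists, exact matching, regular expression flaws, and SQL built by concatenation versus bound parameters). This is an added illustration, not code from any of the tools or projects listed on this page. It uses only Python's standard library; the `users` table, the allow list of sort columns, the username rule (3 to 32 lowercase letters, digits or underscores) and the page-size limits are constructed for the example:

```python
import re
import sqlite3


# Constructed sample data for the example: an in-memory table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the statement by string concatenation: the input is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Data stays separate from the command: the driver binds the value."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (column names) cannot be bound as parameters, so an exact-match
# allow list is the right control before one is interpolated into a statement.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    return conn.execute(f"SELECT name, role FROM users ORDER BY {sort_by}").fetchall()


# Three regular expressions for the same rule; only the last validates the whole string.
UNANCHORED = re.compile(r"[a-z0-9_]+")              # matches any substring: accepts "' OR '1'='1"
DOLLAR_ANCHORED = re.compile(r"^[a-z0-9_]{3,32}$")  # '$' also matches before a trailing newline
STRICT = re.compile(r"\A[a-z0-9_]{3,32}\Z")         # \A..\Z covers the entire string


def is_valid_username(name, pattern=STRICT):
    """Type, length and format check: anything that is not a str is rejected."""
    return isinstance(name, str) and pattern.search(name) is not None


def parse_page_size(raw, lo=1, hi=100):
    """Range check for a numeric query parameter: returns an int or raises ValueError."""
    if not isinstance(raw, str) or not re.fullmatch(r"\d{1,3}", raw):
        raise ValueError("page size must be 1 to 3 digits")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"page size out of range {lo}-{hi}")
    return value


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))        # every row comes back
    print("parameterized:", find_user_parameterized(conn, payload))  # nothing matches
    print("unanchored regex accepts payload:", is_valid_username(payload, UNANCHORED))
    print("strict regex accepts payload:", is_valid_username(payload, STRICT))
```

The regex comparison is the part reviewers most often miss: an unanchored pattern is a substring search, and a `$` anchor still lets a trailing newline through, so only `\A`/`\Z` (or `re.fullmatch`) gives the exact match the checklist asks for.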
- Are sessions handled correctly?
- Do failure messages for invalid usernames or passwords NOT leak information?
- Are invalid passwords NOT logged (which can leak sensitive password & user name combinations)?
- Are the password requirements (lengths/complexity) appropriate?
- Are invalid login attempts correctly handled with lockouts, and rate limits?
- Does the "forgot password" routine NOT leak information (e.g., whether an account exists), and is it rate limited against abuse?
- Are passwords NOT sent in plain text via email?
- Are passwords stored only as salted hashes from a dedicated password hashing function, never in plain text or reversibly encrypted?
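A worked example of the authentication questions above (salted password hashing, a failure message that does not reveal whether the username exists, lockout after repeated failures, and a log that never records the submitted password). This is an added illustration, not code from any project on this page. It uses PBKDF2-HMAC-SHA256 from Python's standard library because it needs no extra dependency; Argon2 or bcrypt via a third-party library are the usual production choices. The iteration count, the lockout threshold and the message texts are assumptions made for the example:

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 with a per-user random salt. The iteration count is an
# assumption for the example; tune it to your hardware and current guidance.
ITERATIONS = 600_000


def hash_password(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison: the position of a mismatch must not show in timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)


MAX_FAILURES = 5
FAILURE_MESSAGE = "Invalid username or password"  # identical whether or not the user exists
LOCKED_MESSAGE = "Too many failed attempts; try again later"


class Authenticator:
    def __init__(self, users):
        self.users = dict(users)   # username -> stored salted hash
        self.failures = {}         # submitted username (existing or not) -> consecutive failures
        self.audit = []            # constructed in-memory audit trail for the example
        # A dummy hash so an unknown username costs the same time as a real one.
        self._dummy = hash_password(os.urandom(16).hex())

    def login(self, username, password):
        if self.failures.get(username, 0) >= MAX_FAILURES:
            # Lockout is keyed on the submitted name, so it does not reveal whether the account exists.
            self.audit.append({"event": "login_locked", "user": username})
            return False, LOCKED_MESSAGE
        stored = self.users.get(username, self._dummy)
        ok = verify_password(stored, password) and username in self.users
        if not ok:
            self.failures[username] = self.failures.get(username, 0) + 1
            # Record the failure and the username, never the submitted password.
            self.audit.append({"event": "login_failed", "user": username,
                               "failures": self.failures[username]})
            return False, FAILURE_MESSAGE
        self.failures.pop(username, None)
        self.audit.append({"event": "login_ok", "user": username})
        return True, "ok"
```

The dummy hash is the detail worth checking for in review: if the code returns early for an unknown username, the response time alone tells an attacker which usernames exist, even when the message text is identical.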
- Are authentication and authorization the first logic executed for each request?
- Are authorization checks granular (page and directory level)?
- Is access to pages and data denied by default?
- Is re-authentication enforced for requests that have side effects?
- Are there clear roles for authorization?
- Can authorization NOT be circumvented by parameter or cookie manipulation?
- Are session parameters NOT passed in URLs?
- Do session cookies expire in a reasonably short time?
- Are session cookies protected (Secure and HttpOnly attributes set, and encrypted or signed if they carry data)?
- Is session data being validated?
- Is private data in cookies kept to a minimum?
- Does the application avoid excessive cookie use?
- Is the session id complex?
- Is the session storage secure?
- Does the application properly handle invalid session ids?
- Are session limits (e.g., inactivity and absolute timeouts) enforced?
- Are logouts invalidating the session?
- Are session resources released when sessions are invalidated?
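A worked example covering both the authorization and the session management questions above: a random server-side session id, inactivity and absolute timeouts, logout that invalidates and releases the session, a cookie that carries only the id, and a deny-by-default authorization check whose role comes from the server, so a client-supplied `role` cookie or parameter changes nothing. This is an added illustration, not code from any project on this page. The timeout values, the role-to-action table and the injectable clock are assumptions made for the example:

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity (assumed value)

PERMISSIONS = {               # role -> allowed actions; anything not listed is denied
    "admin": {"view_report", "delete_user"},
    "user": {"view_report"},
}


class SessionStore:
    """Server-side session state keyed by a random id; the client holds only the id."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so the timeouts can be exercised without waiting

    def create(self, user, role):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable or sequential
        now = self._clock()
        self._sessions[sid] = {"user": user, "role": role, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Returns the session or None; unknown, expired and malformed ids are treated alike."""
        entry = self._sessions.get(sid) if isinstance(sid, str) else None
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT or now - entry["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)   # expired: release the server-side resources too
            return None
        entry["last_seen"] = now
        return entry

    def invalidate(self, sid):
        self._sessions.pop(sid, None)   # logout: a replayed id is useless afterwards


def session_cookie(sid):
    """Set-Cookie value: the id travels only in a cookie, never in a URL."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def authorize(store, cookies, action):
    """Deny by default. The role is read from the server-side session, so a
    client-supplied 'role' cookie or parameter has no effect."""
    session = store.get(cookies.get("sid"))
    if session is None:
        return False
    return action in PERMISSIONS.get(session["role"], set())
```

Two checklist items fall out of the structure rather than from explicit code: the client never sees the role, so parameter or cookie manipulation cannot escalate it, and any action that is not in the table is denied even for an administrator.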
- Are current, standard encryption algorithms used (e.g., those approved for FIPS 140-validated modules) rather than custom or obsolete ones?
- Are minimum key sizes enforced?
- What types of data must be encrypted?
- Has sensitive data been secured in memory, storage and transit?
- Do restricted areas require TLS?
- Is sensitive information passed to/from pages that are not served over TLS?
- Do all methods handle exceptions appropriately?
- Do error messages shown to users NOT reveal sensitive information including stack traces, or ids?
- Does the application fail securely when exceptions occur?
- Are system errors NOT shown to users?
- Are resources released and transactions rolled back when there is an error?
- Are all user or system actions logged?
- Do we make sure that sensitive information is NOT logged (e.g. passwords)?
- Do we make sure we have logs for all important user management events (e.g. password reset)?
- Are unusual activities such as multiple login attempts logged?
- Do logs have enough detail to reconstruct events for audit purposes?
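A worked example serving both the error handling and the logging questions above: a handler that commits only when every step succeeds and rolls back otherwise, returns a generic message plus an event id instead of a stack trace, keeps the full trace in the server-side log, and redacts sensitive fields before they reach the log. This is an added illustration, not code from any project on this page. The `orders` table, the list of sensitive field names and the in-memory log handler are constructed for the example:

```python
import logging
import sqlite3
import traceback
import uuid

SENSITIVE_FIELDS = {"password", "token", "card_number"}   # assumed list for the example


class ListHandler(logging.Handler):
    """Collects records in memory so the example can inspect them."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


log = logging.getLogger("app.audit")
log.setLevel(logging.INFO)
log.propagate = False
handler = ListHandler()
log.addHandler(handler)


def redact(fields):
    """Secrets never reach the log, on the success path or the error path."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in fields.items()}


def audit(event, **fields):
    log.info("%s %s", event, redact(fields))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (user TEXT, amount INTEGER, card_last4 TEXT)")
    conn.commit()
    return conn


def place_order(conn, request):
    """Returns (status, body). Commits only if every step succeeds; otherwise rolls
    back and fails closed with a generic message the client can quote to support."""
    event_id = uuid.uuid4().hex
    try:
        with conn:   # commit on normal exit, rollback on exception
            card = request["card_number"]
            conn.execute("INSERT INTO orders (user, amount, card_last4) VALUES (?, ?, ?)",
                         (request["user"], request["amount"], card[-4:]))   # keep only what is needed
            audit("order_placed", event_id=event_id, user=request["user"],
                  ip=request["ip"], amount=request["amount"])
        return 200, {"status": "ok", "event_id": event_id}
    except Exception as exc:
        # Full detail, correlated by event id, goes to the server-side log only.
        audit("order_failed", event_id=event_id, user=request.get("user"),
              ip=request.get("ip"), card_number=request.get("card_number"),
              error=type(exc).__name__, trace=traceback.format_exc())
        return 500, {"status": "error", "event_id": event_id}


def log_lines():
    """The formatted log messages, as an operator or auditor would see them."""
    return [handler.format(r) for r in handler.records]
```

A request missing the `ip` field fails after the INSERT has run, which is exactly the case the "rolled back on error" question is about: the row must not survive, and the client must learn nothing beyond the event id.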
- Vulnerable Task Manager (vtm): vulnerable task manager in Python/Django, solutions not available.
- OWASP WebGoat: vulnerable web application with a Java backend, solutions available.
- Damn Vulnerable iOS App 1: vulnerable iOS app written in Objective-C, solutions available.
- Damn Vulnerable iOS App 2: vulnerable iOS app written in Swift, solutions available.
- OWASP's Source Code Analysis Tools
- A curated list of static analysis tools and config files (GitHub)
- Static Application Security Testing Suites used in GitLab's CI/CD
- grepmarx - A source code static analysis platform for AppSec enthusiasts
- Joern - Generate queryable code property graphs
- Sourcetrail - open-source interactive source explorer