OWASP code Review checklist excel

Code Review Checklist [edit]

//www.guru99.com/asp-net-web-api-interview-questions.html

//www.fullstack.cafe/blog/asp-net-web-api-interview-questions

AdminLTE.Core[HAY HAY HAY]

//www.udemy.com/course/complete-aspnet-core-21-course/

Implementing CQRS Pattern with Vue.js & ASP.NET Core MVC

//www.codeproject.com/Articles/5262285/Implementing-CQRS-Pattern-with-Vue-js-ASP-NET-Core

//www.c-sharpcorner.com/article/implementing-cqrs-pattern-with-vue-js-asp-net-core-mvc/

Implementing CQRS Pattern with Vue.js & ASP.NET Core MVC

//codeload.github.com/ColorlibHQ/AdminLTE/zip/v2.4.18[HAY HAY HAY]

//github.com/moemura/AdminLTE.Core[HAY HAY HAY]

//github.com/moemura/AdminLTE.Core/releases/tag/2.0.1

//github.com/dotnet-express/AdminLTE-Starter-Kit/releases

//github.com/dotnet-express/AdminLTE-Starter-Kit/releases/tag/v0.8.0

//github.com/go2ismail/adminlte-aspnetcore2-version

//github.com/shehryarkn/Dynamic-User-Defined-Dashboards-Asp-Net-Core

//github.com/shehryarkn/Asp-net-Core-Project-with-Admin-Template-Setup

Code Review

Checklist://www.michaelagreiler.com/code-review-checklist/

Google://blog.fullstory.com/what-we-learned-from-google-code-reviews-arent-just-for-catching-bugs/

Microsoft://www.michaelagreiler.com/code-reviews-at-microsoft-how-to-code-review-at-a-large-software-company/

Code Guide

//www.cybersecuritycourses.com/course/dev544-secure-coding-in-net-developing-defensible-applications/[HAY HAY HAY]

//niccs.us-cert.gov/training/search/sans-institute/secure-coding-net-developing-defensible-applications[HAY HAY HAY]

Code Quality & Secure

1. Readability a.k.a. Understandability [Khả năng đọc hoặc Khả năng hiểu được]
2. Maintainability [Bảo trì]
3. Security [Bảo mật]
4. Speed and Performance [Tốc độ và hiệu suất]
5. Documentation [Tài liệu]
6. Reinventing the Wheel [Phát minh lại bánh xe]
7. Reliability [Độ tin cậy]
8. Scalability [Khả năng mở rộng]
9. Reusability [Tái sử dụng]
10. Patterns [Mẫu]
11. Test Coverage and Test Quality [Phạm vi kiểm tra và chất lượng kiểm tra]
12. Fit for Purpose [Phù hợp cho mục đích]

//www.enosecurity.com/training-tutorials-courses/secure-coding-in-asp-net-training/[Tranining]

Audience / Target Group:

• .NET Application Developers
• C# Programmers
• ASP.NET Developers
• Managers, Architects and Technologists involved in deploying .NET applications

Topics:

• General Web Application Security Concepts
• .NET Framework Security Features
• Input Validation & Encoding
• Input Driven Attacks
• Validation Best Practices
• Output Encoding
• Common Authentication Weaknesses
• Authorization Best Practices
• Controlling Application Access
• Password Security
• Session Hijacking & Trapping
• Protecting User Sessions & Tokens
• Canonicalization Problems
• Parameter Manipulation
• Encryption, Confidentiality & Data Protection
• Cookie-Based Attacks
• Protecting Application Variables
• Error Handling & Logging
• Attacking via Error Messages
• Secure Logging & Error Handling
• Server Configuration & Code Management
• Common App Server Misconfigurations
• Protecting Application Code
• XML Web Services
• Overview of WSDL, SOAP & AJAX Security
• Web Service Attacks
• AJAX Pitfalls
• Web Service Best Practices
• Application Threat Modeling
• Application Context
• Identifying Attacks, Vulnerabilities & Countermeasures
• Threat Modeling Tools
• Cache Control Issues
• SSL Best Practices

//forums.asp.net/t/1926690.aspx?Secure+Coding+best+practices+guideline

//download.microsoft.com/documents/uk/msdn/security/The Developer Highway Code.pdf

//www.evoketechnologies.com/blog/code-review-checklist-perform-effective-code-reviews/

//nyu-cds.github.io/effective-code-reviews/01-intro/

//nyu-cds.github.io/effective-code-reviews/02-best-practices/

//nyu-cds.github.io/effective-code-reviews/03-checklist/

Security Code Review

//www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf

RESTful API Lifecycle Management

//dzone.com/refcardz/restful-api-lifecycle-management

LINQ

//msdn.microsoft.com/en-us/library/bb308959.aspx

Code Review Checklist &Guidelines for CSharp Developers

//www.codeproject.com/Reference/593751/Code-Review-Checklist-and-Guidelines-for-Csharp-De

Code Review Guidelines

//www.codeproject.com/Articles/524235/Codeplusreviewplusguidelines

Assign Severity to Review Finding

The severity to find issues with code should go as below. Reviewer must focus on issues with High severity first and then to Medium severity and then Low severity issues.

1. Naming Conventions and Coding style = Low
2. Control Structures and Logical issues = Medium or High
3. Redundant Code = High
4. Performance Issues = High
5. Security Issues = High
6. Scalability Issues= High
7. Functional Issues =High
8. Error Handling = High
9. Reusability = Medium

//weblogs.asp.net/tgraham/44763

In my previous blog post, we discussed about 10 Simple Code Review Tips for Effective Code Reviews. Now, lets take this topic further and explore the code review checklist, which would help to perform effective code reviews to deliver best quality software.

This code review checklist also helps the code reviewers and software developers [during self code review] to gain expertise in the code review process, as these points are easy to remember and follow during the code review process.

Lets first begin with the basic code review checklist and later move on to the detailedcode review checklist.

BasicCode Review Checklist

Lets discuss aboutthe basic code review checklist, which can be very handy if you are a beginner in code reviews and/or during initial code reviews.

Whilereviewingthecode,askyourselfthefollowingbasicquestions:

1. AmIabletounderstandthecodeeasily?
2. Isthecodewrittenfollowingthecodingstandards/guidelines?
3. Isthesamecodeduplicatedmorethantwice?
4. CanIunit test/debugthecodeeasilytofindtherootcause?
5. Isthisfunctionorclasstoobig?Ifyes,isthefunctionorclasshavingtoomanyresponsibilities?

If you feel that the answer is not satisfactory to any of the above questions, then you can suggest/recommend code changes.

DetailedCodeReviewChecklist

The following code review checklist gives an idea about the various aspects you need to consider while reviewing the code:

1.Codeformatting

Whilegoingthroughthecode, check the code formatting to improve readability and ensure that there are no blockers:

a]Usealignments[leftmargin],properwhitespace. Also ensure that code block starting point and ending point areeasilyidentifiable.

b]Ensurethatpropernamingconventions[Pascal,CamelCase etc.]havebeenfollowed.

c] Code should fit in the standard 14 inch laptop screen. There shouldnt be a need to scroll horizontally to view the code. In a 21 inch monitor, other windows [toolbox, properties etc.] can be opened while modifying code, so always write code keeping in view a14 inch monitor.

d] Removethecommentedcodeasthisisalwaysablocker, while going through the code. Commented code can be obtained from Source Control[likeSVN], ifrequired.

2.Architecture

a]Thecode should follow thedefinedarchitecture.

1. SeparationofConcernsfollowed
   • Splitintomultiplelayersandtiersasperrequirements[Presentation,Business and Datalayers].
   • Splitintorespectivefiles[HTML,JavaScriptandCSS].

1. Codeisinsyncwithexistingcodepatterns/technologies.
2. Design patterns: Use appropriate design pattern [if it helps],after completely understanding the problem and context.

3.Codingbestpractices

1. Nohardcoding,useconstants/configurationvalues.
2. Groupsimilarvaluesunderanenumeration[enum].
3. Comments Do not write comments for what you are doing, instead write comments on why you are doing. Specify aboutany hacks, workaround and temporary fixes. Additionally, mention pending tasks in your to-do comments, which can be tracked easily.
4. Avoidmultipleif/elseblocks.
5. Useframeworkfeatures,whereverpossibleinsteadofwritingcustomcode.

4.NonFunctionalrequirements

a] Maintainability [Supportability] The application should require the least amount of effort to support in near future. It should be easy to identify and fix adefect.

1. Readability:Code should beself-explanatory.Get a feel of story reading, while going through the code. Use appropriate name for variables, functions and classes. If you are taking more time to understand the code, then either code needs refactoring or at least comments have to be written to make it clear.
2. Testability:The code should be easy to test. Refactor into a separate function [if required]. Use interfaces while talking to other layers, as interfaces can be mocked easily. Try to avoid static functions, singleton classes as these are not easily testable by mocks.
3. Debuggability:Provide support to log the flow of control, parameter data and exception details to find the root cause easily. If you are usingLog4Netlike component then add support for database logging also, as querying the log table is easy.
4. Configurability:Keeptheconfigurablevaluesin place[XMLfile,databasetable]sothatno code changesarerequired, if the data is changed frequently.

b]Reusability

1. DRY [Do not Repeat Yourself] principle: The same code should not be repeated more than twice.
2. Considerreusableservices,functionsandcomponents.
3. Considergenericfunctionsandclasses.

c]Reliability Exceptionhandlingandcleanup[dispose]resources.

d]Extensibility Easy to add enhancements with minimal changes to the existing code. One component shouldbe easily replaceable by a better component.

e]Security Authentication, authorization, input data validation against security threats such asSQL injectionsandCross Site Scripting[XSS], encrypting the sensitive data [passwords, credit card information etc.]

f]Performance

1. Useadatatypethatbestsuitstheneeds such as StringBuilder,genericcollectionclasses.
2. Lazyloading,asynchronousandparallelprocessing.
3. Cachingandsession/applicationdata.

g]Scalability Considerifitsupportsalargeuserbase/data?Canthisbedeployedintowebfarms?

h]Usability Put yourself in the shoes of aend-user and ascertain, ifthe user interface/API is easy to understand and use. If you are not convinced with the user interface design, then start discussing yourideas with the business analyst.

5.Object-OrientedAnalysisandDesign[OOAD]Principles

1. Single Responsibility Principle [SRS]:Do not placemore than one responsibility into a single class or function, refactor into separate classes and functions.
2. Open Closed Principle:While adding new functionality, existing code should not be modified.New functionality should be written in new classes and functions.
3. Liskov substitutability principle:The child class should not change the behavior [meaning] of the parent class. The child class can be used as a substitute for a base class.
4. Interface segregation:Do not create lengthy interfaces, instead split them into smaller interfaces based on the functionality. The interface should not contain any dependencies [parameters], which are not required for the expected functionality.
5. Dependency Injection:Do not hardcode the dependencies, instead inject them.

In most cases the principles are interrelated, following one principle automatically satisfies other principles. For e.g: if the Single Responsibility Principle is followed, then Reusability and Testability will automatically increase.

In a few cases, one requirement may contradict with other requirement. So need to trade-off based on the importance of the weight-age, e.g. Performance vsSecurity. Too many checks and logging at multiple layers [UI, Middle tier, Database] would decrease the performance of an application. But few applications, especially relating to finance and banking require multiple checks, audit logging etc. So it is ok to compromise a little on performance to provide enhanced security.

ToolsforCodeReviews

1. The first step while assessing the code quality of the entire project is through a static code analysis tool. Use the tools [based on technology] such asSonarQube,NDepend,FxCop, TFS code analysis rules. There is a myth that static code analysis tools are only for managers.
2. Use plug-ins such asResharper, which suggests the best practices in Visual studio.
3. To track the code review comments use the tools likeCrucible,Bitbucketand TFS code review process.

Conclusion

The above code review checklist is not exhaustive, but provides adirection to the code reviewer to conduct effective code reviews anddeliver good quality code. Initially, it would take some time to review the code from various aspects. After a bit of practice, code reviewers can performeffective code reviews, without much effort and time. If you would like to become an expert code reviewer, this code review checklist serves as a greatstarting point.Happy Code Reviewing!

Video liên quan