1、berfore we talking abnout the Source Code review,here's what we want to know about the most popular programming langurages .

  • Web application development :Java C#  NET and PHP
  • Drivers and handware C C#   and assembly language
  • Reverse engineering : Assembly langurage
  • Database : Structured Query LangurageSQL
  • Scripting lanurage: Python Perl and Ruby

2、Secure coding cheklist

  • Authentication and credentials must use TLS and not HTTP cleartext
  • Authentication must be enforced on all page ,except the ones intended to the public
  • the erroe messages pages should not lead to information-gathering disclosure
  • Authenticication logic must be validated on the server
  • Authentication passwords must be saved uner secure hashing algorithms and salting is perferable
  • The password's hashing logic must be on the server side
  • Session must be managed on the server side
  • Session idetifier must be random
  • Any cryptographic functionality to protect data shold be implemented on the server side
  • All data validation must be performed on the server side
  • Encode data before validation
  • All validation failures should be rejected in a custom error message
  • Conduct all the encoding logic on the server side
  • Sanitize all the output of understed data foe SQl ,XML LDAP and operating system commands
  • Do not disclose sensitive information in the error messages, including debuffing information such as stack track
  • Use custom reeor messages and error pages
  • Temporary sensitive data must be stored in a secure location ,and those itmes must be purged as soon as possible
  • Remove comments in the source code that may reveal critical information about the application
  • Sensitive information should should not be used in the query sting
  • Data int the  transit must be encrypted with the lasest and greatest TLS algorithms
  • Make sure that you remove test codes before deployment

3、Rest API ststus return code (this chapter I've already written about  on my previous blog )

  • 200   the action is ok
  • 202  the request to create
  • 204 the post request did not include a client-generated id
  • 400 the request is malformed
  • 401 Wrong authentication ID or credentials
  • 403 an authenticated user does not have permission to access the resource
  • 404 requesting a nonexistant resource
  • 405  Unexpected Http method in the request
  • this error may occur when a dos attack is deleted

4、Passive information gathering reconnaissance ----OSINT

OSINT it mean's  Open Source Intelligence ,let's see the Web search engines

besides baidu and google 、yahu . i often use the http://yandex.com  and  http://duckduckgo.com  as follow

Source Code Review的更多相关文章

  1. 15个最佳的代码评审(Code Review)工具

    代码评审可以被看作是计算机源代码的测试,它的目的是查找和修复引入到开发阶段的应用程序的错误,提高软件的整体素质和开发者的技能.代码审查程序以各种形式,如结对编程,代码抽查等.在这个列表中,我们编制了1 ...

  2. source code analyzer 功能强大的C/C++源代码分析软件 Celerity CRACK 破解版

    特色 迅捷是一个功能强大的C/C++源代码分析软件.可以处理数百万行的源程序代码.支持标准及K&R风格的C/C++.对每一个打开的源代码工程,通过建立一个包含丰富交叉引用关系的数据库,显示其所 ...

  3. 谈一下我们是如何开展code review的

    众所周知,代码审查是软件开发过程中十分重要的环节,楼主结合自己的实际工作经验,和大家分享一下在实际工作中代码审查是如何开展的, 笔者水平有限,若有错误和纰漏,还请大家指正. 代码审查的阻力 我想不通公 ...

  4. [行业关键词] review code review

    意思是   代码评审  或是 代码回顾 代码评审是指在软件开发过程中,通过对源代码进行系统性检查的过程.通常的目的是查找系统缺陷,保证软件总体质量和提高开发者自身水平. Code Review是轻量级 ...

  5. Code Review Checklist

    左按:当年需要一份详细的代码评审清单作参考,翻译了此文. 版权声明:本文为博主原创文章,未经博主允许不得转载.   目录(?)[-] General Code Smoke Test 通用测试 Comm ...

  6. 基于GitLab的Code Review教程

    一.前言 1.本文主要内容 GitLab Code Review机制说明 Git Workflow 与 Git Code Review Workflow GitLab Code Review 配置说明 ...

  7. Spring 4 MVC example with Maven - [Source Code Download]

    In this tutorial, we show you a Spring 4 MVC example, using Maven build tool. Technologies used : Sp ...

  8. Tree - AdaBoost with sklearn source code

    In the previous post we addressed some issue of decision tree, including instability, lack of smooth ...

  9. 项目管理系列--好用的代码评审(Code Review)工具

    1. Gerrit Gerrit is a web based code review system, facilitating online code reviews for projects us ...

随机推荐

  1. Java socket详解(转)

    一:socket通信基本原理. 首先socket 通信是基于TCP/IP 网络层上的一种传送方式,我们通常把TCP和UDP称为传输层. 如上图,在七个层级关系中,我们将的socket属于传输层,其中U ...

  2. [转帖]如何重置CentOS/RHEL 7中遗忘的根用户帐户密码

    如何重置CentOS/RHEL 7中遗忘的根用户帐户密码 https://www.cnblogs.com/swordxia/p/4389466.html 作者的blog质量很高呢 没看完 但是感觉 很 ...

  3. win10启动nginx但是访问不了

    首先验证配置,是否正常:nginx -t 我这里配置正常. 我的原因是设置了代理,打开IE浏览器,设置>Internet选项>连接>局域网设置>代理删除.

  4. flex布局应用

    flex介绍  http://www.ruanyifeng.com/blog/2015/07/flex-grammar.html 了解了flex布局之后,发现其功能非常强大. 当指定一个div dis ...

  5. shell实战之日志备份

    util.sh #!/bin/bash - # Read config # kay # Version: 1.0 # // # configuration file path config=${log ...

  6. 深入理解JVM(1)——栈和局部变量操作指令

    将常量压入栈的指令 aconst_null 将null对象引用压入栈iconst_m1 将int类型常量-1压入栈iconst_0 将int类型常量0压入栈iconst_1 将int类型常量1压入栈i ...

  7. Notepad++ 的函数参数提示错误的问题终于解决了

    看第3张图片,明明我输入的是 print_double(), 提示的却是 print() 函数的参数. 这个问题困扰了我半年,今天晚上找到解决问题的办法:

  8. 关于进程、线程、应用程序域(AppDomain)

    什么是进程?什么是线程?什么是应用程序集?及三者之间的关系(以下做一些简单的概念性的理解) 三者共同的基础对象!!!——应用程序 1.进程是操作系统用于隔离众多正在运行的应用程序的机制,进程的缺点是降 ...

  9. Python:正则表达式详解

    正则表达式是一个很强大的字符串处理工具,几乎任何关于字符串的操作都可以使用正则表达式来完成,作为一个爬虫工作者,每天和字符串打交道,正则表达式更是不可或缺的技能,正则表达式的在不同的语言中使用方式可能 ...

  10. [物理学与PDEs]第3章第3节 电导率 $\sigma$ 为无穷时的磁流体力学方程组 3.3 磁场线``冻结''原理

    磁场线``冻结''原理: 在 $\sigma=\infty$ 时, 初始时刻分布在同一磁场线上的质点, 在运动过程中会一直保持在同一磁场线上, 即磁场线好像``冻结''在物质上. 事实上, $\cfr ...