11.07.2015

Improving Web Application Security: Threats and - CGISecurity
21 Code Review

In This Chapter
● Identifying cross-site scripting (XSS), SQL injection, buffer overflow, and other common vulnerabilities
● Identifying poor coding techniques that allow malicious users to launch attacks
● Security questions to ask so that you can locate problems quickly
● Evaluating security issues specific to individual .NET Framework technologies

Overview
Code reviews should be a regular part of your development process. Security code reviews focus on identifying insecure coding techniques and vulnerabilities that could lead to security issues. The review goal is to identify as many potential security vulnerabilities as possible before the code is deployed. The cost and effort of fixing security flaws at development time are far less than fixing them later in the product deployment cycle.

This chapter helps you review managed ASP.NET Web application code built using the Microsoft .NET Framework. In addition, it covers reviewing calls to unmanaged code. The chapter is organized by functional area, and includes sections that present general code review questions applicable to all types of managed code as well as sections that focus on specific types of code such as Web services, serviced components, data access components, and so on.

This chapter shows the questions to ask to expose potential security vulnerabilities. You can find solutions to these questions in the individual building chapters in Part III of this guide. You can also use the code review checklists in the "Checklists" section of the guide to help you during the review process.
