Source Code Review

1、berfore we talking abnout the Source Code review,here's what we want to know about the most popular programming langurages .

2、Secure coding cheklist

Authentication and credentials must use TLS and not HTTP cleartext
Authentication must be enforced on all page ,except the ones intended to the public
the erroe messages pages should not lead to information-gathering disclosure
Authenticication logic must be validated on the server
Authentication passwords must be saved uner secure hashing algorithms and salting is perferable
The password's hashing logic must be on the server side
Session must be managed on the server side
Session idetifier must be random
Any cryptographic functionality to protect data shold be implemented on the server side
All data validation must be performed on the server side
Encode data before validation
All validation failures should be rejected in a custom error message
Conduct all the encoding logic on the server side
Sanitize all the output of understed data foe SQl ,XML LDAP and operating system commands
Do not disclose sensitive information in the error messages, including debuffing information such as stack track
Use custom reeor messages and error pages
Temporary sensitive data must be stored in a secure location ,and those itmes must be purged as soon as possible
Remove comments in the source code that may reveal critical information about the application
Sensitive information should should not be used in the query sting
Data int the transit must be encrypted with the lasest and greatest TLS algorithms
Make sure that you remove test codes before deployment

3、Rest API ststus return code (this chapter I've already written about on my previous blog )

4、Passive information gathering reconnaissance ----OSINT

OSINT it mean's Open Source Intelligence ,let's see the Web search engines

besides baidu and google 、yahu . i often use the http://yandex.com and http://duckduckgo.com as follow