Security Basics mailing list archives

Re: Secure Software Development Checklist


From: rohnskii () gmail com
Date: 1 Nov 2007 22:36:17 -0000

Mike:

Your task is "bigger than a breadbox", the requirements you describe are varied.

So, first, I think you can forget about a single checklist.  It might start that way, but I think you'll quickly find 
it gets too complex.  So it will end up easier to use if you end up splitting it up.

Second, take a detailed inventory of the apps you want to cover.

Third, determine the risk/exposure to attack that the apps will be facing.  The simplest split I can think of would be:
1.  100%, absolutely, positively, no doubt about it internal corporate use only, no browser exposure.  Unfortunately, 
this category is most likely to be in error.  I once wrote an app that I was told was in this category.  One year after it 
was done, we sold it to a third party (who paid handsomely to upgrade it first!)

2. Browser based, internal app

3. Limited external exposure.  "Trusted" clients

4. Wide open, web exposure.

Fourth, determine the vulnerabilities associated with each language.  A compiled language like, say, Cobol, isn't 
vulnerable to pointer and buffer overflows like the C family, or XSS attacks like HTML.  This is particularly where I 
think separate checklists will be best.

Fifth, determine the legal requirements that must be met.  Federal, State/Provincial, Industry all have different requirements.  
You have to come up with an extract of the highest common denominator (if one says encrypt but the others don't care, 
encrypt "wins".  If another requires 7 years archive, vs 1 year, 7 it is ...).  There are bound to be conflicts too; 
PCI comes to mind, requiring data purge after 18-24 months vs legislation that requires 7 years of data archiving.

Google for "Standards" and "Best Practices" related to your specific languages.

Here are a few links for you to look at:

http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1099349,00.html?track=NL-102&ad=537884 - Thwarting 
Hacker Techniques Learning Guide
http://searchsecurity.techtarget.com - spend lots of time looking around in this site, it has TONS of good stuff for you
http://www.techtoolblog.com/archives/195-free-online-programming-books - actually now more like 345 links, some good 
stuff

http://freecomputerbooks.com/
http://freecomputerbooks.com/specialSecurityBooksIndex.html

http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf - here is one book from NIST, it's only 290 pages.  It 
covers security from A-Z, but there are lots of concepts that you will be able to extract. They have lots more, 
including some checklists you might find handy

http://www.boran.com/security/ - this one looks good for you, has several specific sets of technical guidelines, i.e. check 
out Ch13 Securing Applications

http://blogs.ittoolbox.com/security/adventures - check out this blogger, you'll get lots of points from him

http://www.bitpipe.com/detail/RES/1170683922_906.html - Path to a secure app: Source code security review checklist.  
Techtarget also has lots of good stuff for you

http://searchappsecurity.bitpipe.com/detail/RES/1151505153_648.html?src=DED_sappsec_08_08_06 - Security at the next 
level

http://www1.sans-ssi.org/ - you are going to want to spend lots of time in this site

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1241948,00.html - Developing an app security 
mindset. Good overview.

http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1099349,00.html?track=NL-102&ad=537884 - thwarting 
hacker techniques learning guide.

http://www.owasp.org/index.php/Main_Page - OWASP Top Ten is definitely something you are going to want to look at!

Finally, last but first.  Whatever checklists / standards you end up defining, make sure that they get everyone 
thinking about security by including steps right from the beginning of the design process.  The earlier you start 
considering and building in security, the cheaper and easier it will be to implement.  Retrofitting logic is expensive.

Big topic, HTH
