Security Basics mailing list archives
Re: Secure Software Development Checklist
From: rohnskii () gmail com
Date: 1 Nov 2007 22:36:17 -0000
Mike:

Your task is "bigger than a breadbox"; the requirements you describe are varied. So, first, I think you can forget about a single checklist. It might start that way, but I think you'll quickly find it gets too complex. So it will end up easier to use if you end up splitting it up.

Second, take a detailed inventory of the apps you want to cover.

Third, determine the risk/exposure to attack that the apps will be facing. The simplest split I can think of would be:

1. 100%, absolutely, positively, no doubt about it internal corporate use only, no browser exposure. Unfortunately, this category is most likely to error. I once wrote an app that I was told was in this category. One year after it was done, we sold it to a third party (who paid handsomely to upgrade it first!)
2. Browser based, internal app
3. Limited external exposure. "Trusted" clients
4. Wide open, web exposure.

Fourth, determine the vulnerabilities associated with each language. A compiled language like, say, Cobol, isn't vulnerable to pointer and buffer overflows like the C family, or XSS attacks like HTML. This is particularly where I think separate checklists will be best.

Fifth, determine which legal requirements must be met. Federal, State/Provincial, and Industry all have different requirements. You have to come up with an extract of the highest common denominator (if one says encrypt but the other doesn't care, encrypt "wins"; if another requires 7 years of archive vs 1 year, 7 it is ...). There are bound to be conflicts too (PCI comes to mind, requiring data purge after 18-24 months vs legislation that requires 7 years of data archiving).

Google for "Standards" and "Best Practices" related to your specific languages.

Here are a few links for you to look at:

- http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1099349,00.html?track=NL-102&ad=537884 - Thwarting Hacker Techniques Learning Guide
- http://searchsecurity.techtarget.com - spend lots of time looking around in this site, it has TONS of good stuff for you
- http://www.techtoolblog.com/archives/195-free-online-programming-books - actually now more like 345 links, some good stuff
- http://freecomputerbooks.com/
- http://freecomputerbooks.com/specialSecurityBooksIndex.html
- http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf - here is one book from NIST, it's only 290 pages. It covers security from A-Z, but there are lots of concepts that you will be able to extract. They have lots more, including some checklists you might find handy
- http://www.boran.com/security/ - this one looks good for you, it has several specific sets of technical guidelines, i.e. check out Ch13 Securing Applications
- http://blogs.ittoolbox.com/security/adventures - check out this blogger, you'll get lots of points from him
- http://www.bitpipe.com/detail/RES/1170683922_906.html - Path to a secure app: Source code security review checklist. Techtarget also has lots of good stuff for you
- http://searchappsecurity.bitpipe.com/detail/RES/1151505153_648.html?src=DED_sappsec_08_08_06 - Security at the next level
- http://www1.sans-ssi.org/ - you are going to want to spend lots of time in this site
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1241948,00.html - Developing an app security mindset. Good overview.
- http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1099349,00.html?track=NL-102&ad=537884 - Thwarting hacker techniques learning guide.
- http://www.owasp.org/index.php/Main_Page - OWASP Top Ten is definitely something you are going to want to look at!

Finally, last but first. Whatever checklists / standards you end up defining, make sure that they get everyone thinking about security by including steps right from the beginning of the design process. The earlier you start considering and building in security, the cheaper and easier it will be to implement. Retrofitting logic is expensive.

Big topic, HTH