Secure Coding mailing list archives
Secure Coding Standards
From: rklists at gmail.com (Rohit Lists)
Date: Mon, 29 Sep 2008 12:14:49 -0400
Most of the SANS classes are network/infrastructure related, but some of them are made specifically for secure coding in a particular language. I'm an instructor and courseware developer for Security 541, the secure coding in Java / JEE class (http://www.sans.org/ns2008/description.php?tid=1937).

To Jim's point, the guidelines will vary by the application type, although there is a set of topics that apply to most developers (e.g. numeric overflow, synchronization, error handling, etc.). Whatever you do end up using, make sure that your specific type of application is included.

Cheers,

--
Rohit Sethi
Security Compass
http://www.securitycompass.com

On Sun, Sep 28, 2008 at 1:22 PM, Jim Manico <jim at manico.net> wrote:
> My thoughts...
>
> Your standards really need more context - the standards for Java thick client vs Java server/web code would be rather different, for example. Make sure your guide gives recommendations specific to the context of the application type.
>
> On that note, other thoughts....
>
> * Robert Seacord's guide is one of the best guides to secure coding in the C++ world but does not address web based or non C++ programming.
>   a) I would also read Ken's book on this topic - great stuff.
>   b) Microsoft books on their trustworthy computing initiative for the .NET world are very well written.
> * The SANS courses and certs are really network/infrastructure centric and are not that helpful for the software engineer.
> * The Sun link is way too general - nothing specific to really help the programmer write secure code.
> * 4-7 are way too general. In the web world, OWASP is by far the best. See: http://www.owasp.org/index.php/Category:OWASP_Guide_Project
>
> - Jim
>
>> I am looking for a comprehensive set of secure coding standards to implement into my dev organization. These standards should cover Java, Web, and C/C++ as well as guidelines for using features like encryption, authentication, SSO, SSL, etc. I am open to both publicly available standards as well as commercially available standards.
>>
>> So far, I found
>>
>> 1. www.securecoding.cert.org - thanks to Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html
>> 2. http://java.sun.com/security/seccodeguide.html
>> 3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
>> 4. DHS Build Security In (kind of) - https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
>> 5. SANS Software Security Institute - http://www.sans-ssi.org/
>> 6. CERT Top 10 Secure Coding Practices - https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
>> 7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>>
>> I would greatly appreciate any pointers to other links or to companies who have developed and sell these standards.
>>
>> Thanks in advance.
>>
>> An0n S3c.
>>
>> _______________________________________________
>> Secure Coding mailing list (SC-L) SC-L at securecoding.org
>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>> List charter available at - http://www.securecoding.org/list/charter.php
>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
>> _______________________________________________
>
> --
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
> Aspect Security - Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
Current thread:
- Secure Coding Standards anon sec (Sep 27)
- Secure Coding Standards Bedirhan Urgun (Sep 28)
- Secure Coding Standards anon sec (Sep 28)
- Secure Coding Standards Jim Manico (Sep 28)
- Secure Coding Standards Jim Manico (Sep 28)
- Secure Coding Standards anon sec (Sep 28)
- Secure Coding Standards Rohit Lists (Sep 29)
- Secure Coding Standards Jim Manico (Sep 28)
- Secure Coding Standards Cassidy, Colin (GE Infra, Energy) (Sep 29)
- Secure Coding Standards Robert C. Seacord (Sep 29)
- Secure Coding Standards Robert Martin (Sep 29)
- Secure Coding Standards Bedirhan Urgun (Sep 28)