Secure Coding Standards

[rklists at gmail.com (Rohit Lists)]

Most of the SANS classes are network/infrastructure related, but some
of them are made specifically for secure coding in a particular
language. I'm an instructor and courseware developer for Security 541,
the secure coding in Java / JEE class
(http://www.sans.org/ns2008/description.php?tid=1937).

To Jim's point, the guidelines will vary by the application type
although there are a set of topics that apply to most developers (e.g.
numeric overflow, synchronization, error handling, etc.). Whatever you
do end up using make sure that your specific type of application is
included.

Cheers,
-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com

On Sun, Sep 28, 2008 at 1:22 PM, Jim Manico <jim at manico.net> wrote:
> My thoughts...
>
> You standards really need more context - the standards for Java thick client
> vs Java server/web code would be rather different, for example. Make sure
> your guide gives recomendations specific to the context of the application
> type.
>
> On that note, other thoughts....
>
> * Robert Seacord's guide is one of the best guides to secure coding in the
> C++ world but does not address web based or non C++ programming.
>     a) I would also read Ken's book on this topic - great stuff.
>     b) Microsoft books on their trustworthy computing initiative for the
> .NET world are very well written.
> * The SANS's courses and certs are really network/infrastructure centric and
> are not that helpful for the software engineer
> * The Sun link is way to general - nothing specific to really help the
> programmer write secure code.
> * 4-7 are way to general.
>
> In the web world, OWASP is by far the best. See:
> http://www.owasp.org/index.php/Category:OWASP_Guide_Project
>
> - Jim
>
> I am looking for a comprehensive set of secure coding standards to implement
> into my dev organization. These standards should cover Java, Web, and C/C++
> as well as guidelines for using features like encryption, authentication,
> SSO, SSL, etc. I am open to both publicly available standards as well as
> commercially available standards. So far, I found
>
> www.securecoding.cert.org - thanks to Robert C. Seacord,
> http://krvw.com/pipermail/sc-l/2008/001401.html
> http://java.sun.com/security/seccodeguide.html
> http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
> DHS Build Security In (kind of) -
> https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
> SANS Software Security Institute - http://www.sans-ssi.org/
> CERT Top 10 Secure Coding Practices -
> https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
>  I would greatly appreciate any pointers to other links or to companies who
> have developed and sell these standards.
>
> Thanks in advance.
>
> An0n S3c.
>
>
>
> ________________________________
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
>
> --
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security?
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________