Secure Coding Standards

[jim at manico.net (Jim Manico)]

My thoughts...

You standards really need more context - the standards for Java thick
client vs Java server/web code would be rather different, for example.
Make sure your guide gives recomendations specific to the context of the
application type.

On that note, other thoughts....

* Robert Seacord's guide is one of the best guides to secure coding in
the C++ world but does not address web based or non C++ programming.
    a) I would also read Ken's book on this topic - great stuff.
    b) Microsoft books on their trustworthy computing initiative for the
.NET world are very well written.
* The SANS's courses and certs are really network/infrastructure centric
and are not that helpful for the software engineer
* The Sun link is way to general - nothing specific to really help the
programmer write secure code.
* 4-7 are way to general.

In the web world, OWASP is by far the best. See:
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

- Jim
> I am looking for a comprehensive set of secure coding standards to
> implement into my dev organization. These standards should cover Java,
> Web, and C/C++ as well as guidelines for using features like
> encryption, authentication, SSO, SSL, etc. I am open to both publicly
> available standards as well as commercially available standards. So
> far, I found
>
>    1. www.securecoding.cert.org <http://www.securecoding.cert.org/> -
>       thanks to Robert C. Seacord,
>       http://krvw.com/pipermail/sc-l/2008/001401.html
>    2. http://java.sun.com/security/seccodeguide.html
>    3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
>    4. DHS Build Security In (kind of) -
>       https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
>    5. SANS Software Security Institute - http://www.sans-ssi.org/
>    6. CERT Top 10 Secure Coding Practices -
>       https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
>    7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
>  I would greatly appreciate any pointers to other links or to
> companies who have developed and sell these standards.
>  
> Thanks in advance.
>  
> An0n S3c.
>
>  
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>   


-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security?
Securing your applications at the source
http://www.aspectsecurity.com

---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference  
Sept 22nd-25th 2008


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20080928/7b429ab2/attachment.html