Secure Coding Standards

[an0n.s3c at gmail.com (anon sec)]

Jim
Thanks. I will add that to the list.
An0n S3c

On Sun, Sep 28, 2008 at 1:45 PM, Jim Manico <jim at manico.net> wrote:

> Andrew van der Stock is also approaching this issue from a high level at
>
> http://www.greebo.net/2008/09/24/coding-standard/
>
> His list looks rather complete.
>
> - Jim
>
>
> My thoughts...
>
> You standards really need more context - the standards for Java thick
> client vs Java server/web code would be rather different, for example. Make
> sure your guide gives recomendations specific to the context of the
> application type.
>
> On that note, other thoughts....
>
> * Robert Seacord's guide is one of the best guides to secure coding in the
> C++ world but does not address web based or non C++ programming.
>     a) I would also read Ken's book on this topic - great stuff.
>     b) Microsoft books on their trustworthy computing initiative for the
> .NET world are very well written.
> * The SANS's courses and certs are really network/infrastructure centric
> and are not that helpful for the software engineer
> * The Sun link is way to general - nothing specific to really help the
> programmer write secure code.
> * 4-7 are way to general.
>
> In the web world, OWASP is by far the best. See:
> http://www.owasp.org/index.php/Category:OWASP_Guide_Project
>
> - Jim
>
>  I am looking for a comprehensive set of secure coding standards to
> implement into my dev organization. These standards should cover Java, Web,
> and C/C++ as well as guidelines for using features like encryption,
> authentication, SSO, SSL, etc. I am open to both publicly available
> standards as well as commercially available standards. So far, I found
>
>    1. www.securecoding.cert.org - thanks to Robert C. Seacord,
>    http://krvw.com/pipermail/sc-l/2008/001401.html
>    2. http://java.sun.com/security/seccodeguide.html
>    3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
>    4. DHS Build Security In (kind of) -
>    https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
>    5. SANS Software Security Institute - http://www.sans-ssi.org/
>    6. CERT Top 10 Secure Coding Practices -
>    https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
>    7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
>  I would greatly appreciate any pointers to other links or to companies who
> have developed and sell these standards.
>
> Thanks in advance.
>
> An0n S3c.
>
>
>
> ------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com <http://www.krvw.com/>)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
>
>
>
> --
> Jim Manico, Senior Application Security Engineerjim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security?
> Securing your applications at the sourcehttp://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
>
>
>
>
>
> --
> Jim Manico, Senior Application Security Engineerjim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security?
> Securing your applications at the sourcehttp://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20080928/eeb25abf/attachment.html