Secure Coding Standards

[rcs at cert.org (Robert C. Seacord)]

An0n S3c,

i see you have already found our site, but i should probably take this
opportunity to provide a couple of updates.

first of all, CERT has released the Java Secure Coding Standard in
addition to existing secure coding standards for the C and C++
programming languages. CERT invites the Java community to participate in
this effort by reviewing content in the Java space at
https://www.securecoding.cert.org/confluence/display/java/CERT+Java+Secure+Coding+Standard
and providing comments.

second, The CERT C Secure Coding Standard is being published by
Addison-Wesley and has already gone to the printer (it should be
available in October).  this book is the first official release of the
standard and has the advantage over the wiki version that we are not
changing it all the time, so you can actually implement it.  8^) 
anyway, you can read more (and preorder!) the book version here:
http://www.amazon.com/Secure-Coding-Standard-Software-Engineering/dp/0321563212

another idea is to look a little further from strictly security related
coding standards.  another good C++ standard is JSF++
http://www.jsf.mil/downloads/documents/JSF_AV_C++_Coding_Standards_Rev_C.doc. 
you may also want to look at the various MISRA standards.

thanks,
rCs
> I am looking for a comprehensive set of secure coding standards to
> implement into my dev organization. These standards should cover Java,
> Web, and C/C++ as well as guidelines for using features like
> encryption, authentication, SSO, SSL, etc. I am open to both publicly
> available standards as well as commercially available standards. So
> far, I found
>
>    1. www.securecoding.cert.org <http://www.securecoding.cert.org/> -
>       thanks to Robert C. Seacord,
>       http://krvw.com/pipermail/sc-l/2008/001401.html
>    2. http://java.sun.com/security/seccodeguide.html
>    3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
>    4. DHS Build Security In (kind of) -
>       https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
>    5. SANS Software Security Institute - http://www.sans-ssi.org/
>    6. CERT Top 10 Secure Coding Practices -
>       https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
>    7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
>  I would greatly appreciate any pointers to other links or to
> companies who have developed and sell these standards.
>  
> Thanks in advance.
>  
> An0n S3c.
>
>  
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>   


-- 
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC 

Work: 412-268-7608
FAX: 412-268-6989