Secure Coding mailing list archives

Secure Coding Standards


From: ramartin at mitre.org (Robert Martin)
Date: Mon, 29 Sep 2008 13:28:21 -0400

As a complement to coding standards you may want to consider using the 
Common Weakness Enumeration (CWE) as a target list of coding, design and 
implementation issues you are trying to minimize through use of those 
coding standards.

Using the CWEs can also help you to drive and correlate your test 
program into a cross checking of the issues you care about to assure 
yourself that they were actually addressed by your development 
standards.  Many of the testing approaches, whether they be from manual 
reviews, penetration testing/black box testing, or from white box 
testing/code assessments, are easily correlated with CWEs either because 
the vendors are already tagging their findings with CWEs or because your 
testers can easily match their testing to the CWEs that their testing 
uncovers.

Several large commercial development vendors are using CWE as a 
framework for targeting and tracking their application security reviews 
both as a way of articulating their goals about which kinds of issues 
they want to address as well as a way to document and track their progress.

Many of the coding standards efforts you listed, as well as the OWASP 
efforts, have already mapped (or are in the process of mapping) their 
coding standards/guidance to the CWEs that the individual rules address.

Regards,

Bob
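The cross-check Bob describes (a CWE target list, coding-standard rules mapped to the CWEs they address, and test findings tagged with CWEs) is easy to automate once all three are expressed in terms of CWE ids. The script below is an added example written for this archive page; it is not part of the original message and not tooling from MITRE, CERT or OWASP. The rule ids, finding ids and test sources are constructed placeholders; only the CWE ids are real entries. It reports, for each targeted CWE, which rules claim to address it, which test activities exercised it, and which findings are still open, and then flags CWEs that no rule covers or that no test has touched.

```python
"""Cross-check a coding-standard-to-CWE mapping against CWE-tagged test findings.

Constructed example: rule ids, finding ids and sources are hypothetical
placeholders. Only the CWE ids refer to real CWE entries.
"""
from collections import defaultdict

# Hypothetical coding-standard rules and the CWE ids each one addresses.
# Rule names are constructed placeholders, not CERT or OWASP identifiers.
STANDARD_RULE_TO_CWE = {
    "RULE-STR-01": {"CWE-120"},                # bounded buffer copies
    "RULE-SQL-01": {"CWE-89"},                 # parameterised queries
    "RULE-WEB-01": {"CWE-79"},                 # contextual output encoding
    "RULE-CRYPTO-01": {"CWE-327", "CWE-330"},  # approved algorithms, CSPRNG
}

# The CWE target list the organisation wants to drive down.
TARGET_CWES = {"CWE-79", "CWE-89", "CWE-120", "CWE-327", "CWE-330", "CWE-22"}

# Constructed findings from three test sources: (source, finding id, cwe, status).
FINDINGS = [
    ("sast", "F-1001", "CWE-120", "open"),
    ("sast", "F-1002", "CWE-89", "fixed"),
    ("pentest", "P-17", "CWE-79", "open"),
    ("manual-review", "R-3", "CWE-327", "fixed"),
    ("pentest", "P-18", "CWE-22", "open"),
]


def cwe_number(cwe_id):
    """Numeric part of a 'CWE-nnn' id, so lists sort by number rather than as text."""
    return int(cwe_id.split("-", 1)[1])


def cwe_to_rules(rule_map):
    """Invert the rule -> CWEs map into CWE -> rules."""
    inverse = defaultdict(set)
    for rule, cwes in rule_map.items():
        for cwe in cwes:
            inverse[cwe].add(rule)
    return inverse


def coverage_report(target_cwes, rule_map, findings):
    """For each targeted CWE: covering rules, test sources that hit it, open finding ids."""
    inverse = cwe_to_rules(rule_map)
    report = {}
    for cwe in sorted(target_cwes, key=cwe_number):
        hits = [f for f in findings if f[2] == cwe]
        report[cwe] = {
            "rules": sorted(inverse.get(cwe, ())),
            "tested_by": sorted({f[0] for f in hits}),
            "open_findings": sorted(f[1] for f in hits if f[3] == "open"),
        }
    return report


def gaps(report):
    """Return (CWEs no rule addresses, CWEs no test activity has exercised)."""
    unaddressed = [cwe for cwe, row in report.items() if not row["rules"]]
    untested = [cwe for cwe, row in report.items() if not row["tested_by"]]
    return unaddressed, untested


def rules_with_open_findings(report):
    """Rules whose CWE still has open findings: the standard exists but is not yet effective."""
    result = defaultdict(list)
    for row in report.values():
        for rule in row["rules"]:
            result[rule].extend(row["open_findings"])
    return {rule: sorted(ids) for rule, ids in result.items() if ids}


if __name__ == "__main__":
    rep = coverage_report(TARGET_CWES, STANDARD_RULE_TO_CWE, FINDINGS)
    for cwe, row in rep.items():
        print(f"{cwe:8} rules={row['rules']} tested_by={row['tested_by']} open={row['open_findings']}")
    unaddressed, untested = gaps(rep)
    print("no rule addresses:", unaddressed)
    print("never exercised by a test:", untested)
    print("rules with open findings:", rules_with_open_findings(rep))
```

Two kinds of gap come out of this: a targeted CWE with no rule behind it (here CWE-22, which a pentest found but the standard never mentions) and a CWE the standard claims to address but no test has ever exercised (here CWE-330), which is the case where a coding standard gives false assurance. Real findings exported from SAST or pentest tooling would replace the constructed tuples, keyed on whatever CWE tag the vendor emits.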

anon sec wrote:
I am looking for a comprehensive set of secure coding standards to implement
into my dev organization. These standards should cover Java, Web, and C/C++
as well as guidelines for using features like encryption, authentication,
SSO, SSL, etc. I am open to both publicly available standards as well as
commercially available standards. So far, I found

   1. www.securecoding.cert.org - thanks to Robert C. Seacord,
   http://krvw.com/pipermail/sc-l/2008/001401.html
   2. http://java.sun.com/security/seccodeguide.html
   3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
   4. DHS Build Security In (kind of) -
   https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
   5. SANS Software Security Institute - http://www.sans-ssi.org/
   6. CERT Top 10 Secure Coding Practices -
   https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
   7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

I would greatly appreciate any pointers to other links or to companies who
have developed and sell these standards.

Thanks in advance.

An0n S3c.



------------------------------------------------------------------------

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________