Secure Coding mailing list archives

Language agnostic secure coding guidelines/standards?


From: securecoding at nxtg.net (AF)
Date: Thu, 13 Nov 2008 14:27:12 -0000

Pete Werner wrote:

Hi all

I've been tasked with developing a secure coding standard for my
employer. This will be a policy tool used to get developers to fix
issues in their code after an audit, and also hopefully be of use to
developers as they work to ensure they are compliant. The kicker is it
needs to cover things ranging from COBOL running on a mainframe, in-house
network monitoring software in C and Perl, through to web and
desktop applications in Java or .NET.

I've been doing some searching to see if there is anything similar
online, but everything I've found is mostly focussed on web
applications or language/platform-specific. Does anyone know of
something that may be what I'm looking for?

It's basically going to be a checklist where every item will be
something that can be audited, and the things that aren't relevant to
a given application can be ignored. The broad sections I have so far
are:

- Input/Output handling
- Session Control and Management
- Memory allocation and Management
- Authentication Management
- Authorisation Management
- Data Protection
- Logging and Auditing
- Application Errors and Exceptions

Thanks in advance
Pete


Hi Pete,

You are right when it comes to being agnostic: many
checklists and guides found on the web are webapp-oriented.

The security frames, however, mostly remain the same
for software, whether it is web-based or desktop-based,
such as:

- authentication
- authorisation
- data validation
- session management
- logging
- error handling
- cryptography
- ...


The proposition is that you might consider the checkpoints of OWASP's
"Code Review" or "Testing" guides (more than
60 controls are included) and derive their architecture-agnostic
counterparts.

You can then add the remaining frames, which are less often found in
webapp security guidance, such as memory management
or multithreading, from other sources.

This strategy would (I hope) help you build a first version
of your corporate secure coding guideline in a checklist
form.

I hope it helps...

regards,
A


PS: http://www.owasp.org/; the links to the guides are
shown in the upper-right quick-access project links.

