Secure Coding mailing list archives
Language agnostic secure coding guidelines/standards?
From: securecoding at nxtg.net (AF)
Date: Thu, 13 Nov 2008 14:27:12 -0000
Pete Werner wrote:
Hi all,

I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant. The kicker is it needs to cover things ranging from COBOL running on a mainframe, in-house network monitoring software in C and Perl, through to web and desktop applications in Java or .NET.

I've been doing some searching to see if there is anything similar online, but everything I've found is mostly focussed on web applications or language/platform specific. Does anyone know of something that may be what I'm looking for?

It's basically going to be a checklist where every item will be something that can be audited, and the things that aren't relevant to a given application can be ignored. The broad sections I have so far are:

- Input/Output handling
- Session Control and Management
- Memory allocation and Management
- Authentication Management
- Authorisation Management
- Data Protection
- Logging and Auditing
- Application Errors and Exceptions

Thanks in advance,
Pete
Hi Pete,

You are right when it comes to being agnostic: many checklists and guides found on the web are webapp-oriented. The security frames, however, mostly remain the same for software, whether it is web-based or desktop-based, such as:

- authentication
- authorisation
- data validation
- session management
- logging
- error handling
- cryptography
- ...

The proposition is that you might consider the OWASP "code review" or "testing" guides' checkpoints (more than 60 controls are included) and derive their "architecture-agnostic" counterpart. You can then add the remaining frames, less often found in webapp-security guidance, such as memory management or multithreading, from other sources. This strategy would (I hope) help you build a first version of your corporate secure coding guideline in a checklist form.

I hope it helps...

regards,
A

ps: http://www.owasp.org/, the guides' links are shown in the upper right quick access projects links
Current thread:
- Language agnostic secure coding guidelines/standards? Pete Werner (Nov 12)
- Language agnostic secure coding guidelines/standards? AF (Nov 13)
- Language agnostic secure coding guidelines/standards? McGovern, James F (HTSC, IT) (Nov 13)
- Language agnostic secure coding guidelines/standards? Andrew van der Stock (Nov 13)
- Language agnostic secure coding guidelines/standards? John Steven (Nov 13)
- Language agnostic secure coding guidelines/standards? Steven M. Christey (Nov 17)
- Language agnostic secure coding guidelines/standards? Gary McGraw (Nov 19)
- Language agnostic secure coding guidelines/standards? Pete Werner (Nov 20)
- Language agnostic secure coding guidelines/standards? Dave Wichers (Nov 21)
- <Possible follow-ups>
- Language agnostic secure coding guidelines/standards? David A. Wheeler (Nov 14)