Secure Coding mailing list archives
Language agnostic secure coding guidelines/standards?
From: rcs at cert.org (Robert Seacord)
Date: Fri, 14 Nov 2008 10:53:39 -0500
Pete,

I think your best bet is the work being done by ISO/IEC JTC 1/SC 22/WG 23 Programming Language Vulnerabilities. The website for this work is http://www.aitcnet.org/isai/.

The latest Editor's draft of PDTR 24772, prepared by John Benito, is N0138, which can be found here:

http://www.aitcnet.org/isai/_Mtg_10/_Mtg_9/22-OWGV-N-0138/n0138.pdf

This document provides language independent guidance, with language specific annexes. I think this comes closest to what you are looking for.

CERT has/is developing language specific standards for C, C++, and Java and are available online at www.securecoding.cert.org. There is also a static version of the C standard which has been published by Addison-Wesley http://www.informit.com/store/product.aspx?isbn=0321563212 if you prefer your standards fixed instead of continually evolving. ;^)

Our Java Secure Coding standard is being developed collaboratively with Sun Microsystems. Eventually, I'll probably get an announcement out to that effect.

Thanks,
rCs

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Pete Werner
Sent: Wednesday, November 12, 2008 7:22 PM
To: Secure Coding
Subject: [SC-L] Language agnostic secure coding guidelines/standards?

Hi all

I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant. The kicker is it needs to cover things ranging from COBOL running on a mainframe, in house network monitoring software in C and Perl through to web and desktop applications in Java or .NET.

I've been doing some searching to see if there is anything similar online, but everything I've found is mostly focussed on web applications or language/platform specific. Does anyone know of something that may be what I'm looking for?

It's basically going to be a checklist where every item will be something that can be audited, and the things that aren't relevant to a given application can be ignored. The broad sections I have so far are:

Input/Output handling
Session Control and Management
Memory allocation and Management
Authentication Management
Authorisation Management
Data Protection
Logging and Auditing
Application Errors and Exceptions

Thanks in advance
Pete

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________