WebApp Sec mailing list archives

RE: Secure Coding Audit


From: "Michael Silk" <michaels () phg com au>
Date: Tue, 10 Aug 2004 09:50:58 +1000

Hi Robert,

        Of course, it depends on whether your company has implemented some
form of programming standards for security (I hope so! :)).

        If it has, you can simply ensure that they are all doing as
documented.

        But probably this isn't the case ... so all you can do is grab
your favourite security-minded document:

                - "Threats and Countermeasures"
                  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/threatcounter.asp (You can download this).
                - http://www.technicalinfo.net/papers/ApplicationSecurityAssessments.html
                - http://www.technicalinfo.net/papers/AssessmentQuestions.html

        And look at each line to see if it meets the guidelines :)

        Of course, if you want the easy way out, you might search for an
automatic auditing tool, but it may not find everything. However (if
it's a good one), it could highlight potential areas of interest.

-- Michael
 

-----Original Message-----
From: Robert.L.Grill () wellsfargo com
[mailto:Robert.L.Grill () wellsfargo com] 
Sent: Tuesday, 10 August 2004 8:48 AM
To: webappsec () securityfocus com
Subject: Secure Coding Audit

Any good training out there on performing a server-side white-box code
review on Java or C++ code?





This email message and accompanying data may contain information that is confidential and/or subject to legal 
privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying 
of this message or data is prohibited. If you have received this email message in error, please notify us immediately 
and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any information contained herein for contractual or 
legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by 
authorised persons.
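An added example, not part of Michael's reply or of Robert's original post: a minimal grep-style audit script in Python that does the one job the reply attributes to a cheap automatic auditing tool, pointing the reviewer at lines in Java and C++ source worth reading. The rule set, the `Finding`, `audit` and `report` names, and the two sample snippets are all constructed here for illustration and belong to no real project; as the reply says, such a tool may not find everything, so every hit still has to be read against the guideline documents listed above, and hits inside string literals or trailing comments are false positives the reviewer discards.

```python
"""Minimal grep-style white-box audit helper for Java and C/C++ source.

Added example (not from the mailing-list post). It does the one thing a
cheap automatic auditing tool does well: point a reviewer at the lines
worth reading. It cannot prove a line safe or unsafe; every hit still
needs the surrounding code checked against the review guidelines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical rule set, constructed for this example: (pattern, severity, note).
# A real checklist is much longer and is derived from the guideline documents
# the reviewer is auditing against.
RULES = {
    "java": [
        (re.compile(r"\b(executeQuery|executeUpdate|execute)\s*\(\s*[^)]*\+"), "high",
         "SQL built by string concatenation; use PreparedStatement with bound parameters"),
        (re.compile(r"\bRuntime\.getRuntime\(\)\.exec\s*\("), "high",
         "OS command execution; confirm no argument is attacker-controlled"),
        (re.compile(r"\bgetParameter\s*\("), "info",
         "untrusted request input enters here; trace it to every sink"),
        (re.compile(r"\bprintStackTrace\s*\("), "low",
         "stack trace may reach the client or unprotected logs"),
    ],
    "cpp": [
        (re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("), "high",
         "unbounded copy into a fixed buffer; use bounded variants and check lengths"),
        (re.compile(r"\bsystem\s*\("), "high",
         "shell command execution; confirm no argument is attacker-controlled"),
        (re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)"), "medium",
         "format string taken from a variable; pass a literal format instead"),
    ],
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    language: str
    line: int
    severity: str
    text: str
    note: str


def audit(source: str, language: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in source order.

    Whole-line comments are skipped so commented-out code is not reported.
    This is a heuristic, not a parser: trailing comments and string
    literals can still produce hits that the reviewer must discard.
    """
    findings: list[Finding] = []
    for number, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("//", "/*")):
            continue
        for pattern, severity, note in RULES[language]:
            if pattern.search(line):
                findings.append(Finding(language, number, severity, line, note))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Format findings, most severe first, then by line number."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.line))
    return [f"{f.severity.upper():<6} line {f.line}: {f.text}\n       -> {f.note}"
            for f in ordered]


# Constructed sample sources (not real code from any project).
JAVA_SAMPLE = "\n".join([
    'String user = request.getParameter("user");',
    "Statement st = conn.createStatement();",
    'ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name=\'" + user + "\'");',
    '// st.executeQuery("SELECT 1" + user);   // commented out: must not be reported',
    'PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name=?");',
])

CPP_SAMPLE = "\n".join([
    "void greet(const char *name) {",
    "    char buf[64];",
    "    strcpy(buf, name);",                        # unbounded copy: hit
    "    printf(buf);",                              # caller-controlled format: hit
    '    snprintf(buf, sizeof buf, "%s", name);',    # bounded copy: no hit
    '    printf("%s\\n", buf);',                     # literal format: no hit
    "}",
])


if __name__ == "__main__":
    for lang, sample in (("java", JAVA_SAMPLE), ("cpp", CPP_SAMPLE)):
        print(f"== {lang} ==")
        for entry in report(audit(sample, lang)):
            print(entry)
```

Run it as a script and it prints the hits for both constructed samples: the concatenated `executeQuery` and the `getParameter` entry point in the Java snippet, and `strcpy` plus the variable format string in the C++ one, while the commented-out query, the `PreparedStatement`, `snprintf` and the literal-format `printf` produce nothing. Pointing `audit` at real files is a matter of reading them and passing the text in; the value is in the triage order, not in the verdict, which stays with the human reviewer.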