Most of the SANS classes are network/infrastructure related, but some of them are made specifically for secure coding in a particular language. I'm an instructor and courseware developer for Security 541, the secure coding in Java / JEE class (http://www.sans.org/ns2008/description.php?tid=1937).
To Jim's point, the guidelines will vary by the application type, although there is a set of topics that apply to most developers (e.g. numeric overflow, synchronization, error handling, etc.). Whatever you do end up using, make sure that your specific type of application is included.

Cheers,
--
Rohit Sethi
Security Compass
http://www.securitycompass.com

On Sun, Sep 28, 2008 at 1:22 PM, Jim Manico <[EMAIL PROTECTED]> wrote:
> My thoughts...
>
> Your standards really need more context - the standards for Java thick client
> vs Java server/web code would be rather different, for example. Make sure
> your guide gives recommendations specific to the context of the application
> type.
>
> On that note, other thoughts....
>
> * Robert Seacord's guide is one of the best guides to secure coding in the
> C++ world but does not address web-based or non-C++ programming.
> a) I would also read Ken's book on this topic - great stuff.
> b) Microsoft books on their trustworthy computing initiative for the
> .NET world are very well written.
> * The SANS courses and certs are really network/infrastructure centric and
> are not that helpful for the software engineer.
> * The Sun link is way too general - nothing specific to really help the
> programmer write secure code.
> * 4-7 are way too general.
>
> In the web world, OWASP is by far the best. See:
> http://www.owasp.org/index.php/Category:OWASP_Guide_Project
>
> - Jim
>
> I am looking for a comprehensive set of secure coding standards to implement
> into my dev organization. These standards should cover Java, Web, and C/C++
> as well as guidelines for using features like encryption, authentication,
> SSO, SSL, etc. I am open to both publicly available standards as well as
> commercially available standards. So far, I found
>
> www.securecoding.cert.org - thanks to Robert C. Seacord,
> http://krvw.com/pipermail/sc-l/2008/001401.html
> http://java.sun.com/security/seccodeguide.html
> http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
> DHS Build Security In (kind of) -
> https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
> SANS Software Security Institute - http://www.sans-ssi.org/
> CERT Top 10 Secure Coding Practices -
> https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
> I would greatly appreciate any pointers to other links or to companies who
> have developed and sell these standards.
>
> Thanks in advance.
>
> An0n S3c.
>
> ________________________________
> _______________________________________________
> Secure Coding mailing list (SC-L) [email protected]
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
> --
> Jim Manico, Senior Application Security Engineer
> [EMAIL PROTECTED] | [EMAIL PROTECTED]
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
