Re: [SC-L] Secure Coding Standards
The ones I know of from the OWASP (may not be called standard, not sure); http://www.owasp.org/index.php/Category:OWASP_Guide_Project (a little bit old, new version pending)http://www.owasp.org/index.php/OWASP_Backend_Security_Project (an owasp SoC '08 project, not finished yet but seems rather comprehensive) http://www.owasp.org/index.php/Category:Countermeasure (sporadic) cheers,Bedirhan Urgunhttp://www.webguvenligi.orghttp://www.owasp.org/index.php/Turkey Date: Sat, 27 Sep 2008 15:57:40 -0400From: [EMAIL PROTECTED]: [EMAIL PROTECTED]: [SC-L] Secure Coding Standards I am looking for a comprehensive set of secure coding standards to implement into my dev organization. These standards should cover Java, Web, and C/C++ as well as guidelines for using features like encryption, authentication, SSO, SSL, etc. I am open to both publicly available standards as well as commercially available standards. So far, I found www.securecoding.cert.org - thanks to Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html http://java.sun.com/security/seccodeguide.html http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards DHS Build Security In (kind of) - https://buildsecurityin.us-cert.gov/daisy/bsi/home.html SANS Software Security Institute - http://www.sans-ssi.org/ CERT Top 10 Secure Coding Practices - https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/ I would greatly appreciate any pointers to other links or to companies who have developed and sell these standards. Thanks in advance. An0n S3c. _ Get more out of the Web. Learn 10 hidden secrets of Windows Live. http://windowslive.com/connect/post/jamiethomson.spaces.live.com-Blog-cns!550F681DAD532637!5295.entry?ocid=TXT_TAGLM_WL_domore_092008___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Secure Coding Standards
Thanks. The OWASP Developer Guide Version 3 looks promising. Thanks again An0n S3c http://an0ns3c.blogspot.com On Sun, Sep 28, 2008 at 10:23 AM, Bedirhan Urgun [EMAIL PROTECTED] wrote: The ones I know of from the OWASP (may not be called standard, not sure); http://www.owasp.org/index.php/Category:OWASP_Guide_Project (a little bit old, new version pending) http://www.owasp.org/index.php/OWASP_Backend_Security_Project (an owasp SoC '08 project, not finished yet but seems rather comprehensive) http://www.owasp.org/index.php/Category:Countermeasure (sporadic) cheers, Bedirhan Urgun http://www.webguvenligi.org http://www.owasp.org/index.php/Turkey -- Date: Sat, 27 Sep 2008 15:57:40 -0400 From: [EMAIL PROTECTED] To: sc-l@securecoding.org Subject: [SC-L] Secure Coding Standards I am looking for a comprehensive set of secure coding standards to implement into my dev organization. These standards should cover Java, Web, and C/C++ as well as guidelines for using features like encryption, authentication, SSO, SSL, etc. I am open to both publicly available standards as well as commercially available standards. So far, I found 1. www.securecoding.cert.org - thanks to Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html 2. http://java.sun.com/security/seccodeguide.html 3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards 4. DHS Build Security In (kind of) - https://buildsecurityin.us-cert.gov/daisy/bsi/home.html 5. SANS Software Security Institute - http://www.sans-ssi.org/ 6. CERT Top 10 Secure Coding Practices - https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices 7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/ I would greatly appreciate any pointers to other links or to companies who have developed and sell these standards. Thanks in advance. An0n S3c. -- Get more out of the Web. Learn 10 hidden secrets of Windows Live. Learn Nowhttp://windowslive.com/connect/post/jamiethomson.spaces.live.com-Blog-cns!550F681DAD532637!5295.entry?ocid=TXT_TAGLM_WL_getmore_092008 ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Secure Coding Standards
Andrew van der Stock is also approaching this issue from a high level at http://www.greebo.net/2008/09/24/coding-standard/ His list looks rather complete. - Jim My thoughts... You standards really need more context - the standards for Java thick client vs Java server/web code would be rather different, for example. Make sure your guide gives recomendations specific to the context of the application type. On that note, other thoughts * Robert Seacord's guide is one of the best guides to secure coding in the C++ world but does not address web based or non C++ programming. a) I would also read Ken's book on this topic - great stuff. b) Microsoft books on their trustworthy computing initiative for the .NET world are very well written. * The SANS's courses and certs are really network/infrastructure centric and are not that helpful for the software engineer * The Sun link is way to general - nothing specific to really help the programmer write secure code. * 4-7 are way to general. In the web world, OWASP is by far the best. See: http://www.owasp.org/index.php/Category:OWASP_Guide_Project - Jim I am looking for a comprehensive set of secure coding standards to implement into my dev organization. These standards should cover Java, Web, and C/C++ as well as guidelines for using features like encryption, authentication, SSO, SSL, etc. I am open to both publicly available standards as well as commercially available standards. So far, I found 1. www.securecoding.cert.org http://www.securecoding.cert.org/ - thanks to Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html 2. http://java.sun.com/security/seccodeguide.html 3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards 4. DHS Build Security In (kind of) - https://buildsecurityin.us-cert.gov/daisy/bsi/home.html 5. SANS Software Security Institute - http://www.sans-ssi.org/ 6. CERT Top 10 Secure Coding Practices - https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices 7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/ I would greatly appreciate any pointers to other links or to companies who have developed and sell these standards. Thanks in advance. An0n S3c. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ -- Jim Manico, Senior Application Security Engineer [EMAIL PROTECTED] | [EMAIL PROTECTED] (301) 604-4882 (work) (808) 652-3805 (cell) Aspect Security™ Securing your applications at the source http://www.aspectsecurity.com --- Management, Developers, Security Professionals ... ... can only result in one thing. BETTER SECURITY. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 -- Jim Manico, Senior Application Security Engineer [EMAIL PROTECTED] | [EMAIL PROTECTED] (301) 604-4882 (work) (808) 652-3805 (cell) Aspect Security™ Securing your applications at the source http://www.aspectsecurity.com --- Management, Developers, Security Professionals ... ... can only result in one thing. BETTER SECURITY. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___