Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Cassidy, Colin (GE Infra, Energy)
Hi,
 
Something you may want to consider is how you plan on rolling this out
within your organisation. Where I work we have a strong culture of using
and following coding standards and guidelines, so rolling out secure
coding guidelines was not that difficult.
 
That said, we started small with a few key points to consider:
- buffer overflows
- input validation
- integer overflow
- variable initialisation
- memory management
- race conditions
- error handling / logging
- functions to avoid
 
Then we ran an introductory training course to quickly run through these
points.  The focus of the training was not to tout secure coding as
something new, but that secure coding was better quality code, and that
everyone's job is to write the best quality code that they can.
 
It really helps if any bad examples you use are taken from your
existing code base :)
 
Plan on updating your guidelines; we are now looking at updating our
guidelines and following up with new training.  Our guidelines are
heavily C focussed, but we are moving more to C# which changes things
quite dramatically, and we are looking to roll out these guidelines to
other development teams so we also need to look at their practices and
adjust the guidelines accordingly.
 
Also, depending on your organisation's code review practices, look at
providing guidance in what to look for if you are performing a secure
code review.
 
Hope this helps,
 
CJC



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of anon sec
Sent: 27 September 2008 20:58
To: sc-l@securecoding.org
Subject: [SC-L] Secure Coding Standards


I am looking for a comprehensive set of secure coding standards
to implement into my dev organization. These standards should cover
Java, Web, and C/C++ as well as guidelines for using features like
encryption, authentication, SSO, SSL, etc. I am open to both publicly
available standards as well as commercially available standards. So far,
I found 

1.  www.securecoding.cert.org http://www.securecoding.cert.org/ - thanks to Robert C. Seacord,
    http://krvw.com/pipermail/sc-l/2008/001401.html
2.  http://java.sun.com/security/seccodeguide.html
3.  http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4.  DHS Build Security In (kind of) -
    https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5.  SANS Software Security Institute - http://www.sans-ssi.org/
6.  CERT Top 10 Secure Coding Practices -
    https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7.  SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

 I would greatly appreciate any pointers to other links or to
companies who have developed and sell these standards.
 
Thanks in advance. 
 
An0n S3c. 

 

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Secure Coding Standards

2008-09-29 Thread anon sec
Jim
Thanks. I will add that to the list.
An0n S3c

On Sun, Sep 28, 2008 at 1:45 PM, Jim Manico [EMAIL PROTECTED] wrote:

 Andrew van der Stock is also approaching this issue from a high level at

 http://www.greebo.net/2008/09/24/coding-standard/

 His list looks rather complete.

 - Jim


 My thoughts...

 Your standards really need more context - the standards for Java thick
 client vs Java server/web code would be rather different, for example. Make
 sure your guide gives recommendations specific to the context of the
 application type.

 On that note, other thoughts

 * Robert Seacord's guide is one of the best guides to secure coding in the
 C++ world but does not address web based or non C++ programming.
 a) I would also read Ken's book on this topic - great stuff.
 b) Microsoft books on their trustworthy computing initiative for the
 .NET world are very well written.
 * The SANS's courses and certs are really network/infrastructure centric
 and are not that helpful for the software engineer
 * The Sun link is way too general - nothing specific to really help the
 programmer write secure code.
 * 4-7 are way too general.

 In the web world, OWASP is by far the best. See:
 http://www.owasp.org/index.php/Category:OWASP_Guide_Project

 - Jim

  I am looking for a comprehensive set of secure coding standards to
 implement into my dev organization. These standards should cover Java, Web,
 and C/C++ as well as guidelines for using features like encryption,
 authentication, SSO, SSL, etc. I am open to both publicly available
 standards as well as commercially available standards. So far, I found

1. www.securecoding.cert.org - thanks to Robert C. Seacord,
http://krvw.com/pipermail/sc-l/2008/001401.html
2. http://java.sun.com/security/seccodeguide.html
3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4. DHS Build Security In (kind of) -
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5. SANS Software Security Institute - http://www.sans-ssi.org/
6. CERT Top 10 Secure Coding Practices -
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

  I would greatly appreciate any pointers to other links or to companies who
 have developed and sell these standards.

 Thanks in advance.

 An0n S3c.







 --
 Jim Manico, Senior Application Security Engineer
 [EMAIL PROTECTED] | [EMAIL PROTECTED]
 (301) 604-4882 (work)
 (808) 652-3805 (cell)

 Aspect Security™
 Securing your applications at the source
 http://www.aspectsecurity.com

 ---
 Management, Developers, Security Professionals ...
 ... can only result in one thing. BETTER SECURITY.
 http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
 Sept 22nd-25th 2008







Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Robert C. Seacord
An0n S3c,

i see you have already found our site, but i should probably take this
opportunity to provide a couple of updates.

first of all, CERT has released the Java Secure Coding Standard in
addition to existing secure coding standards for the C and C++
programming languages. CERT invites the Java community to participate in
this effort by reviewing content in the Java space at
https://www.securecoding.cert.org/confluence/display/java/CERT+Java+Secure+Coding+Standard
and providing comments.

second, The CERT C Secure Coding Standard is being published by
Addison-Wesley and has already gone to the printer (it should be
available in October).  this book is the first official release of the
standard and has the advantage over the wiki version that we are not
changing it all the time, so you can actually implement it.  8^) 
anyway, you can read more (and preorder!) the book version here:
http://www.amazon.com/Secure-Coding-Standard-Software-Engineering/dp/0321563212

another idea is to look a little further from strictly security related
coding standards.  another good C++ standard is JSF++
http://www.jsf.mil/downloads/documents/JSF_AV_C++_Coding_Standards_Rev_C.doc. 
you may also want to look at the various MISRA standards.

thanks,
rCs
 I am looking for a comprehensive set of secure coding standards to
 implement into my dev organization. These standards should cover Java,
 Web, and C/C++ as well as guidelines for using features like
 encryption, authentication, SSO, SSL, etc. I am open to both publicly
 available standards as well as commercially available standards. So
 far, I found

1. www.securecoding.cert.org http://www.securecoding.cert.org/ -
   thanks to Robert C. Seacord,
   http://krvw.com/pipermail/sc-l/2008/001401.html
2. http://java.sun.com/security/seccodeguide.html
3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4. DHS Build Security In (kind of) -
   https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5. SANS Software Security Institute - http://www.sans-ssi.org/
6. CERT Top 10 Secure Coding Practices -
   https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

  I would greatly appreciate any pointers to other links or to
 companies who have developed and sell these standards.
  
 Thanks in advance.
  
 An0n S3c.

  

 

   


-- 
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC 

Work: 412-268-7608
FAX: 412-268-6989



Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Robert Martin
As a complement to coding standards you may want to consider using the 
Common Weakness Enumeration (CWE) as a target list of coding, design and 
implementation issues you are trying to minimize through use of those 
coding standards.

Using the CWEs can also help you to drive and correlate your test 
program into a cross checking of the issues you care about to assure 
yourself that they were actually addressed by your development 
standards.  Many of the testing approaches, whether they be from manual 
reviews, penetration testing/black box testing, or from white box 
testing/code assessments are easily correlated with CWEs either because 
the vendors are already tagging their findings with CWEs or because your 
testers can easily match their testing to the CWEs that their testing 
uncovers.

Several large commercial development vendors are using CWE as a 
framework for targeting and tracking their application security reviews 
both as a way of articulating their goals about which kinds of issues 
they want to address as well as a way to document and track their progress.

Many of the coding standards efforts you listed, as well as the OWASP 
efforts, have already mapped (or are in the process of mapping) their 
coding standards/guidance to the CWEs that the individual rules address.

Regards,

Bob

anon sec wrote:
 I am looking for a comprehensive set of secure coding standards to implement
 into my dev organization. These standards should cover Java, Web, and C/C++
 as well as guidelines for using features like encryption, authentication,
 SSO, SSL, etc. I am open to both publicly available standards as well as
 commercially available standards. So far, I found
 
1. www.securecoding.cert.org - thanks to Robert C. Seacord,
http://krvw.com/pipermail/sc-l/2008/001401.html
2. http://java.sun.com/security/seccodeguide.html
3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4. DHS Build Security In (kind of) -
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5. SANS Software Security Institute - http://www.sans-ssi.org/
6. CERT Top 10 Secure Coding Practices -
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
 
  I would greatly appreciate any pointers to other links or to companies who
 have developed and sell these standards.
 
 Thanks in advance.
 
 An0n S3c.
 
 
 
 
 


Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Rohit Lists
Most of the SANS classes are network/infrastructure related, but some
of them are made specifically for secure coding in a particular
language. I'm an instructor and courseware developer for Security 541,
the secure coding in Java / JEE class
(http://www.sans.org/ns2008/description.php?tid=1937).

To Jim's point, the guidelines will vary by the application type
although there are a set of topics that apply to most developers (e.g.
numeric overflow, synchronization, error handling, etc.). Whatever you
do end up using make sure that your specific type of application is
included.

Cheers,
-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com

On Sun, Sep 28, 2008 at 1:22 PM, Jim Manico [EMAIL PROTECTED] wrote:
 My thoughts...

 Your standards really need more context - the standards for Java thick client
 vs Java server/web code would be rather different, for example. Make sure
 your guide gives recommendations specific to the context of the application
 type.

 On that note, other thoughts

 * Robert Seacord's guide is one of the best guides to secure coding in the
 C++ world but does not address web based or non C++ programming.
 a) I would also read Ken's book on this topic - great stuff.
 b) Microsoft books on their trustworthy computing initiative for the
 .NET world are very well written.
 * The SANS's courses and certs are really network/infrastructure centric and
 are not that helpful for the software engineer
 * The Sun link is way too general - nothing specific to really help the
 programmer write secure code.
 * 4-7 are way too general.

 In the web world, OWASP is by far the best. See:
 http://www.owasp.org/index.php/Category:OWASP_Guide_Project

 - Jim

 I am looking for a comprehensive set of secure coding standards to implement
 into my dev organization. These standards should cover Java, Web, and C/C++
 as well as guidelines for using features like encryption, authentication,
 SSO, SSL, etc. I am open to both publicly available standards as well as
 commercially available standards. So far, I found

 www.securecoding.cert.org - thanks to Robert C. Seacord,
 http://krvw.com/pipermail/sc-l/2008/001401.html
 http://java.sun.com/security/seccodeguide.html
 http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
 DHS Build Security In (kind of) -
 https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
 SANS Software Security Institute - http://www.sans-ssi.org/
 CERT Top 10 Secure Coding Practices -
 https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
 SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

  I would greatly appreciate any pointers to other links or to companies who
 have developed and sell these standards.

 Thanks in advance.

 An0n S3c.



 


Re: [SC-L] Secure Coding Standards

2008-09-28 Thread Bedirhan Urgun

 
The ones I know of from the OWASP (may not be called standard, not sure);

http://www.owasp.org/index.php/Category:OWASP_Guide_Project (a little bit old, new version pending)
http://www.owasp.org/index.php/OWASP_Backend_Security_Project (an owasp SoC '08 project, not finished yet but seems rather comprehensive)
http://www.owasp.org/index.php/Category:Countermeasure (sporadic)

cheers,
Bedirhan Urgun
http://www.webguvenligi.org
http://www.owasp.org/index.php/Turkey



Date: Sat, 27 Sep 2008 15:57:40 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [SC-L] Secure Coding Standards

I am looking for a comprehensive set of secure coding standards to implement 
into my dev organization. These standards should cover Java, Web, and C/C++ as 
well as guidelines for using features like encryption, authentication, SSO, 
SSL, etc. I am open to both publicly available standards as well as 
commercially available standards. So far, I found 

www.securecoding.cert.org - thanks to Robert C. Seacord, 
http://krvw.com/pipermail/sc-l/2008/001401.html 
http://java.sun.com/security/seccodeguide.html
http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
DHS Build Security In (kind of) - 
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
SANS Software Security Institute - http://www.sans-ssi.org/
CERT Top 10 Secure Coding Practices - 
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
 I would greatly appreciate any pointers to other links or to companies who 
have developed and sell these standards.
 
Thanks in advance. 
 
An0n S3c. 
 


Re: [SC-L] Secure Coding Standards

2008-09-28 Thread anon sec
Thanks. The OWASP Developer Guide Version 3 looks promising.

Thanks again

An0n S3c
http://an0ns3c.blogspot.com

On Sun, Sep 28, 2008 at 10:23 AM, Bedirhan Urgun [EMAIL PROTECTED] wrote:


 The ones I know of from the OWASP (may not be called standard, not sure);

 http://www.owasp.org/index.php/Category:OWASP_Guide_Project (a little bit
 old, new version pending)
 http://www.owasp.org/index.php/OWASP_Backend_Security_Project (an owasp
 SoC '08 project, not finished yet but seems rather comprehensive)
 http://www.owasp.org/index.php/Category:Countermeasure (sporadic)

 cheers,
 Bedirhan Urgun
 http://www.webguvenligi.org
 http://www.owasp.org/index.php/Turkey


 --

 Date: Sat, 27 Sep 2008 15:57:40 -0400
 From: [EMAIL PROTECTED]
 To: sc-l@securecoding.org
 Subject: [SC-L] Secure Coding Standards



  I am looking for a comprehensive set of secure coding standards to
 implement into my dev organization. These standards should cover Java, Web,
 and C/C++ as well as guidelines for using features like encryption,
 authentication, SSO, SSL, etc. I am open to both publicly available
 standards as well as commercially available standards. So far, I found

1. www.securecoding.cert.org - thanks to Robert C. Seacord,
http://krvw.com/pipermail/sc-l/2008/001401.html
2. http://java.sun.com/security/seccodeguide.html
3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4. DHS Build Security In (kind of) -
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5. SANS Software Security Institute - http://www.sans-ssi.org/
6. CERT Top 10 Secure Coding Practices -
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

  I would greatly appreciate any pointers to other links or to companies who
 have developed and sell these standards.

 Thanks in advance.

 An0n S3c.




Re: [SC-L] Secure Coding Standards

2008-09-28 Thread Jim Manico
Andrew van der Stock is also approaching this issue from a high level at

http://www.greebo.net/2008/09/24/coding-standard/

His list looks rather complete.

- Jim

 My thoughts...

 Your standards really need more context - the standards for Java thick
 client vs Java server/web code would be rather different, for example.
 Make sure your guide gives recommendations specific to the context of
 the application type.

 On that note, other thoughts

 * Robert Seacord's guide is one of the best guides to secure coding in
 the C++ world but does not address web based or non C++ programming.
 a) I would also read Ken's book on this topic - great stuff.
 b) Microsoft books on their trustworthy computing initiative for
 the .NET world are very well written.
 * The SANS's courses and certs are really network/infrastructure
 centric and are not that helpful for the software engineer
 * The Sun link is way too general - nothing specific to really help the
 programmer write secure code.
 * 4-7 are way too general.

 In the web world, OWASP is by far the best. See:
 http://www.owasp.org/index.php/Category:OWASP_Guide_Project

 - Jim
 I am looking for a comprehensive set of secure coding standards to
 implement into my dev organization. These standards should cover
 Java, Web, and C/C++ as well as guidelines for using features like
 encryption, authentication, SSO, SSL, etc. I am open to both publicly
 available standards as well as commercially available standards. So
 far, I found

1. www.securecoding.cert.org http://www.securecoding.cert.org/ -
   thanks to Robert C. Seacord,
   http://krvw.com/pipermail/sc-l/2008/001401.html
2. http://java.sun.com/security/seccodeguide.html
3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4. DHS Build Security In (kind of) -
   https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5. SANS Software Security Institute - http://www.sans-ssi.org/
6. CERT Top 10 Secure Coding Practices -
   https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

  I would greatly appreciate any pointers to other links or to
 companies who have developed and sell these standards.
  
 Thanks in advance.
  
 An0n S3c.

  

 
