My thoughts...
You standards really need more context - the standards for Java thick
client vs Java server/web code would be rather different, for example.
Make sure your guide gives recomendations specific to the context of the
application type.
On that note, other thoughts....
* Robert Seacord's guide is one of the best guides to secure coding in
the C++ world but does not address web based or non C++ programming.
a) I would also read Ken's book on this topic - great stuff.
b) Microsoft books on their trustworthy computing initiative for the
.NET world are very well written.
* The SANS's courses and certs are really network/infrastructure centric
and are not that helpful for the software engineer
* The Sun link is way to general - nothing specific to really help the
programmer write secure code.
* 4-7 are way to general.
In the web world, OWASP is by far the best. See:
http://www.owasp.org/index.php/Category:OWASP_Guide_Project
- Jim
> I am looking for a comprehensive set of secure coding standards to
> implement into my dev organization. These standards should cover Java,
> Web, and C/C++ as well as guidelines for using features like
> encryption, authentication, SSO, SSL, etc. I am open to both publicly
> available standards as well as commercially available standards. So
> far, I found
>
> 1. www.securecoding.cert.org <http://www.securecoding.cert.org/> -
> thanks to Robert C. Seacord,
> http://krvw.com/pipermail/sc-l/2008/001401.html
> 2. http://java.sun.com/security/seccodeguide.html
> 3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
> 4. DHS Build Security In (kind of) -
> https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
> 5. SANS Software Security Institute - http://www.sans-ssi.org/
> 6. CERT Top 10 Secure Coding Practices -
>
> https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> 7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
> I would greatly appreciate any pointers to other links or to
> companies who have developed and sell these standards.
>
> Thanks in advance.
>
> An0n S3c.
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Sept 22nd-25th 2008
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
