Hi,
 
Something you may want to consider is how you plan on rolling this out
within your organisation. Where I work we have a strong culture of using
and following coding standards and guidelines, so rolling out secure
coding guidelines was not that difficult.
 
That said, we started small with a few key points to consider:
- buffer overflows
- input validation
- integer overflow
- variable initialisation
- memory management
- race conditions
- error handling / logging
- functions to avoid
 
Then we ran an introductory training course to quickly run through these
points.  The focus of the training was not to tout secure coding as
something new, but that secure coding was better quality code, and that
everyone's job is to write the best quality code that they can.
 
It really helps if any "bad" examples you use are taken from your
existing code base :)
 
Plan on updating your guidelines; we are now looking at updating our
guidelines and following up with new training.  Our guidelines are
heavily C focussed, but we are moving more to C# which changes things
quite dramatically, and we are looking to roll out these guidelines to
other development teams so we also need to look at their practices and
adjust the guidelines accordingly.
 
Also, depending on your organisation's code review practices, look at
providing guidance in what to look for if you are performing a secure
code review.
 
Hope this helps,
 
CJC
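As an added example (not part of CJC's message or of any guideline the list discusses), here is the kind of "bad" / "good" pair a C-focussed guideline can carry for three of the points above: buffer overflows together with the strcpy-style functions to avoid, integer overflow, and input validation, with variable initialisation and error handling showing up in the "good" halves. The function names, the 8-byte buffer and the port-number input are my own constructed choices; the "bad" forms are kept in comments so the file runs without undefined behaviour.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Buffer overflows / functions to avoid ----------------------------------
 * Bad (a "function to avoid"):  strcpy(dst, src);   // no bound on dst at all
 * Good: the caller passes the destination size, the copy is bounded, the
 * result is always NUL-terminated, and truncation is reported rather than
 * silently hidden. Returns 0 = copied, 1 = truncated, -1 = bad arguments. */
int copy_name(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;                       /* error handling: reject bad arguments */
    size_t n = strlen(src);
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);    /* leave room for the terminator */
        dst[dstlen - 1] = '\0';
        return 1;                        /* truncated: caller decides what that means */
    }
    memcpy(dst, src, n + 1);             /* fits, terminator included */
    return 0;
}

/* --- Integer overflow -------------------------------------------------------
 * Bad:  size_t bytes = count * elem;  p = malloc(bytes);   // wraps for a big count
 * Good: check that the product fits in size_t before computing it. */
int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;                       /* product would wrap */
    *out = a * b;
    return 0;
}

/* --- Input validation -------------------------------------------------------
 * Bad:  int port = atoi(text);   // "80x", "", "-1" and "99999" all "succeed"
 * Good: parse strictly: digits only, nothing trailing, range 1..65535. */
int parse_port(const char *s, uint16_t *out)
{
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;                       /* empty, sign, or leading whitespace */
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > 65535)
        return -1;                       /* trailing junk or out of range */
    *out = (uint16_t)v;
    return 0;
}

/* Wrapper so a caller can validate a string without an output variable. */
int port_is_valid(const char *s)
{
    uint16_t p = 0;                      /* variable initialisation: known value */
    return parse_port(s, &p) == 0;
}

/* Runs the functions above on constructed inputs; returns the number of
 * failed checks, so 0 means every "good" form behaved as the guideline says. */
int self_check(void)
{
    int failures = 0;
    char buf[8];                         /* deliberately small destination */
    size_t bytes = 0;
    uint16_t port = 0;

    if (copy_name(buf, sizeof buf, "Alice") != 0 || strcmp(buf, "Alice") != 0) failures++;
    if (copy_name(buf, sizeof buf, "Bartholomew") != 1 || strcmp(buf, "Barthol") != 0) failures++;
    if (copy_name(buf, 0, "x") != -1) failures++;
    if (checked_mul_size(3, 4, &bytes) != 0 || bytes != 12) failures++;
    if (checked_mul_size(SIZE_MAX, 2, &bytes) != -1) failures++;
    if (parse_port("8080", &port) != 0 || port != 8080) failures++;
    if (parse_port("80x", &port) != -1) failures++;
    if (parse_port("70000", &port) != -1) failures++;
    if (parse_port("-1", &port) != -1) failures++;
    if (parse_port("", &port) != -1) failures++;
    return failures;
}

int main(void)
{
    int f = self_check();
    printf("%d check(s) failed\n", f);
    return f == 0 ? 0 : 1;
}
```

The point of pairing each "good" function with the one-line "bad" comment above it is the one CJC makes: the safe form is simply the better quality code (it handles its error paths and states its contract), not a separate security feature bolted on.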


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of anon sec
Sent: 27 September 2008 20:58
To: sc-l@securecoding.org
Subject: [SC-L] Secure Coding Standards

I am looking for a comprehensive set of secure coding standards to implement
into my dev organization. These standards should cover Java, Web, and C/C++
as well as guidelines for using features like encryption, authentication,
SSO, SSL, etc. I am open to both publicly available standards as well as
commercially available standards. So far, I found

1. www.securecoding.cert.org <http://www.securecoding.cert.org/> - thanks to
   Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html
2. http://java.sun.com/security/seccodeguide.html
3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4. DHS Build Security In (kind of) -
   https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5. SANS Software Security Institute - http://www.sans-ssi.org/
6. CERT Top 10 Secure Coding Practices -
   https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

I would greatly appreciate any pointers to other links or to companies who
have developed and sell these standards.

Thanks in advance.

An0n S3c.


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________