Hi,

Something you may want to consider is how you plan on rolling this out within your organisation. Where I work we have a strong culture of using and following coding standards and guidelines, so rolling out secure coding guidelines was not that difficult. That said, we started small with a few key points to consider:

- buffer overflows
- input validation
- integer overflow
- variable initialisation
- memory management
- race conditions
- error handling / logging
- functions to avoid

Then we ran an introductory training course to quickly run through these points. The focus of the training was not to tout secure coding as something new, but that secure coding was better quality code, and that everyone's job is to write the best quality code that they can. It really helps if any "bad" examples you use are taken from your existing code base :)

Plan on updating your guidelines. We are now looking at updating our guidelines and following up with new training. Our guidelines are heavily C focussed, but we are moving more to C#, which changes things quite dramatically, and we are looking to roll out these guidelines to other development teams, so we also need to look at their practices and adjust the guidelines accordingly.

Also, depending on your organisation's code review practices, look at providing guidance on what to look for if you are performing a secure code review.

Hope this helps,
CJC
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of anon sec
Sent: 27 September 2008 20:58
To: sc-l@securecoding.org
Subject: [SC-L] Secure Coding Standards

I am looking for a comprehensive set of secure coding standards to implement into my dev organization. These standards should cover Java, Web, and C/C++ as well as guidelines for using features like encryption, authentication, SSO, SSL, etc. I am open to both publicly available standards as well as commercially available standards.

So far, I found:

1. www.securecoding.cert.org <http://www.securecoding.cert.org/> - thanks to Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html
2. http://java.sun.com/security/seccodeguide.html
3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
4. DHS Build Security In (kind of) - https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
5. SANS Software Security Institute - http://www.sans-ssi.org/
6. CERT Top 10 Secure Coding Practices - https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/

I would greatly appreciate any pointers to other links or to companies who have developed and sell these standards.

Thanks in advance.
An0n S3c.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________