An0n S3c,

I see you have already found our site, but I should probably take this opportunity to provide a couple of updates.

First of all, CERT has released the Java Secure Coding Standard in addition to the existing secure coding standards for the C and C++ programming languages. CERT invites the Java community to participate in this effort by reviewing content in the Java space at https://www.securecoding.cert.org/confluence/display/java/CERT+Java+Secure+Coding+Standard and providing comments.

Second, The CERT C Secure Coding Standard is being published by Addison-Wesley and has already gone to the printer (it should be available in October). This book is the first official release of the standard and has the advantage over the wiki version that we are not changing it all the time, so you can actually implement it. 8^) Anyway, you can read more about (and preorder!) the book version here: http://www.amazon.com/Secure-Coding-Standard-Software-Engineering/dp/0321563212

Another idea is to look a little further than strictly security-related coding standards. Another good C++ standard is JSF++: http://www.jsf.mil/downloads/documents/JSF_AV_C++_Coding_Standards_Rev_C.doc. You may also want to look at the various MISRA standards.

Thanks,
rCs

> I am looking for a comprehensive set of secure coding standards to
> implement in my dev organization. These standards should cover Java,
> Web, and C/C++ as well as guidelines for using features like
> encryption, authentication, SSO, SSL, etc. I am open to both publicly
> available standards as well as commercially available standards. So
> far, I found
>
> 1. www.securecoding.cert.org - thanks to Robert C. Seacord,
>    http://krvw.com/pipermail/sc-l/2008/001401.html
> 2. http://java.sun.com/security/seccodeguide.html
> 3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
> 4. DHS Build Security In (kind of) - https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
> 5. SANS Software Security Institute - http://www.sans-ssi.org/
> 6. CERT Top 10 Secure Coding Practices - https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> 7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
> I would greatly appreciate any pointers to other links or to
> companies who have developed and sell these standards.
>
> Thanks in advance.
>
> An0n S3c.

--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC
Work: 412-268-7608
FAX: 412-268-6989

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________