As a complement to coding standards, you may want to consider using the Common Weakness Enumeration (CWE) as a target list of the coding, design and implementation issues you are trying to minimize through use of those coding standards.

Using the CWEs can also help you to drive and correlate your test program into a cross-check of the issues you care about, to assure yourself that they were actually addressed by your development standards. Many of the testing approaches, whether they be from manual reviews, penetration testing/black box testing, or from white box testing/code assessments, are easily correlated with CWEs, either because the vendors are already tagging their findings with CWEs or because your testers can easily match their testing to the CWEs that their testing uncovers. Several large commercial development vendors are using CWE as a framework for targeting and tracking their application security reviews, both as a way of articulating their goals about which kinds of issues they want to address and as a way to document and track their progress. Many of the coding standards efforts you listed, as well as the OWASP efforts, have already mapped (or are in the process of mapping) their coding standards/guidance to the CWEs that the individual rules address.

Regards,

Bob

anon sec wrote:
> I am looking for a comprehensive set of secure coding standards to implement
> into my dev organization. These standards should cover Java, Web, and C/C++
> as well as guidelines for using features like encryption, authentication,
> SSO, SSL, etc. I am open to both publicly available standards as well as
> commercially available standards. So far, I found
>
> 1. www.securecoding.cert.org - thanks to Robert C. Seacord,
> http://krvw.com/pipermail/sc-l/2008/001401.html
> 2. http://java.sun.com/security/seccodeguide.html
> 3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
> 4. DHS Build Security In (kind of) -
> https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
> 5. SANS Software Security Institute - http://www.sans-ssi.org/
> 6. CERT Top 10 Secure Coding Practices -
> https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> 7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>
> I would greatly appreciate any pointers to other links or to companies who
> have developed and sell these standards.
>
> Thanks in advance.
>
> An0n S3c.
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________