Pete Werner wrote: > Hi all > I've been tasked with developing a secure coding standard for my > employer. This will be a policy tool used to get developers to fix > issues in their code after an audit, and also hopefully be of use to > developers as they work to ensure they are compliant. The kicker is it > needs to cover things ranging from cobol running on a mainframe, in > house network monitoring software in c and perl through to web and > desktop applications in java or .net. > I've been doing some searching to see if there is anything similar > online, but everything i've found is mostly focussed on web > applications or language/platform specific. Does anyone know of > something that may be what I'm looking for? > It's basically going to be a checklist where every item will be > something that can be audited, and the things that aren't relevant to > a given application can be ignored. The broad sections I have so far > are: > Input/Output handling > Session Control and Management > Memory allocation and Management > Authentication Management > Authorisation Management > Data Protection > Logging and Auditing > Application Errors and Exceptions > Thanks in advance > Pete >
Hi Pete, You are right when it comes to being agnostic, many checklists and guides found on the web are webapp-oriented. The security frames, however, mostly remain the same for software, whether it is web-based or desktop-based, such as: - authentication - authorisation - data validation - session management - logging - error handling - cryptography - ... The proposition is that you might consider the OWASP's "code review" or "testing" guides checkpoints (more than 60 controls are included) and derive their "architecture-agnostic" counterpart. You can then add the remaining frames, less found on webapp-security guidances, such as memory management or multithreading, from other sources. This strategy would (I hope) help you build a first version of your corporate secure coding guideline in a checklist form. I hope it helps... regards, A ps: http://www.owasp.org/, the guides links are shown in the upper right quick access projects links _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________