Pete,

I think your best bet is the work being done by ISO/IEC JTC 1/SC 22/WG 23 
Programming Language Vulnerabilities.  The website for this work is 
http://www.aitcnet.org/isai/.

The latest Editor's draft of PDTR 24772, prepared by John Benito, is N0138 
which can be found here:

http://www.aitcnet.org/isai/_Mtg_10/_Mtg_9/22-OWGV-N-0138/n0138.pdf

This document provides language independent guidance, with language specific 
annexes.  I think this comes closest to what you are looking for.

CERT has developed/is developing language specific standards for C, C++, and Java, 
which are available online at www.securecoding.cert.org.  There is also a static 
version of the C standard which has been published by Addison-Wesley 
http://www.informit.com/store/product.aspx?isbn=0321563212 if you prefer your 
standards fixed instead of continually evolving.  ;^)

Our Java Secure Coding standard is being developed collaboratively with Sun 
Microsystems.  Eventually, I'll probably get an announcement out to that effect.

Thanks,
rCs

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Werner
Sent: Wednesday, November 12, 2008 7:22 PM
To: Secure Coding
Subject: [SC-L] Language agnostic secure coding guidelines/standards?

Hi all

I've been tasked with developing a secure coding standard for my employer. This 
will be a policy tool used to get developers to fix issues in their code after 
an audit, and also hopefully be of use to developers as they work to ensure 
they are compliant. The kicker is it needs to cover things ranging from COBOL 
running on a mainframe, in house network monitoring software in C and Perl 
through to web and desktop applications in Java or .NET.

I've been doing some searching to see if there is anything similar online, but 
everything I've found is mostly focussed on web applications or 
language/platform specific. Does anyone know of something that may be what I'm 
looking for?

It's basically going to be a checklist where every item will be something that 
can be audited, and the things that aren't relevant to a given application can 
be ignored. The broad sections I have so far are:

Input/Output handling
Session Control and Management
Memory allocation and Management
Authentication Management
Authorisation Management
Data Protection
Logging and Auditing
Application Errors and Exceptions

Thanks in advance
Pete
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, 
subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a 
free, non-commercial service to the software security community.
_______________________________________________
