Re: [SC-L] Language agnostic secure coding guidelines/standards?
I'd like to mention that OWASP is about to release a Beta version of its Application Security Verification Standard (ASVS) - Web Application Edition. This standard (which is language agnostic) provides a checklist of security requirements that web applications should meet, and it is organized into increasing levels of difficulty based on the techniques you use to assess the application. The first level is based on what automated code analysis and external scanning tools can find. The second level is based on what human verifiers can find (who may use automated tools to assist them) doing code analysis and/or application penetration testing. There are also third and fourth levels that add additional requirements in the areas of architecture review, threat modeling, and the avoidance of malicious code.

I would think that this document would serve as a great reference to pull from in order to gather a set of language independent secure coding guidelines, since this is essentially the list of application security best practices that OWASP believes web applications need to meet in order to provide a baseline level of security. These requirements clearly don't include every security issue a web application may need to address, but they define the foundational requirements that we believe every application should meet.

An Alpha version of this standard is already publicly available at:
http://www.owasp.org/index.php/ASVS

The Beta release is close to completion and should come out sometime this December. I have cc'd Mike Boberski, who is the project lead for this OWASP Summer of Code 2008 project. You can contact either of us (as well as Jeff Williams) if you have any questions about this new OWASP Standard, as the three of us are the primary authors of this document.

-Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Werner
Sent: Friday, November 21, 2008 1:40 AM
To: Secure Coding
Subject: Re: [SC-L] Language agnostic secure coding guidelines/standards?

Hi All

Thank you for your replies, they have been very useful and will certainly help identify things that need to appear in the standard. We're trying to make the standard something that is easily auditable, and have decided to further split items into two categories: those that should be checked in development and those that should appear in the project documentation (e.g. things like definitions of log integrity/confidentiality requirements etc).

I'm also happy to say that within our organisation we already have secure coding training available for developers, support channels for developers with queries, language specific guidance, automated tools that can be used to detect software flaws, as well as an internal auditing and pentesting function. Needless to say it's been a big effort to get all this in place. The policy is an important piece of the puzzle which will hopefully help ensure the training and tools are utilised by developers.

These things are all great, but from an organisational perspective one of the most important things for us is the ongoing risk management of identified issues. We have a lot of applications in various stages of development and production, and a lot of developers. Tracking known issues, remediation timelines, and who is responsible for what is also a very big part of it, especially in larger organisations. Again I'm happy to say we have an internally developed system for doing this.

Rather than just giving myself a gold star on a mailing list, I would say to the vendors here: interoperability is a big thing for us, as no one product does it all to the level we require (and it's unlikely they ever will). We are far more likely to buy things that play nicely with what we have already, and so far, most of the tools we use do. Gold stars all round.

Anyway, thanks again for all the information.

Cheers,
Pete

On Thu, Nov 20, 2008 at 8:00 AM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> badness-ometer-pedia! most excellent descriptive phrase. You guys should
> change the official name!
>
> Incidentally, one of the best uses data like these can be put to is training.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> On 11/17/08 4:49 PM, "Steven M. Christey" <[EMAIL PROTECTED]> wrote:
>
> The CWE Research view (CWE-1000) is language-neutral at its higher-level
> nodes, and decomposes in some areas into language-specific constructs.
> Early experience suggests that this view is not necessarily
> developer-friendly, however, because it's not organized around the types
> of concepts that developers typically think in.
>
> http://cwe.mitre.org/data/definitions/1000.html
>
> (click the Graph tab on the top right of the page to see the
Re: [SC-L] Language agnostic secure coding guidelines/standards?
Hi All

Thank you for your replies, they have been very useful and will certainly help identify things that need to appear in the standard. We're trying to make the standard something that is easily auditable, and have decided to further split items into two categories: those that should be checked in development and those that should appear in the project documentation (e.g. things like definitions of log integrity/confidentiality requirements etc).

I'm also happy to say that within our organisation we already have secure coding training available for developers, support channels for developers with queries, language specific guidance, automated tools that can be used to detect software flaws, as well as an internal auditing and pentesting function. Needless to say it's been a big effort to get all this in place. The policy is an important piece of the puzzle which will hopefully help ensure the training and tools are utilised by developers.

These things are all great, but from an organisational perspective one of the most important things for us is the ongoing risk management of identified issues. We have a lot of applications in various stages of development and production, and a lot of developers. Tracking known issues, remediation timelines, and who is responsible for what is also a very big part of it, especially in larger organisations. Again I'm happy to say we have an internally developed system for doing this.

Rather than just giving myself a gold star on a mailing list, I would say to the vendors here: interoperability is a big thing for us, as no one product does it all to the level we require (and it's unlikely they ever will). We are far more likely to buy things that play nicely with what we have already, and so far, most of the tools we use do. Gold stars all round.

Anyway, thanks again for all the information.

Cheers,
Pete

On Thu, Nov 20, 2008 at 8:00 AM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> badness-ometer-pedia! most excellent descriptive phrase. You guys should
> change the official name!
>
> Incidentally, one of the best uses data like these can be put to is training.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> On 11/17/08 4:49 PM, "Steven M. Christey" <[EMAIL PROTECTED]> wrote:
>
> The CWE Research view (CWE-1000) is language-neutral at its higher-level
> nodes, and decomposes in some areas into language-specific constructs.
> Early experience suggests that this view is not necessarily
> developer-friendly, however, because it's not organized around the types
> of concepts that developers typically think in.
>
> http://cwe.mitre.org/data/definitions/1000.html
>
> (click the Graph tab on the top right of the page to see the breakdown)
>
> Obviously the CWE is a badness-ometer-pedia but suggests some areas that
> your guidelines would hopefully address.
>
> - Steve

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
Re: [SC-L] Language agnostic secure coding guidelines/standards?
badness-ometer-pedia! most excellent descriptive phrase. You guys should change the official name!

Incidentally, one of the best uses data like these can be put to is training.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 11/17/08 4:49 PM, "Steven M. Christey" <[EMAIL PROTECTED]> wrote:

> The CWE Research view (CWE-1000) is language-neutral at its higher-level
> nodes, and decomposes in some areas into language-specific constructs.
> Early experience suggests that this view is not necessarily
> developer-friendly, however, because it's not organized around the types
> of concepts that developers typically think in.
>
> http://cwe.mitre.org/data/definitions/1000.html
>
> (click the Graph tab on the top right of the page to see the breakdown)
>
> Obviously the CWE is a badness-ometer-pedia but suggests some areas that
> your guidelines would hopefully address.
>
> - Steve
Re: [SC-L] Language agnostic secure coding guidelines/standards?
The CWE Research view (CWE-1000) is language-neutral at its higher-level nodes, and decomposes in some areas into language-specific constructs. Early experience suggests that this view is not necessarily developer-friendly, however, because it's not organized around the types of concepts that developers typically think in.

http://cwe.mitre.org/data/definitions/1000.html

(click the Graph tab on the top right of the page to see the breakdown)

Obviously the CWE is a badness-ometer-pedia but suggests some areas that your guidelines would hopefully address.

- Steve
Re: [SC-L] Language agnostic secure coding guidelines/standards?
Pete Werner:
> I've been tasked with developing a secure coding standard for my
> employer. everything i've found is mostly focussed on web
> applications or language/platform specific. Does anyone know of
> something that may be what I'm looking for?

It's not exactly what you're looking for, but you can take a peek at my book, which is on-line:
http://www.dwheeler.com/secure-programs/

It's language agnostic, it provides guidelines for secure coding, and it applies to both web apps & non-web-apps. It _does_ focus on the Unix/Linux platform, as it was intended to... but at this point the majority of it is actually platform-agnostic. It is _NOT_ a checklist, though.

Instead of focusing on a checklist for humans, I would suggest using a static analysis tool to implement as much of a "checklist" as possible. Then any checklist you create should only include things that CANNOT be easily automated (e.g., "no default password").

However: TRAIN THE DEVELOPERS FIRST. Use my book, another book, whatever, but TRAIN them. In my experience, just handing a checklist or static analysis tool to developers is ineffective; a security-clueless developer will often not understand what the checklist/tool is saying, or "fix" it in a way that doesn't solve the problem. In contrast, having your developers understand security will mean that even WITHOUT a checklist/tool, they'll produce much better software... and then checklists & tools can actually be helpful. Since today's "average developer" has no clue about security, you MUST train them... you can't assume they start that way.

For a funny example where just handing someone a static analysis tool didn't do any good, see:
http://www.dwheeler.com/flawfinder/#fool-with-tool

In this case, RealNetworks used a static analysis tool (flawfinder), but instead of fixing the vulnerabilities flawfinder found, they just inserted directives to tell flawfinder to stop reporting the vulnerabilities. Of course, this didn't actually FIX the vulnerabilities...! And my thanks to RealNetworks for coming clean about their mistake; I'm sure they're neither the first NOR last, and we can learn from them.

--- David A. Wheeler
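The two practical points in David Wheeler's post above (automate the mechanical parts of a checklist with a tool, and watch for findings that are silenced rather than fixed) can be made concrete with a small script. The following is an added example, not code from the post, from Wheeler's book or from flawfinder itself: a toy checklist scanner that records, for every finding, whether the line carries an ignore directive, and then reports per file how large the suppressed share is. The directive text matches flawfinder's real "// Flawfinder: ignore" comment; the rule set, the "CL-nn" ids and the three C sources are constructed for this example.

```python
"""Added example (not from the SC-L thread, Wheeler's book or flawfinder):
a tiny checklist-style scanner plus a "suppression audit" that surfaces
files where findings were silenced instead of fixed.
"""
import re
from dataclasses import dataclass

# Hypothetical checklist items a tool can check mechanically (constructed;
# the function names are the classic C examples, the ids are made up).
RULES = {
    "CL-01 unbounded string copy": re.compile(r"\b(strcpy|strcat)\s*\("),
    "CL-02 unbounded line read": re.compile(r"\bgets\s*\("),
    "CL-03 non-literal format string": re.compile(r"\bprintf\s*\(\s*[A-Za-z_]"),
}
# A finding on a line carrying this comment is counted as suppressed.
# This is flawfinder's actual directive syntax.
SUPPRESS = re.compile(r"//\s*Flawfinder:\s*ignore", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    suppressed: bool


def scan(path: str, source: str) -> list[Finding]:
    """Apply every rule to every line; note whether the line has an ignore directive."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        suppressed = SUPPRESS.search(line) is not None
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, suppressed))
    return findings


def suppression_report(findings: list[Finding], max_ratio: float = 0.5) -> dict:
    """Per file: total findings, how many are suppressed, and whether the
    suppressed share exceeds max_ratio, which is the signal an auditor wants
    to see rather than a clean tool report that was produced by ignoring."""
    counts = {}
    for f in findings:
        total_supp = counts.setdefault(f.path, [0, 0])
        total_supp[0] += 1
        total_supp[1] += int(f.suppressed)
    return {
        path: {"total": t, "suppressed": s, "review": s / t > max_ratio}
        for path, (t, s) in counts.items()
    }


def audit(sources: dict) -> dict:
    """Scan every source and build the suppression report in one step."""
    findings = [f for path, text in sources.items() for f in scan(path, text)]
    return suppression_report(findings)


# Constructed sample sources: findings silenced, findings fixed, findings left open.
SILENCED = """\
#include <stdio.h>
#include <string.h>
void greet(char *dst, const char *name) {
    strcpy(dst, name);   // Flawfinder: ignore
    printf(name);        // Flawfinder: ignore
}
"""

FIXED = """\
#include <stdio.h>
void greet(char *dst, size_t dstlen, const char *name) {
    snprintf(dst, dstlen, "%s", name);
    printf("%s\\n", name);
}
"""

UNFIXED = """\
#include <string.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);
}
"""

if __name__ == "__main__":
    report = audit({"silenced.c": SILENCED, "fixed.c": FIXED, "unfixed.c": UNFIXED})
    for path, row in report.items():
        print(path, row)
```

Run on the three constructed files, the fixed file produces no findings at all, the unfixed file shows one open finding, and the silenced file is flagged for review because every finding in it was suppressed. Reviewing the flagged files is the human step that the tool cannot do; it is the kind of item that belongs on the non-automatable part of a checklist.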
Re: [SC-L] Language agnostic secure coding guidelines/standards?
Pete,

I think your best bet is the work being done by ISO/IEC JTC 1/SC 22/WG 23 Programming Language Vulnerabilities. The website for this work is http://www.aitcnet.org/isai/. The latest Editor's draft of PDTR 24772, prepared by John Benito, is N0138, which can be found here:
http://www.aitcnet.org/isai/_Mtg_10/_Mtg_9/22-OWGV-N-0138/n0138.pdf

This document provides language independent guidance, with language specific annexes. I think this comes closest to what you are looking for.

CERT has/is developing language specific standards for C, C++, and Java, which are available online at www.securecoding.cert.org. There is also a static version of the C standard which has been published by Addison-Wesley http://www.informit.com/store/product.aspx?isbn=0321563212 if you prefer your standards fixed instead of continually evolving. ;^)

Our Java Secure Coding standard is being developed collaboratively with Sun Microsystems. Eventually, I'll probably get an announcement out to that effect.

Thanks,
rCs

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Werner
Sent: Wednesday, November 12, 2008 7:22 PM
To: Secure Coding
Subject: [SC-L] Language agnostic secure coding guidelines/standards?

Hi all

I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant. The kicker is it needs to cover things ranging from COBOL running on a mainframe, in house network monitoring software in C and Perl through to web and desktop applications in Java or .NET.

I've been doing some searching to see if there is anything similar online, but everything I've found is mostly focussed on web applications or language/platform specific. Does anyone know of something that may be what I'm looking for?

It's basically going to be a checklist where every item will be something that can be audited, and the things that aren't relevant to a given application can be ignored. The broad sections I have so far are:

Input/Output handling
Session Control and Management
Memory allocation and Management
Authentication Management
Authorisation Management
Data Protection
Logging and Auditing
Application Errors and Exceptions

Thanks in advance
Pete
Re: [SC-L] Language agnostic secure coding guidelines/standards?
All,

James McGovern hits the core issue with his post, though I'm not sure how many organizations are self-aware enough to realize it. In practice, his philosophical quandary plays out through a few key questions. Do I:

1) Write technology-specific best-practices or security policy?
2) Couch my standards as "do not" or "do"?
3) Cull best practices from what people do, or set a bar and drive people towards compliance?
4) Spend money on training, or a tool roll-out?

See:
http://risiko.cigital.com/justiceleague/2007/05/25/a-mini-architecture-for-security-guidance/
http://risiko.cigital.com/justiceleague/2007/05/21/how-to-write-good-security-guidance/
http://risiko.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e2%80%9cspecificity-knob%e2%80%9d/

Though old, these posts still seem to help.

More recently, this argument has most frequently taken the form of "language specific guidance or agnostic security guidance?". This has begun to play out in Andrew's post quoted below. Though there's tremendous value in agnostic guidance (especially because it applies well to languages for which specific guidance or tool support doesn't yet exist, and because it withstands time's test slightly better). But, what OWASP has documented is a false victory for the proponents of agnostic guidance--citing its language independence. It, like any decent guidance, IS technology-specific, just not on any particular language. It's closely coupled to both the current web-technology stack as well as a penetration-testing approach (though, frankly, that is fine). Move outside of either and you're going to find the guidance wanting. Saying the OWASP guidance is better than language-specific guidance is like getting caught in the rabbit hole of Java's "single language compiled to a virtual machine that runs anywhere" vs. .NET's "many languages compiled to a single format that runs one place."

High-minded thought about whether or not one should proceed from the top down (from a strong but impractical to apply) governance initiative or from the bottom-up from a base of core scanning capabilities afforded by a security tool has won me little progress. It's frustrating and I give up. We needed a breakthrough, and we've gotten it: As a result, we've built a tool chain that allows us/our clients to rapidly implement automated checks whether they have a static analysis tool, rely on penetration testing, or desire to implement their security testing as part of a broader QA effort. The 'rub' is that we've stayed technology-specific (to the Java EE platform)--so all the appropriate limitations apply... but recently we were able to deploy the static analysis piece of this puzzle (which we call our Assessment Factory) and automate 55% of a corporation's (rather extensive) security standards for that stack in 12mhrs. That's ridiculous (in a good way).

So, in my mind, the key is to get specific and do it quickly. Deciding whether or not to get language or technology-stack specific is a red-herring argument. The question should be: are you going to implement your automation with dynamic testing tools, static analysis tools, or, say, a requirements management tool such as Archer?

If you're going the dynamic route, focus on technology-specific guidance. Download the OWASP security testing guide. Conduct a gap analysis on the guide: what can you automate with your existing test harness? If you don't have a harness, download Selenium. Once the gap analysis is done: get to work automating iteratively.

If you're going the static route: focus on language-specific guidance. Begin customizing your tool to find vulnerable constructs in your architectural idiom, and to detect non-compliance to your corporate standards/policy.

It's really not as bad as it can seem. You just have to remember you won't achieve 100% coverage in the first month. Though, any seasoned QA professional will tell you--expecting to is ludicrous.

John Steven
Senior Director; Advanced Technology Consulting
Direct: (703) 404-5726
Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven
http://www.cigital.com
Software Confidence. Achieved.

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Andrew van der Stock

The OWASP materials are fairly language neutral. The closest document to your current requirements is the Developer Guide.

I am also developing a coding standard for OWASP with a likely deliverable date next year. I am looking for volunteers to help with it, so if you want a document that exactly meets your needs ... Please join us!

On Nov 12, 2008, at 19:21, "Pete Werner" <[EMAIL PROTECTED]> wrote:
> Hi all
>
> I've been tasked with developing a secure coding standard for my
> employer. This will be a policy tool used to get developers to fix
> iss
Re: [SC-L] Language agnostic secure coding guidelines/standards?
The OWASP materials are fairly language neutral. The closest document to your current requirements is the Developer Guide.

I am also developing a coding standard for OWASP with a likely deliverable date next year. I am looking for volunteers to help with it, so if you want a document that exactly meets your needs ... Please join us!

Thanks,
Andrew

On Nov 12, 2008, at 19:21, "Pete Werner" <[EMAIL PROTECTED]> wrote:
> Hi all
>
> I've been tasked with developing a secure coding standard for my
> employer. This will be a policy tool used to get developers to fix
> issues in their code after an audit, and also hopefully be of use to
> developers as they work to ensure they are compliant. The kicker is it
> needs to cover things ranging from COBOL running on a mainframe, in
> house network monitoring software in C and Perl through to web and
> desktop applications in Java or .NET.
>
> I've been doing some searching to see if there is anything similar
> online, but everything I've found is mostly focussed on web
> applications or language/platform specific. Does anyone know of
> something that may be what I'm looking for?
>
> It's basically going to be a checklist where every item will be
> something that can be audited, and the things that aren't relevant to
> a given application can be ignored. The broad sections I have so far
> are:
>
> Input/Output handling
> Session Control and Management
> Memory allocation and Management
> Authentication Management
> Authorisation Management
> Data Protection
> Logging and Auditing
> Application Errors and Exceptions
>
> Thanks in advance
> Pete
Re: [SC-L] Language agnostic secure coding guidelines/standards?
Awhile back, I got asked the same question and realized that at some level the question is flawed. Many large enterprises have standards documents that sit on the shelf and the need to create more didn't feel right. Instead, we feel to the posture that we should inverse the problem and instead find a tool that automates the code review process (aka static analysis) where we can not only measure compliance to the standard but get the standards off the shelf.

In terms of products, check out Ounce Labs, Coverity, Klocwork, etc. Most will have coverage for C, Java, .NET, etc. The challenge with some of the other languages you have is that pretty much no one in the security community has ever spent much time analyzing the weaknesses in COBOL. There is some stuff out there, but it is light when compared to Java...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Werner
Sent: Wednesday, November 12, 2008 7:22 PM
To: Secure Coding
Subject: [SC-L] Language agnostic secure coding guidelines/standards?

Hi all

I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant. The kicker is it needs to cover things ranging from COBOL running on a mainframe, in house network monitoring software in C and Perl through to web and desktop applications in Java or .NET.

I've been doing some searching to see if there is anything similar online, but everything I've found is mostly focussed on web applications or language/platform specific. Does anyone know of something that may be what I'm looking for?

It's basically going to be a checklist where every item will be something that can be audited, and the things that aren't relevant to a given application can be ignored. The broad sections I have so far are:

Input/Output handling
Session Control and Management
Memory allocation and Management
Authentication Management
Authorisation Management
Data Protection
Logging and Auditing
Application Errors and Exceptions

Thanks in advance
Pete
Re: [SC-L] Language agnostic secure coding guidelines/standards?
Pete Werner wrote:
> Hi all
> I've been tasked with developing a secure coding standard for my
> employer. This will be a policy tool used to get developers to fix
> issues in their code after an audit, and also hopefully be of use to
> developers as they work to ensure they are compliant. The kicker is it
> needs to cover things ranging from COBOL running on a mainframe, in
> house network monitoring software in C and Perl through to web and
> desktop applications in Java or .NET.
> I've been doing some searching to see if there is anything similar
> online, but everything I've found is mostly focussed on web
> applications or language/platform specific. Does anyone know of
> something that may be what I'm looking for?
> It's basically going to be a checklist where every item will be
> something that can be audited, and the things that aren't relevant to
> a given application can be ignored. The broad sections I have so far
> are:
> Input/Output handling
> Session Control and Management
> Memory allocation and Management
> Authentication Management
> Authorisation Management
> Data Protection
> Logging and Auditing
> Application Errors and Exceptions
> Thanks in advance
> Pete
>

Hi Pete,

You are right when it comes to being agnostic: many checklists and guides found on the web are webapp-oriented. The security frames, however, mostly remain the same for software, whether it is web-based or desktop-based, such as:

- authentication
- authorisation
- data validation
- session management
- logging
- error handling
- cryptography
- ...

The proposition is that you might consider the OWASP "code review" or "testing" guides' checkpoints (more than 60 controls are included) and derive their "architecture-agnostic" counterpart. You can then add the remaining frames, less often found in webapp-security guidance, such as memory management or multithreading, from other sources.

This strategy would (I hope) help you build a first version of your corporate secure coding guideline in a checklist form.

I hope it helps...

regards,
A

ps: http://www.owasp.org/, the guides' links are shown in the upper right quick access projects links
[SC-L] Language agnostic secure coding guidelines/standards?
Hi all

I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant. The kicker is it needs to cover things ranging from COBOL running on a mainframe, in house network monitoring software in C and Perl through to web and desktop applications in Java or .NET.

I've been doing some searching to see if there is anything similar online, but everything I've found is mostly focussed on web applications or language/platform specific. Does anyone know of something that may be what I'm looking for?

It's basically going to be a checklist where every item will be something that can be audited, and the things that aren't relevant to a given application can be ignored. The broad sections I have so far are:

Input/Output handling
Session Control and Management
Memory allocation and Management
Authentication Management
Authorisation Management
Data Protection
Logging and Auditing
Application Errors and Exceptions

Thanks in advance
Pete