[SC-L] Language agnostic secure coding guidelines/standards?
AF
securecoding at nxtg.net
Thu Nov 13 09:27:12 EST 2008
Pete Werner wrote:
> Hi all
> I've been tasked with developing a secure coding standard for my
> employer. This will be a policy tool used to get developers to fix
> issues in their code after an audit, and also hopefully be of use to
> developers as they work to ensure they are compliant. The kicker is it
> needs to cover things ranging from cobol running on a mainframe, in
> house network monitoring software in c and perl through to web and
> desktop applications in java or .net.
> I've been doing some searching to see if there is anything similar
> online, but everything i've found is mostly focussed on web
> applications or language/platform specific. Does anyone know of
> something that may be what I'm looking for?
> It's basically going to be a checklist where every item will be
> something that can be audited, and the things that aren't relevant to
> a given application can be ignored. The broad sections I have so far
> are:
> Input/Output handling
> Session Control and Management
> Memory allocation and Management
> Authentication Management
> Authorisation Management
> Data Protection
> Logging and Auditing
> Application Errors and Exceptions
> Thanks in advance
> Pete
>
Hi Pete,
You are right when it comes to being agnostic, many
checklists and guides found on the web are webapp-oriented.
The security frames, however, mostly remain the same
for software, whether it is web-based or desktop-based,
such as:
- authentication
- authorisation
- data validation
- session management
- logging
- error handling
- cryptography
- ...
The proposition is that you might consider the OWASP's
"code review" or "testing" guides checkpoints (more than
60 controls are included) and derive their "architecture-agnostic"
counterpart.
You can then add the remaining frames, less found on
webapp-security guidances, such as memory management
or multithreading, from other sources.
This strategy would (I hope) help you build a first version
of your corporate secure coding guideline in a checklist
form.
I hope it helps...
regards,
A
ps: http://www.owasp.org/, the guides links are
shown in the upper right quick access projects links
More information about the SC-L
mailing list