Secure Coding mailing list archives
Language agnostic secure coding guidelines/standards?
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Thu, 13 Nov 2008 09:33:49 -0500
A while back, I got asked the same question and realized that at some level the question is flawed. Many large enterprises have standards documents that sit on the shelf, and the need to create more didn't feel right. Instead, we fell to the posture that we should invert the problem and instead find a tool that automates the code review process (aka static analysis), where we can not only measure compliance to the standard but get the standards off the shelf.

In terms of products, check out Ounce Labs, Coverity, Klocwork, etc. Most will have coverage for C, Java, .NET, etc. The challenge with some of the other languages you have is that pretty much no one in the security community has ever spent much time analyzing the weaknesses in COBOL. There is some stuff out there, but it is light when compared to Java...

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Pete Werner
Sent: Wednesday, November 12, 2008 7:22 PM
To: Secure Coding
Subject: [SC-L] Language agnostic secure coding guidelines/standards?

Hi all,

I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant.

The kicker is it needs to cover things ranging from COBOL running on a mainframe, in-house network monitoring software in C and Perl, through to web and desktop applications in Java or .NET. I've been doing some searching to see if there is anything similar online, but everything I've found is mostly focussed on web applications or is language/platform specific. Does anyone know of something that may be what I'm looking for?

It's basically going to be a checklist where every item will be something that can be audited, and the things that aren't relevant to a given application can be ignored.

The broad sections I have so far are:

Input/Output Handling
Session Control and Management
Memory Allocation and Management
Authentication Management
Authorisation Management
Data Protection
Logging and Auditing
Application Errors and Exceptions

Thanks in advance,
Pete
Current thread:
- Language agnostic secure coding guidelines/standards? Pete Werner (Nov 12)
- Language agnostic secure coding guidelines/standards? AF (Nov 13)
- Language agnostic secure coding guidelines/standards? McGovern, James F (HTSC, IT) (Nov 13)
- Language agnostic secure coding guidelines/standards? Andrew van der Stock (Nov 13)
- Language agnostic secure coding guidelines/standards? John Steven (Nov 13)
- Language agnostic secure coding guidelines/standards? Steven M. Christey (Nov 17)
- Language agnostic secure coding guidelines/standards? Gary McGraw (Nov 19)
- Language agnostic secure coding guidelines/standards? Pete Werner (Nov 20)
- Language agnostic secure coding guidelines/standards? Dave Wichers (Nov 21)
- <Possible follow-ups>
- Language agnostic secure coding guidelines/standards? David A. Wheeler (Nov 14)