Andrew van der Stock is also approaching this issue from a high level at http://www.greebo.net/2008/09/24/coding-standard/
His list looks rather complete.

- Jim

> My thoughts...
>
> Your standards really need more context - the standards for Java thick
> client vs Java server/web code would be rather different, for example.
> Make sure your guide gives recommendations specific to the context of
> the application type.
>
> On that note, other thoughts....
>
> * Robert Seacord's guide is one of the best guides to secure coding in
>   the C++ world but does not address web based or non C++ programming.
>   a) I would also read Ken's book on this topic - great stuff.
>   b) Microsoft books on their trustworthy computing initiative for
>      the .NET world are very well written.
> * The SANS courses and certs are really network/infrastructure
>   centric and are not that helpful for the software engineer.
> * The Sun link is way too general - nothing specific to really help the
>   programmer write secure code.
> * 4-7 are way too general.
>
> In the web world, OWASP is by far the best. See:
> http://www.owasp.org/index.php/Category:OWASP_Guide_Project
>
> - Jim
>
>> I am looking for a comprehensive set of secure coding standards to
>> implement into my dev organization. These standards should cover
>> Java, Web, and C/C++ as well as guidelines for using features like
>> encryption, authentication, SSO, SSL, etc. I am open to both publicly
>> available standards as well as commercially available standards. So
>> far, I found
>>
>> 1. www.securecoding.cert.org <http://www.securecoding.cert.org/> -
>>    thanks to Robert C. Seacord,
>>    http://krvw.com/pipermail/sc-l/2008/001401.html
>> 2. http://java.sun.com/security/seccodeguide.html
>> 3. http://wiki.services.openoffice.org/wiki/Cpp_Coding_Standards
>> 4. DHS Build Security In (kind of) -
>>    https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
>> 5. SANS Software Security Institute - http://www.sans-ssi.org/
>> 6. CERT Top 10 Secure Coding Practices -
>>    https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
>> 7. SANS GIAC Secure Software Programmer - http://www.sans.org/gssp/
>>
>> I would greatly appreciate any pointers to other links or to
>> companies who have developed and sell these standards.
>>
>> Thanks in advance.
>>
>> An0n S3c.
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Secure Coding mailing list (SC-L) SC-L@securecoding.org
>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>> List charter available at - http://www.securecoding.org/list/charter.php
>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>> as a free, non-commercial service to the software security community.
>> _______________________________________________
>
> --
> Jim Manico, Senior Application Security Engineer
> [EMAIL PROTECTED] | [EMAIL PROTECTED]
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008