
RE: [WEB SECURITY] Secure coding guidelines




Ya, HE is worth grabbing.  Also, I had the chance to review Hunting Security
Bugs written by the MS Office security test team
http://www.microsoft.com/MSPress/books/8485.asp
 
Coming out in a couple of weeks....  Covers much more than just web apps but
goes into great detail about testing methods.  I guess that's not coding
guidelines directly, eh, but indirectly...
 
 

  _____  

From: Matt Fisher [mailto:mfisher@spidynamics.com] 
Sent: Friday, August 11, 2006 2:25 PM
To: Lorna Alamri; Anurag Agarwal; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Secure coding guidelines


Anyone mention Hacking Exposed Web Applications Part Deux by Caleb, Joel and
Mike?
Also, Symantec Press will have a book out soon on testing software.  Don't
know the title offhand, but I know some of the authors include Chris Wysopal
and Elfriede Dustin.
 
 


  _____  

From: Lorna Alamri [mailto:lalamri@go-integral.com] 
Sent: Friday, August 11, 2006 4:51 PM
To: Anurag Agarwal; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Secure coding guidelines



http://java.sun.com/security/seccodeguide.html

https://buildsecurityin.us-cert.gov/daisy/bsi/home.html

 

Books:

"19 Deadly Sins of Software Security"
Michael Howard

"Software Security: Building Security In"
Gary McGraw

"Secure Coding"
Mark M. Graff and Kenneth R. Van Wyk

http://www.securecoding.org/companion/tools.php

 

You could build and implement a Secure Software Development Life Cycle
framework and implement systematic changes such as:

* Education of developers around application vulnerabilities

* Peer reviews

* Automated scan tools to be used at all stages of development

* Automated continuous integration builds

* Automated regression testing

* Checkpoints throughout the development cycle to inspect the code and
design, looking for potential vulnerabilities and determining solutions

 

 

  _____  

From: Anurag Agarwal [mailto:a_agrawwal@yahoo.com] 
Sent: Friday, August 11, 2006 1:51 PM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Secure coding guidelines

 

How about a list of sites which contain secure coding guidelines for Java,
ASP, Python, PHP, etc.?

Anybody know of any?

 

anurag





Brought to you by http://www.webappsec.org