What industry best practices and standards are appropriate for the development of custom applications? For secure coding practices, the first place I looked was the CERT Secure Coding Initiatives. CERT defines secure coding standards for several commonly used programming languages.
The clearest explanation of how to use CERT’s Secure Coding Standards is the document describing the relationship between the MITRE CWE and the CERT Secure Coding Standards. The MITRE Common Weakness Enumeration (CWE) is a measurable set of software weaknesses that includes categories for architectural, design and low-level coding errors.
The CWE includes different views of these software weaknesses. One view, CWE-734, enumerates the weaknesses addressed by the CERT C Secure Coding Standard. Adherence to the secure coding standard avoids these weaknesses. CWE-734 also provides insight into weaknesses that are not addressed by the CERT C Secure Coding Standard; this insight can be used to identify weaknesses that may need to be addressed elsewhere in the SDLC.
The CWE also provides views for the OWASP Top Ten. See CWE-711, CWE-629 and CWE-809.