A Security Practices Evaluation Framework

Apply Secure Coding Standards

Apply (and define, if necessary) security-focused coding standards for each language and component used in building the software.

Description

A secure coding standard consists of security-specific usage rules for the language(s) used to develop the project’s software.

Practice Implementation Questions

  1. Is there a coding standard used by the project?
  2. Are security-specific rules included in the project’s coding standard?
  3. Is logging required by the coding standard?
  4. Are rules for cryptography (encryption and decryption) specified in the coding standard?
  5. Are technology-specific security rules included in the project’s coding standard?
  6. Are good and bad examples of security coding given in the standard?
  7. Are checks of the project coding standards automated?
  8. Are project coding standards enforced?
  9. Are project coding standards revised as needed? On a schedule?

Keywords

avoid, banned, buffer overflow, checklist, code, code review, code review checklist, coding technique, commit checklist, dependency, design pattern, do not use, enforce function, firewall, grant, input validation, integer overflow, logging, memory allocation, methodology, policy, port, security features, security principle, session, software quality, source code, standard, string concatenation, string handling function, SQL Injection, unsafe functions, validate, XML parser

</p>
<p>Links: BSIMM SR 1.4 Use secure coding standards.</p>