Re: Secure Software Development Checklist
From: rohnskii () gmail com
Date: 1 Nov 2007 22:36:17 -0000
Your task is "bigger than a breadbox", the requirements you describe are varied.
So, first, I think you can forget about a single checklist. It might start that way, but I think you'll quickly find
it gets too complex. So it will end up easier to use if you end up splitting it up.
Second, take a detailed inventory of the apps you want to cover.
Third, determine the risk/exposure to attack that the apps will be facing. The simplest split I can think of would be:
1. 100%, absolutely, positively, no doubt about it internal corporate use only, no browser exposure. Unfortunately,
this category is most likely to be in error. I once wrote an app that I was told was in this category. One year after it
was done, we sold it to a third party (who paid handsomely to upgrade it first!)
2. Browser based, internal app
3. Limited external exposure. "Trusted" clients
4. Wide open, web exposure.
Fourth, determine the vulnerabilities associated with each language. A compiled language like, say, Cobol, isn't
vulnerable to pointer and buffer overflows like the C family, or XSS attacks like HTML. This is particularly where I
think separate checklists will be best.
Fifth, determine which legal requirements must be met. Federal, State/Provincial, Industry all have different requirements.
You have to come up with an extract of the highest common denominator (if one says encrypt but the other doesn't care,
encrypt "wins". If another requires 7 years archive, vs 1 year, 7 are it ...). There are bound to be conflicts too
(PCI comes to mind, requiring data purge after 18-24 months vs legislation that requires 7 years of data archiving).
Google for "Standards" and "Best Practices" related to your specific languages.
Here are a few links for you to look at:
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1099349,00.html?track=NL-102&ad=537884 - Thwarting Hacker Techniques Learning Guide
http://searchsecurity.techtarget.com - spend lots of time looking around in this site, it has TONS of good stuff for you
http://www.techtoolblog.com/archives/195-free-online-programming-books - actually now more like 345 links, some good
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf - here is one book from NIST, it's only 290 pages. It covers security from A-Z, but there are lots of concepts that you will be able to extract. They have lots more, including some checklists you might find handy
http://www.boran.com/security/ - this one looks good for you, has several specific sets of technical guidelines, i.e. check out Ch13 Securing Applications
http://blogs.ittoolbox.com/security/adventures - check out this blogger, you'll get lots of points from him
http://www.bitpipe.com/detail/RES/1170683922_906.html - Path to a secure app: Source code security review checklist. Techtarget also has lots of good stuff for you
http://searchappsecurity.bitpipe.com/detail/RES/1151505153_648.html?src=DED_sappsec_08_08_06 - Security at the next
http://www1.sans-ssi.org/ - you are going to want to spend lots of time in this site
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1241948,00.html - Developing an app security mindset. Good overview.
http://www.owasp.org/index.php/Main_Page - OWASP Top ten is definitely something you are going to want to look at!
Finally, last but first. Whatever checklists / standards you end up defining, make sure that they get everyone
thinking about security by including steps right from the beginning of the design process. The earlier you start
considering and building in security, the cheaper and easier it will be to implement. Retrofitting logic is expensive.
Big topic, HTH
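The steps in the reply above (inventory the apps, classify each by exposure, map language-specific weaknesses, then merge legal and industry requirements by "highest common denominator" and spot conflicts such as a purge deadline shorter than a required retention period) can be turned into a small checklist builder. The code below is an added example, not code from the original post or any of the linked sites; the app names, rule sources, retention and purge figures, and the checklist wording are all constructed for illustration (the 18-month purge figure and the 7-year retention only echo the conflict the post describes and are not a statement of what any real regulation requires).

```python
"""Added example: build per-app security checklists from an inventory.

Follows the post's procedure: exposure tiers 1-4, language-specific
weaknesses, and legal/industry rules merged by "highest common denominator".
Every name and number below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class App:
    name: str
    language: str   # e.g. "c", "cobol", "html/js"
    exposure: int   # 1 = internal only ... 4 = wide open web, as in the post


@dataclass(frozen=True)
class Rule:
    """One legal or industry requirement (constructed sample fields)."""
    source: str
    encrypt: bool = False
    retain_years: float = 0.0                   # keep data at least this long
    purge_after_years: Optional[float] = None   # delete data by this age


@dataclass
class MergedRules:
    encrypt: bool
    retain_years: float
    purge_after_years: Optional[float]
    conflicts: List[str]


# Checks per exposure tier; a higher tier inherits every lower tier's checks.
EXPOSURE_CHECKS = {
    1: ["Authenticate every user", "Restrict access to the internal network"],
    2: ["Manage sessions securely", "Encode all output rendered in a browser"],
    3: ["Strongly authenticate each trusted client", "Rate-limit per client"],
    4: ["Validate all input at the edge", "Review against the OWASP Top Ten"],
}

# Language-specific weaknesses (constructed list; extend per your inventory).
LANGUAGE_CHECKS = {
    "c": ["Bounds-check every buffer write", "Audit pointer arithmetic"],
    "html/js": ["Escape untrusted output (XSS)"],
}


def merge_rules(rules: List[Rule]) -> MergedRules:
    """Highest common denominator: encrypt if any rule says so, retention is
    the maximum, purge deadline is the minimum; flag purge < retention."""
    encrypt = any(r.encrypt for r in rules)
    retain = max((r.retain_years for r in rules), default=0.0)
    purge_rules = [r for r in rules if r.purge_after_years is not None]
    purge = min((r.purge_after_years for r in purge_rules), default=None)
    conflicts = []
    for p in purge_rules:
        for k in rules:
            if k.retain_years > p.purge_after_years:
                conflicts.append(
                    f"{p.source} requires purge after {p.purge_after_years:g}y "
                    f"but {k.source} requires {k.retain_years:g}y retention"
                )
    return MergedRules(encrypt, retain, purge, conflicts)


def build_checklist(app: App, merged: MergedRules) -> List[str]:
    """Assemble the checklist for one app from its tier, language and rules."""
    items = []
    for tier in range(1, app.exposure + 1):
        items.extend(EXPOSURE_CHECKS[tier])
    items.extend(LANGUAGE_CHECKS.get(app.language.lower(),
                                     ["Look up language-specific weaknesses"]))
    if merged.encrypt:
        items.append("Encrypt stored data")
    if merged.retain_years:
        items.append(f"Retain records for {merged.retain_years:g} years")
    if merged.purge_after_years is not None:
        items.append(f"Purge data after {merged.purge_after_years:g} years")
    for c in merged.conflicts:
        items.append("CONFLICT (needs a legal decision): " + c)
    return items


# Constructed sample inventory and rule set.
SAMPLE_APPS = [
    App("payroll-batch", "cobol", 1),
    App("partner-portal", "html/js", 3),
    App("storefront", "html/js", 4),
]
SAMPLE_RULES = [
    Rule("card-data industry rule (constructed)", encrypt=True, purge_after_years=1.5),
    Rule("record-keeping statute (constructed)", retain_years=7.0),
]

if __name__ == "__main__":
    merged = merge_rules(SAMPLE_RULES)
    for app in SAMPLE_APPS:
        print(f"== {app.name} (tier {app.exposure}, {app.language}) ==")
        for item in build_checklist(app, merged):
            print(" -", item)
```

Running it prints one checklist per app; the conflict line shows up on every app because the merged rules apply to the whole inventory, which is the point the post makes about reconciling standards before writing the checklists.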