...
- Open Web Application Security Project (OWASP) Secure Coding Practices Quick Reference Guide
- Software Assurance Forum for Excellence in Code (SAFECode) Fundamental Practices for Secure Software Development
- Oracle Secure Coding Guidelines for Java
- CMU Software Engineering Institute (SEI) CERT Coding Standards (C, C++, Android, Java, Perl)
- Apple Shell Script Security
As you read these, you'll find a number of common themes. I particularly like how SAFECode lays things out into separate practices for Design, Coding, and Testing & Validation. Under Design, they discuss: Secure Design Principles, Threat Modeling, Encryption Strategy, Standardizing Identity and Access, and Establishing Log and Audit Practices. Under Coding, they discuss: Coding Standards, Using Safe Functions Only, Using Code Analysis Tools, Handling Data Safely, and Error Handling. Under Testing & Validation, they discuss both Automated and Manual Testing. OWASP concentrates on coding practices, with checklists in these categories:
OWASP Coding Practice Checklists:

- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Data Protection
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management
- General Coding Practices
Invoking External Processes
...