...
As you read these, you'll find a number of common themes.
The SAFECode document lays things out very nicely into separate practices for Design, Coding, and Testing & Validation. Under Design, they discuss: Secure Design Principles, Threat modeling, Encryption Strategy, Standardize Identity and Access, and Establish Log and Audit Practices. Under Coding, they discuss: Coding Standards, Using safe functions only, Using code analysis tools, Handling data safely, and Error Handling. And under Testing, they discuss both Automated and Manual Testing.
The other documents are oriented specifically to coding. For example, OWASP has some nice checklists in these categories:
OWASP Coding Practice Checklists | | |
---|---|---|
Input Validation | Error Handling and Logging | Cryptographic Practices |
Output Encoding | Data Protection | Memory Management |
Authentication and Password Management | Communication Security | File Management |
Session Management | System Configuration | General Coding Practices |
Access Control | Database Security | |
Invoking External Processes
...
- Use full paths for the programs you are executing. Note: While this can be done for shell scripts, this is most useful for non-shell scripts. For example,
  - shell (but see the note above):

        /bin/ls -l file

  - python:

        subprocess.Popen(["/bin/ls", "-l", "file"],
                         ...)
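The full-path rule as a reusable check, as an added example that is not from the original page: `check_program` and `run_trusted` are hypothetical helper names, the minimal environment is an assumption, and the extra `ls` file is constructed only to show what a bare name would resolve to when another directory comes first on the search path.

```python
import os
import shutil
import stat
import subprocess
import tempfile

SAFE_ENV = {"PATH": "/usr/bin:/bin", "LC_ALL": "C"}  # assumed minimal environment


def check_program(path):
    """Return path if it is an absolute, executable regular file whose mode
    bits deny write to group/other (parent directories are not checked)."""
    if not os.path.isabs(path):
        raise ValueError(f"not a full path: {path!r}")
    st = os.stat(path)  # follows symlinks, e.g. /bin -> /usr/bin
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"not a regular file: {path!r}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError(f"writable by group/other: {path!r}")
    if not os.access(path, os.X_OK):
        raise ValueError(f"not executable: {path!r}")
    return path


def run_trusted(argv):
    """Run argv (a list, never a shell string) after checking argv[0]."""
    check_program(argv[0])
    return subprocess.run(argv, shell=False, env=SAFE_ENV,
                          capture_output=True, text=True, check=True)


def demo():
    # Constructed scenario: a directory ahead of /bin holds its own "ls".
    with tempfile.TemporaryDirectory() as d:
        other = os.path.join(d, "ls")
        with open(other, "w") as f:
            f.write("#!/bin/sh\necho not-the-real-ls\n")
        os.chmod(other, 0o755)
        # A bare name resolves to the first match on the search path ...
        bare = shutil.which("ls", path=d + os.pathsep + "/bin")
        # ... while the full path always names the intended binary.
        out = run_trusted(["/bin/ls", "-l", other]).stdout
        return bare == other, other in out


if __name__ == "__main__":
    print(demo())
```
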
...