This shows you the differences between two versions of the page.
security:securecode [2015/04/10 14:35] Luke Hinds [CERT] |
security:securecode [2015/04/29 12:21] (current) Marcel Winandy Added link to IEEE CSD Avoiding Top 10 Security Flaws |
Line 2: | Line 2: | ||
In order to insure limited exposure to security exploits within the opnfv platform, we recommend developers learn and implement secure coding practices. | In order to insure limited exposure to security exploits within the opnfv platform, we recommend developers learn and implement secure coding practices. | ||
+ | |||
+ | The following contains recommendations from CWE/SANS, The OpenStack Security Group (very good python resource) and CERT, OWASP. | ||
+ | |||
+ | If anyone has other resources or contributions they feel are useful additions, please make recommendations to the opnfv security group. | ||
===== Gerrit Security Impact Code Review ===== | ===== Gerrit Security Impact Code Review ===== | ||
- | We also strongly recommend to make use of the Gerrit secure code review tag we have. Any commit or comment to gerrit with the words 'SecurityImpact' will automatically email the security group for comment. | + | We also strongly recommend to make use of the Gerrit secure code review tag we have. Any commit (or commit amend) with the words 'SecurityImpact' will automatically email the security group for gerrit based review. |
+ | |||
+ | ==== Help review! ==== | ||
+ | |||
+ | You can never have enough eyes, doing security code reviews. If you have an interest in helping review code, please sign up to the [[https://lists.opnfv.org/mailman/listinfo|opnfv-security list]] | ||
+ | |||
+ | |||
+ | ===== CWE/SANS Top 25 ===== | ||
- | ===== CWE/SANS Top 25 Most Dangerous Programming Errors ===== | + | A very good reference for those new (and old) to secure coding conventions, is the CWE/SANS Top 25 Most Dangerous Programming Errors. The CWE give real world examples, of exactly how insecure code can be exploited. |
- | A good standard to start with, for those new to secure coding, is the CWE/SANS Top 25 Most Dangerous Programming Errors | + | Below is a simplified list, with a link to the CWE page that contains greater detail. |
==== Improper Input Validation ==== | ==== Improper Input Validation ==== | ||
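Review bot: the unchanged opening sentence still reads "insure limited exposure"; it should be "ensure", and the new list of sources ("CWE/SANS, The OpenStack Security Group (very good python resource) and CERT, OWASP") needs its commas and "and" untangled, e.g. "CWE/SANS, the OpenStack Security Group (a very good Python resource), CERT and OWASP." The rewritten Gerrit line should also state where 'SecurityImpact' has to appear (commit message subject or body) so contributors trigger the notification reliably, and "The CWE give real world examples, of exactly how" should lose the stray comma.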
Line 171: | Line 182: | ||
http://cwe.mitre.org/data/definitions/602.html | http://cwe.mitre.org/data/definitions/602.html | ||
- | + | ===== Other useful reference sources ===== | |
- | + | ||
- | + | ||
- | ===== Other very useful Reference Sources ===== | + | |
You may find the following resources also very helpful. | You may find the following resources also very helpful. | ||
- | ===== OSSG ===== | + | ==== OSSG Developer Guidelines ==== |
- | The OSSG (OpenStack Security Group) have authored a very good set of guidelines (mostly speficic to python). These can be found on Robert Clarks [[https://github.com/openstack-security/Developer-Guidance|on the following github repository]] | + | The OSSG (OpenStack Security Group) have authored a very good set of guidelines (mostly specific to python). These can be found on Robert Clarks [[https://github.com/openstack-security/Developer-Guidance|Github repository]] |
==== OWASP ==== | ==== OWASP ==== | ||
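Review bot: "Robert Clarks" needs an apostrophe ("Robert Clark's"), the subject and verb in "The OSSG ... have authored" should agree ("has authored"), and the sentence ends without a full stop. Restoring the blank line between the 602.html URL and the new "===== Other useful reference sources =====" heading would keep the separation the previous revision had.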
Line 194: | Line 202: | ||
Last, but not least, [[https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents|the OWASP top ten]] (a need of an update, but still relevant) | Last, but not least, [[https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents|the OWASP top ten]] (a need of an update, but still relevant) | ||
- | ==== CWE/SANS Top 25 ==== | ||
- | Even though not updated for a few years, the CWE/SANS top 25 list is still very relevant. Jump over to the [[http://cwe.mitre.org/top25/index.html|CWE site]] for examples of vulnerabilities as a direct result of insecure coding | + | ==== CERT ==== |
- | + | ||
- | ===== CERT ===== | + | |
The CERT standards are a very good free resource. Languages covered are C, C++, Java, Perl. It is currently hosted on a confluence space at cert [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards |over here]] | The CERT standards are a very good free resource. Languages covered are C, C++, Java, Perl. It is currently hosted on a confluence space at cert [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards |over here]] | ||
- | ===== safecode ===== | + | ==== safecode ==== |
The [[http://www.safecode.org/publication/SAFECode_Dev_Practices0211.pdf|Safe Code Development Practices guide]] | The [[http://www.safecode.org/publication/SAFECode_Dev_Practices0211.pdf|Safe Code Development Practices guide]] | ||
+ | |||
+ | ==== IEEE Computer Society's Center for Secure Design (CSD) ==== | ||
+ | |||
+ | [[http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html|Avoiding the Top 10 Security Flaws]] |
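Review bot: removing the "==== CWE/SANS Top 25 ====" subsection here drops the only direct link to the Top 25 list (http://cwe.mitre.org/top25/index.html); the new top-of-page section only promises per-entry CWE links, so carry that index link over so readers can still reach the full list. The new IEEE CSD entry is a bare link where every other entry has a one-line description; a sentence saying what the document covers would match the surrounding style.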