Of the hundreds (now, perhaps, thousands) of sites on the Web that address some facet of secure coding, the ones we have listed below are those we recommend you check first.
- AusCERT Secure Programming Checklist
  ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist
  Secure programming information from the Australian Computer Emergency Response Team, AusCERT.
- FreeBSD Security Information
  http://www.freebsd.org/security/security.html
  Security tips specific to the FreeBSD operating system.
- Institute for Security and Open Methodologies
  http://www.isecom.org/ (formerly www.Ideahamster.org/)
  Contains, among other things, a repository of secure programming guidelines and testing methodologies. Included in this set is "The Secure Programming Standards Methodology Manual" by Victor A. Rodriguez.
- International Systems Security Engineering Association (ISSEA)
  http://www.issea.org/
  A not-for-profit professional organization "dedicated to the adoption of systems security engineering as a defined and measurable discipline."
- Packetstorm Tutorials List
  http://packetstormsecurity.nl/programming-tutorials/
  A useful list of tutorials on various programming languages, testing methodologies, and more.
- Secure, Efficient, and Easy C Programming
  http://irccrew.org/~cras/security/c-guide.html
  A useful "howto" document by Timo Sirainen with tips and examples of secure C coding.
- Secure Programming for Linux and Unix HOWTO
  http://www.dwheeler.com/secure-programs/
  David Wheeler's "Howto" page for secure programming information specific to Linux and Unix. Not an FAQ, but a substantial online book with accurate and far-ranging advice. Includes specific secure programming tips for Ada95, C, C++, Java, Perl, and Python.
- Systems Security Engineering Capability Maturity Model
  http://www.sse-cmm.org/
  Information on the Software Engineering Institute-derived SSE-CMM, which measures the maturity level of system security engineering processes (and provides guidelines to which to aspire).
- Secure Unix Programming FAQ
  http://www.whitefang.com/sup/secure-faq.html
  Another document with secure programming tips that are specific to Unix and Unix-like environments.
- Windows Security
  http://www.windowsecurity.com/
  A repository of information on Microsoft Windows security issues.
- Writing Safe Setuid Programs
  http://nob.cs.ucdavis.edu/~bishop/
  Home page of Professor Matt Bishop at the University of California at Davis. Contains numerous highly useful and informative papers, including his "Writing Safe Setuid Programs" paper.
- The World Wide Web Security FAQ
  http://www.w3.org/Security/Faq/www-security-faq.html
  Security and secure coding tips specific to web environments.
- The Open Web Application Security Project
  http://www.owasp.org/
  Useful web site with tips, tools, and information on developing secure web-based applications.