[Owasp-leaders] Secure Coding Cheatsheet

Michael Coates michael.coates at owasp.org
Tue Oct 25 12:01:42 EDT 2011


Leaders,

A few weeks back I posted[1] on the Mozilla Web Security blog about a secure coding guidelines document that we use at Mozilla. I made the post on a Friday evening with very little expectations of many hits (you bloggers now a friday evening post is the worst time).  To my surprise the developer community really got excited and I had 40,000 views of the page over the weekend with lots of retweets from developers.

My take away to the positive response was that I believe many developers were happy to see a relatively concise document that gave the high points of secure development practices.  I'd like to bring this document into the OWASP Cheat Sheet Series as the "Secure Coding Cheat Sheet".  This is a pretty lofty title so before jumping into the water I wanted to get the community's feedback on the idea.  I also understand we have the secure coding handbook already. This document is intended to be small and concise versus the more in depth information provided in that book.

Here is the link to the current page:
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

Here are the objectives of this document:
- Concise - Less is more. No developer wants to look through 300 pages to understand what they need to do. This document is a high level blue print.
- Describes "What" not "how" - In other words, this document describes to the developer that they should be doing X. If they don't know what X is, then they need to follow the links to read more.
- Complete - The document attempts to cover the major areas that developers encounter (we may need to add some areas)

Points for consideration:
- This document was created for Mozilla developers with specific recommendations based on Mozilla's controls and risk posture. We'd need to change and update some things to be more generic for an OWASP version
- The document may be a little messy and could use some rewording and clarification in an OWASP form


So, my question to the community is this, what do you think? How should we modify this document if it is to be added as a Secure Coding Cheat Sheet? Is that the right title or even the right place in our OWASP projects?


[1] - http://blog.mozilla.com/webappsec/2011/09/30/mozillas-secure-coding-guidelines-for-web-applications/


--
Michael Coates
OWASP





More information about the OWASP-Leaders mailing list