[Owasp-leaders] Secure Coding Cheatsheet

Jim Manico jim.manico at owasp.org
Tue Oct 25 12:25:10 EDT 2011

It's similar - but different. Keith's guide is a fairly large checklist that
covers a wide range of AppSec needs beyond web. It's a solid list of items
to consider.

The Mozilla list is shorter but goes into more explanation of each item -
and is web centric.

I'd love to pull Michael's guide into the cheat sheet project as the lead.

There are also many items from Keith's work that can be converted into a
cheat sheet.

Michael - let's take this offline - and do it! :)

Jim Manico
(808) 652-3805

On Oct 25, 2011, at 12:20 PM, Jason Li <li.jason.c at gmail.com> wrote:

FYI - there is already a similar OWASP project to create a concise list of
secure coding practices.

It is led by Keith Turpin and was donated by Boeing (complete with
copyright assignment and handover):



On Tue, Oct 25, 2011 at 12:01 PM, Michael Coates
<michael.coates at owasp.org> wrote:

> Leaders,
> A few weeks back I posted[1] on the Mozilla Web Security blog about a
> secure coding guidelines document that we use at Mozilla. I made the post on
> a Friday evening with very little expectation of many hits (you bloggers
> know a Friday evening post is the worst time).  To my surprise the developer
> community really got excited and I had 40,000 views of the page over the
> weekend with lots of retweets from developers.
> My takeaway from the positive response was that I believe many developers
> were happy to see a relatively concise document that gave the high points of
> secure development practices.  I'd like to bring this document into the
> OWASP Cheat Sheet Series as the "Secure Coding Cheat Sheet".  This is a
> pretty lofty title so before jumping into the water I wanted to get the
> community's feedback on the idea.  I also understand we have the secure
> coding handbook already. This document is intended to be small and concise
> versus the more in depth information provided in that book.
> Here is the link to the current page:
> https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
> Here are the objectives of this document:
> - Concise - Less is more. No developer wants to look through 300 pages to
> understand what they need to do. This document is a high level blueprint.
> - Describes "What" not "how" - In other words, this document describes to
> the developer that they should be doing X. If they don't know what X is,
> then they need to follow the links to read more.
> - Complete - The document attempts to cover the major areas that developers
> encounter (we may need to add some areas)
> Points for consideration:
> - This document was created for Mozilla developers with specific
> recommendations based on Mozilla's controls and risk posture. We'd need to
> change and update some things to be more generic for an OWASP version
> - The document may be a little messy and could use some rewording and
> clarification in an OWASP form
> So, my question to the community is this: what do you think? How should we
> modify this document if it is to be added as a Secure Coding Cheat Sheet? Is
> that the right title or even the right place in our OWASP projects?
> [1] -
> http://blog.mozilla.com/webappsec/2011/09/30/mozillas-secure-coding-guidelines-for-web-applications/
> --
> Michael Coates
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders