[Owasp-leaders] Secure Coding Cheatsheet

Jim Manico jim.manico at owasp.org
Tue Oct 25 12:25:10 EDT 2011


It's similar - but different. Keith's guide is a fairly large checklist that
covers a wide range of AppSec needs beyond web. It's a solid list of items
to consider.

The Mozilla list is shorter but goes into more explanation of each item -
and is web centric.

I'd love to pull Michael's guide into the cheat sheet project as the lead
cheat-sheet/glossary.

There are also many items from Keith's work that can be converted into a
cheat sheet.

Michael - let's take this offline - and do it! :)

--
Jim Manico
(808) 652-3805

On Oct 25, 2011, at 12:20 PM, Jason Li <li.jason.c at gmail.com> wrote:

FYI - there is already a similar OWASP project to create a concise list of
secure coding practices.

It is led by Keith Turpin and was donated by Boeing (complete with
copyright assignment and handover):

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

 -Jason

On Tue, Oct 25, 2011 at 12:01 PM, Michael Coates
<michael.coates at owasp.org>wrote:

> Leaders,
>
> A few weeks back I posted[1] on the Mozilla Web Security blog about a
> secure coding guidelines document that we use at Mozilla. I made the post on
> a Friday evening with very few expectations of many hits (you bloggers
> know a Friday evening post is the worst time).  To my surprise the developer
> community really got excited and I had 40,000 views of the page over the
> weekend with lots of retweets from developers.
>
> My takeaway from the positive response was that I believe many developers
> were happy to see a relatively concise document that gave the high points of
> secure development practices.  I'd like to bring this document into the
> OWASP Cheat Sheet Series as the "Secure Coding Cheat Sheet".  This is a
> pretty lofty title so before jumping into the water I wanted to get the
> community's feedback on the idea.  I also understand we have the secure
> coding handbook already. This document is intended to be small and concise
> versus the more in depth information provided in that book.
>
> Here is the link to the current page:
> https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
>
> Here are the objectives of this document:
> - Concise - Less is more. No developer wants to look through 300 pages to
> understand what they need to do. This document is a high level blueprint.
> - Describes "What" not "how" - In other words, this document describes to
> the developer that they should be doing X. If they don't know what X is,
> then they need to follow the links to read more.
> - Complete - The document attempts to cover the major areas that developers
> encounter (we may need to add some areas)
>
> Points for consideration:
> - This document was created for Mozilla developers with specific
> recommendations based on Mozilla's controls and risk posture. We'd need to
> change and update some things to be more generic for an OWASP version
> - The document may be a little messy and could use some rewording and
> clarification in an OWASP form
>
>
> So, my question to the community is this, what do you think? How should we
> modify this document if it is to be added as a Secure Coding Cheat Sheet? Is
> that the right title or even the right place in our OWASP projects?
>
>
> [1] -
> http://blog.mozilla.com/webappsec/2011/09/30/mozillas-secure-coding-guidelines-for-web-applications/
>
>
> --
> Michael Coates
> OWASP
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>