[Owasp-leaders] Secure Coding Cheatsheet

Bhalla, Nishchal nish at securitycompass.com
Tue Oct 25 16:05:19 EDT 2011

Have you guys seen SDElements.com (yeah, I know it is a plug) but that is what the whole product does. Lots of cheatsheets / forget-me-not lists / checklists and sample code. We are releasing a free version soon too.

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Michael Coates
Sent: Tuesday, October 25, 2011 12:26 PM
To: Jason Li
Cc: owasp-leaders at lists.owasp.org Owasp; Keith Turpin
Subject: Re: [Owasp-leaders] Secure Coding Cheatsheet

Ah, very interesting. Perhaps these two efforts can work together.

My initial thoughts.

1 - Let's get this data onto a webpage. Nothing turns away people quicker than having to download a pdf (it's odd, it only takes 3 extra seconds but many people will just hit back and look for another source).
2 - The quick reference guide is 20 pages. How do we trim that to be much more "quick" while still keeping all the core info we need.

Michael Coates

On Oct 25, 2011, at 9:19 AM, Jason Li wrote:

FYI - there is already a similar OWASP project to create a concise list of secure coding practices.

It is led by Keith Turpin and was donated by Boeing (complete with copyright assignment and handover):


On Tue, Oct 25, 2011 at 12:01 PM, Michael Coates <michael.coates at owasp.org<mailto:michael.coates at owasp.org>> wrote:

A few weeks back I posted[1] on the Mozilla Web Security blog about a secure coding guidelines document that we use at Mozilla. I made the post on a Friday evening with very little expectation of many hits (you bloggers know a Friday evening post is the worst time). To my surprise the developer community really got excited and I had 40,000 views of the page over the weekend with lots of retweets from developers.

My takeaway from the positive response was that many developers were happy to see a relatively concise document that gave the high points of secure development practices. I'd like to bring this document into the OWASP Cheat Sheet Series as the "Secure Coding Cheat Sheet". This is a pretty lofty title, so before jumping into the water I wanted to get the community's feedback on the idea. I also understand we have the secure coding handbook already. This document is intended to be small and concise versus the more in-depth information provided in that book.

Here is the link to the current page:

Here are the objectives of this document:
- Concise - Less is more. No developer wants to look through 300 pages to understand what they need to do. This document is a high level blue print.
- Describes "What" not "how" - In other words, this document describes to the developer that they should be doing X. If they don't know what X is, then they need to follow the links to read more.
- Complete - The document attempts to cover the major areas that developers encounter (we may need to add some areas).

Points for consideration:
- This document was created for Mozilla developers with specific recommendations based on Mozilla's controls and risk posture. We'd need to change and update some things to be more generic for an OWASP version.
- The document may be a little messy and could use some rewording and clarification in an OWASP form.

So, my question to the community is this: what do you think? How should we modify this document if it is to be added as a Secure Coding Cheat Sheet? Is that the right title, or even the right place in our OWASP projects?

[1] - http://blog.mozilla.com/webappsec/2011/09/30/mozillas-secure-coding-guidelines-for-web-applications/

Michael Coates

