Blog | G5 Cyber Security

Secure Coding Standards: Beyond CERT

G5 Cyber Security

TL;DR

Yes! While CERT Secure Coding Standards are excellent, many other valuable resources exist to help you write safer code. This guide covers popular alternatives and how to choose the right one for your project.

1. Why Use Secure Coding Standards?

Secure coding standards aren’t just about ticking boxes; they’re about reducing vulnerabilities in your software. They provide a common set of guidelines that help developers avoid common mistakes, leading to more reliable and secure applications. Using these standards can also simplify security reviews.

2. Alternatives to CERT Secure Coding Standards

  1. OWASP (Open Web Application Security Project): This is a hugely popular resource, especially for web applications.
    • OWASP Top Ten: A list of the ten most critical web application security risks. Understanding these is vital.
    • OWASP Secure Coding Practices: Detailed guidance on preventing vulnerabilities like SQL injection, cross-site scripting (XSS), and more.
  2. SANS Institute: Offers a range of cybersecurity training and resources, including secure coding courses and checklists.
    • SANS Top 25 Most Dangerous Software Errors: A practical list focusing on common programming flaws.
  3. MISRA C/C++: Primarily for safety-critical systems (e.g., automotive, aerospace). Very strict and focuses on code reliability.
    • Focuses heavily on avoiding undefined behaviour in C and C++.
  4. SEI CERT Coding Standards (Java, C++, C#, Python): While you asked about *other* standards, the SEI also provides specific guidance for languages beyond just general C. It’s worth knowing these exist.
  5. Language-Specific Guidelines: Many languages have their own best practices and security recommendations.
    • Python: PEP 8 (style guide) often incorporates security considerations, alongside libraries like Bandit for static analysis.
    • JavaScript: ESLint with security plugins can help identify potential issues.
    • Java: OWASP Java Encoder Project provides tools to mitigate XSS vulnerabilities.

3. Choosing the Right Standard

The best standard depends on your project:

  1. Project Type: Web application? Embedded system? Desktop software? OWASP is great for web apps, MISRA for safety-critical systems.
  2. Programming Language: Choose a standard that covers the languages you’re using.
  3. Risk Tolerance: Higher risk projects require stricter standards (e.g., MISRA).
  4. Team Expertise: Select a standard your team can understand and implement effectively.
  5. Compliance Requirements: Some industries have specific security regulations that dictate which standards you must follow.

4. Implementing Secure Coding Standards

It’s not enough to just *read* the standards; you need to integrate them into your development process.

  1. Training: Ensure developers understand the chosen standard(s).
  2. Static Analysis Tools: Use tools to automatically check code for violations.
    • SonarQube: A popular platform that supports many languages and integrates with various static analysis engines.
    • Bandit (Python): 
      pip install bandit

      Then run it against your codebase: 

      bandit -r ./your_project_directory
    • ESLint (JavaScript): Configure with security plugins.
  3. Code Reviews: Have peers review code specifically for security vulnerabilities.
  4. Automated Testing: Include security tests in your CI/CD pipeline.
  5. Regular Updates: Standards evolve, so keep them updated and retrain developers as needed.

5. Combining Standards

You don’t have to pick just one! You can combine elements from different standards to create a custom set of guidelines tailored to your specific needs. For example, you might use OWASP Top Ten for general web app security and supplement it with language-specific best practices.

Exit mobile version