Secure coding¶

Secure coding rules and best practices are guidelines. They require the right secure coding tools to make them happen, and also the right approaches to make them more effective and efficient.

Secure coding awareness training¶

Case studies or scenario-based vulnerable source code examples will have better training effects than simply secure coding rules.

• OWASP Security Knowledge Framework

• Android Application Secure Design and Secure Coding Guidebook

• Find Security Bugs Patterns for Java

• OWASP Teammentor

Tool evaluation¶

When the importance and the challenge of secure coding becomes apparent, people will look for some tools to make the secure coding easier. Some evaluation considerations that have proven useful to others:

After using the code scanning tools for a while, a security team may help to optimise the tools, processes, or rules based on user feedback.

Secure compiling¶

Memory corruption and buffer overflow may result in exploit code injection attacks. For the C/C++ programming language, these can be protected by compiler options:

• SAFECode Development Practices

• OWASP C-based ToolChain Hardening

• Linux Audit ASLR

• MS Security Best Practice for C++

• Secure Compiler and linker flags for GCC

To verify whether the application or the environment has been configured with secure options, these can be useful:

• CheckSec

• BinScope