From: Robert Seacord (rcs cert.org)
Date: Wed Dec 17 2008 - 09:09:39 CST
Marius,
You can also look at www.securecoding.cert.org. This is a wiki, where we (CERT and the community) are developing secure coding standards for C, C++, and Java. We also have a project on secure design patterns, which is not public yet but will hopefully be made public early next year. Anyone can create an account and comment on any of the publicly available coding standards.
As I mentioned in the article, we are also working on a security annex for the next revision of the C standard. I would love to see more involvement from the security community in the evolution of the C programming language. In particular, I am planning to circulate a draft proposal for this annex in January.
Thanks,
rCs
-----Original Message-----
From: wishi [mailto:brouce gmx.net]
Sent: Wednesday, December 17, 2008 9:22 AM
To: Robert Seacord
Subject: Re: [Dailydave] Robert Seacord on the CERT C Secure Coding Standard
Robert Seacord wrote:
> informIT published an interview with me written by David Chisnall:
>
> http://www.informit.com/articles/article.aspx?p=1315064
>
> David asked some interesting questions about security and the future of the C programming language.
>
> rCs
>
Interesting article. I recently searched for detailed information regarding secure programming in C.
I found (http://www.cert.org/secure-coding/), which focuses on white papers or books by Gary McGraw and Robert Seacord.
I personally think that secure coding, especially in C, is essential and extremely important, because ~60% of all exploits I see are buffer overruns, which is a problem that's not solving itself.
Does anyone know where to find more information on how to write secure code and how to develop "bulletproof program concepts"? I never found anything focusing on this aspect on a pure technical level.
Many courses and lots of material teach exploiting techniques. Most often this isn't very constructive, because the answer to these exploitations isn't better code. Firewalls, i.e., are a network-based answer to a pure software-based problem ;).
Thanks,
Marius
_______________________________________________
Dailydave mailing list
Dailydave
lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave