1.  Executive Summary


This report presents the findings of a survey undertaken to:

  • Evaluate available secure software coding techniques, standards, and tools for potential applicability to high-reliability applications.

  • Recommend applicable secure coding techniques, standards, and tools for use, or potential modification, by clients in the development of such applications.

The key findings and recommendations are as follows.

  • No formal standard for secure coding practices has been adopted by any major international standards body or U.S. Government organization.

  • Several existing security and quality assurance standards relate in some way to secure coding. We recommend their consideration, to the extent they are pertinent to corporate goals and operational requirements. Chief among these standards, detailed herein, are:

    • ISO/IEC 15408, Evaluation Criteria for IT Security (the "Common Criteria")
    • BS 7799 from the British Standards Institution, soon to be ISO/IEC 17799
    • The upcoming ISO/IEC 15443, "Information Technology-Security Techniques"

  • The consensus architectural and coding principles that make up the current state of the practice are summarized in this survey.

  • Several software tools, and suites of tools, are available today to assist the design and development of secure code. While no formal evaluation of any of these tools was undertaken, we did investigate and report in detail on ten of them. Accordingly, we recommend the active consideration of at least the following:

    • For C/C++: ITS4 and LCLint (source-level scanners), LibSafe and StackGuard (run-time protection against buffer overflows), and Purify (run-time memory error detection)
    • For Web applications (especially Perl/CGI): AppScan
    • For Java applications: Jtest
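As an added illustration of the class of defect the C/C++ tools above target (this example is not part of the original survey and is not code from any of the listed tools; the function names, the 16-byte field and the sample inputs are our own, constructed for the example): an unchecked strcpy() into a fixed-size buffer is the kind of call ITS4 flags in source, and the overrun LibSafe and StackGuard try to catch at run time. The hardened form checks the length before copying and refuses input that does not fit, rather than relying on a tool to catch the overflow later.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* assumed fixed-size field, including the terminator */

/* VULNERABLE: strcpy() copies until it finds a NUL, so any input of
 * NAME_MAX bytes or more overruns name[] and, on a typical stack frame,
 * the saved frame pointer and return address above it. This is the
 * pattern a source scanner such as ITS4 reports, and the overrun that
 * LibSafe or a StackGuard canary would detect at run time. */
void set_name_unsafe(char name[NAME_MAX], const char *src)
{
    strcpy(name, src);                 /* no length check at all */
}

/* HARDENED: measure the input without reading past NAME_MAX bytes, then
 * refuse anything that would not fit. Returns 0 on success and -1 on
 * oversize input; on failure the destination is set to an empty string
 * so a caller can never observe a partially copied value. */
int set_name_checked(char name[NAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= NAME_MAX) {               /* no room for the terminator */
        name[0] = '\0';
        return -1;
    }
    memcpy(name, src, n + 1);          /* n + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    const char *ok = "alice";                                   /* constructed: fits */
    const char *too_long = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";  /* constructed: 32 bytes */
    int rc;

    set_name_unsafe(name, ok);         /* safe only because the input is short */
    printf("unsafe copy of short input:  %s\n", name);

    rc = set_name_checked(name, ok);
    printf("checked copy of short input: rc=%d name=\"%s\"\n", rc, name);

    rc = set_name_checked(name, too_long);
    printf("checked copy of long input:  rc=%d name=\"%s\"\n", rc, name);

    /* set_name_unsafe(name, too_long) would corrupt the stack and is
     * deliberately not called. */
    return 0;
}
```

The hardened version returns an error instead of truncating: silent truncation with strncpy() avoids the overflow but can drop the terminator and quietly change the data, which is its own class of bug.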

  • Many books, and dozens of articles, discuss how to write secure code. In a survey of the literature we present the best works for study in each language and platform under consideration. For general works on the subject, we recommend:

    • Security Engineering: A Guide To Building Dependable Distributed Systems, by Ross J. Anderson, released in mid-March 2001
    • Practical UNIX & Internet Security, 2nd Edition, by Simson Garfinkel and Gene Spafford, the accepted classic in the field
    • Secure Programming for Linux and UNIX HOWTO, by David A. Wheeler, self-published on the Web in 2001

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.