Secure Coding Guidelines for Developers
Developers who write applications for the Oracle Solaris operating system need to follow secure coding guidelines. Guidelines exist for secure coding in general, language-specific coding, and Oracle Solaris-specific coding and tools.
The following web sites track coding vulnerabilities and promote secure coding practices:
Common Weakness Enumeration
National Vulnerability Database Version 2.2
CERT Secure Coding Standards
ISO/IEC JTC 1/SC 22/WG 23 Programming Language Vulnerabilities
The CERT web site contains computer language references for secure coding practices. These references might include sections about the POSIX APIs, which are part of the API set of Oracle Solaris.
C – CERT C Secure Coding Standard
Additional guidelines for secure use of the standard C library functions in Oracle Solaris are provided by C Library Functions (Community Group security funclist).
C++ – CERT C++ Secure Coding Standard
Java – CERT Oracle Secure Coding Standard for Java
Perl – CERT Perl Secure Coding Standard
The Open Web Application Security Project (OWASP) hosts security guidelines for two web scripting languages:
PHP – OWASP PHP Security Cheat Sheet
Python – OWASP Python Security website
Oracle Solaris provides specific APIs that can be used to write more secure code and to take advantage of the security and cryptographic features of the Oracle Solaris operating system and Oracle Sun hardware systems. Additionally, the suite of documents for Oracle Solaris Studio includes discussions of using the tools securely.
The following guides from Oracle Solaris address secure coding:
Linker and Libraries Guide
Oracle Solaris 11.1 Dynamic Tracing Guide
Resource Management, Oracle Solaris Zones, and Oracle Solaris 10 Zones Developer’s Guide
Studio 12.3 Security Guide