A.3 Web Sites and Online Resources

Of the hundreds (now, perhaps, thousands) of sites on the Web that address some facet of secure coding, the ones we have listed below are those we recommend you check first.

AusCERT Secure Programming Checklist


Secure programming information from the Australian Computer Emergency Response Team, AusCERT.

FreeBSD Security Information


Security tips specific to the FreeBSD operating system.

Institute for Security and Open Methodologies

http://www.isecom.org/ (formerly www.Ideahamster.org/)

Contains, among other things, a repository of secure programming guidelines and testing methodologies. Included in this set is "The Secure Programming Standards Methodology Manual" by Victor A. Rodriguez.

International Systems Security Engineering Association (ISSEA)


A not-for-profit professional organization "dedicated to the adoption of systems security engineering as a defined and measurable discipline."

Packetstorm Tutorials List


A useful list of tutorials on various programming languages, testing methodologies, and more.

Secure, Efficient, and Easy C Programming


A useful "howto" document by Timo Sirainen with tips and examples of secure C coding.

Secure Programming for Linux and Unix HOWTO


David Wheeler's "Howto" page for secure programming information specific to Linux and Unix. Not an FAQ, but a substantial online book with accurate and far-ranging advice. Includes specific secure programming tips for Ada95, C, C++, Java, Perl, and Python.

Systems Security Engineering Capability Maturity Model


Information on the Software Engineering Institute-derived SSE-CMM, which measures the maturity level of system security engineering processes (and provides guidelines to which to aspire).

Secure Unix Programming FAQ


Another document with secure programming tips that are specific to Unix and Unix-like environments.

Windows Security


A repository of information on Microsoft Windows security issues.

Writing Safe Setuid Programs


Home page of Professor Matt Bishop at the University of California at Davis. Contains numerous highly useful and informative papers, including his "Writing Safe Setuid Programs" paper.

The World Wide Web Security FAQ


Security and secure coding tips specific to web environments.

The Open Web Application Security Project


Useful web site with tips, tools, and information on developing secure web-based applications.