Secure Coding Guideline
Secure coding standards are guidelines, best practices, and coding conventions that can be used by software developers to prevent security vulnerabilities and improve the overall quality of the software during the software design & development phases.
The guidelines are intended as a reference, and as best practice guidelines they complement static code analysis tools like Klocwork or SonarQube. They can help address code smells and design vulnerabilities that are usually missed during static code analysis. They also ensure adherence to best practices and commonly accepted security standards.
This wiki lists the secure coding guidelines followed within ABB. It also provides references to official and generic security best practices & software coding guidelines categorized based on programming language stacks.
Some coding guidelines are specific to one programming language, while others are generic. Below is a list of references. The 3BSE084586 Secure Coding Guideline is based on observations made during DSAC testing as well as in the security community. It provides a set of guidelines regarding fundamental programming errors that can result in dangerous and disruptive software vulnerabilities, along with some language-dependent guidelines, and it is a good input for those who define rules for static code analysis tools.
When selecting coding standards for a release, consider whether new and better standards or guidelines are available.
Whichever guidelines you select must include the following:
- avoidance of potentially exploitable implementation constructs – implementation design patterns that are known to have security weaknesses;
- avoidance of banned functions and coding constructs/design patterns – software functions and design patterns that should not be used because they have known security weaknesses;
- secure coding practices;
- validation of all inputs that cross a trust boundary;
- error handling.
Also consider automated tool use and settings (for example, for static analysis tools), so that most checks can be verified automatically.
Once the guidelines to be followed have been decided and documented and the static code analysis tool has been selected, the secure coding verification strategy should determine whether the rules will be checked by static code analysis or by code review.
ABB Secure Coding Guidelines
Programming Language-Specific Coding Guidelines
C
Security Guidelines
C++
Security Guidelines
Style Guides
.Net/C#
Security Guidelines
Style Guides
Java
Security Guidelines
- Java Security: developers guide - official
- Java Secure coding guidelines
- SEI CERT Coding Standard for Java
Style Guides
JavaScript
Security Guidelines
Style Guides
TypeScript
Style Guides
AngularJS
Security Guidelines
- Official Angular security best practices
- Angular docs on DomSanitizer
- Angular docs on XSRF protection
Style Guides
ReactJS
Security Guidelines
Style Guides
Go
Security Guidelines
Python
Style Guides
Perl
Security Guidelines
Android
Security Guidelines
NodeJS
Security Guidelines
Docker
Security Guidelines
Cloud
REST
Security Best Practices & Guidelines
The links below point to generic security best practice guidelines and recommendations that can be consulted during the software design and development phases.
- SonarSource Security Rules
- Microsoft Secure Development Lifecycle
- Security Knowledge Framework
- CWE/SANS TOP 25 Most Dangerous Software Errors
- CWE Top 25 Vulnerabilities
- OWASP Secure Coding Practices - Quick Reference Guide
- OWASP Cheat Sheets
- Microsoft CVE Vulnerabilities
- Google Web Security Guide
- Google Style guides