SECURITY RESOURCES > FAQs
Failure to define clear and detailed security requirements is one of the most common issues in the security assurance process. Organizations should establish secure programming requirements and standards even in the absence of mandatory or even generally accepted standards for system and program security.
Millions of references to secure programming standards are available via a Web search. Refining the search and discovery techniques will help identify those secure programming practices and techniques most applicable to the organization and its objectives.
Organization should also ensure that all developers are trained in secure programming, and that programming guidelines and standard libraries that utilize security functions are established. Finally, supporting tools and technologies need to be put in place to identify and diagnose vulnerabilities. For more information on specific vulnerabilities, please refer to The Path to a Secure Application: A Source Code Security Review Checklist.
Default secure programming standards can be adopted as a by-product of implementing an automated code analysis tool. These tools include libraries of common design and coding flaws as well as information about techniques and practices necessary to prevent and remediate them.
A process to establish and maintain secure programming standards could begin concurrently with the project to assess available scanning tools and select the one most suited to the organization's needs. The same knowledge needed for tool selection can contribute toward the establishment of secure programming requirements, as well as standards for processes and practices. A key ingredient is efficiency. Efficient security practices and standards are effective, affordable, and tailored to the organization's needs and activities.
The default responsibility for preventing security vulnerabilities in source code often falls to the system development team. However, no matter how hard you try to write or approve only secure code, we cannot forget that security holes, or "bugs," can be introduced even when secure programming is practiced. Still it is important, to the extent possible, to minimize the introduction of security vulnerabilities in code.
The Ounce Labs Secure Foundations Initiative supports leading university programs in teaching secure programming best practices as part of comprehensive computer science curricula. Ounce Labs is committed to helping the next generation of programmers and security analysts develop the secure programming and design skills they need to ensure tomorrow's software is written securely from the start. Learn more about Secure Foundations.