This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Secure Coding Practices - Quick Reference Guide"

From OWASP
m (Added link to a related project)
 
(35 intermediate revisions by 8 users not shown)
Line 2: Line 2:
 
== Welcome to the Secure Coding Practices Quick Reference Guide Project ==
 
== Welcome to the Secure Coding Practices Quick Reference Guide Project ==
  
The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 12 pages long, it is easy to read and digest.
+
 
 +
The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest.
  
 
The focus is on secure coding requirements, rather then on vulnerabilities and exploits. It includes an introduction to Software Security Principles and a glossary of key terms.
 
The focus is on secure coding requirements, rather then on vulnerabilities and exploits. It includes an introduction to Software Security Principles and a glossary of key terms.
Line 10: Line 11:
 
=== Sections of the Guide: ===
 
=== Sections of the Guide: ===
  
 +
* Table of contents
 
* Introduction
 
* Introduction
* Table of contents
 
 
* Software Security Principles Overview
 
* Software Security Principles Overview
 
* Secure Coding Practices Checklist  
 
* Secure Coding Practices Checklist  
Line 18: Line 19:
  
  
'''Download the current 1.1 release:'''
+
 
 +
'''Download the current v2 (Stable) release:'''
 
   
 
   
[http://www.owasp.org/images/7/75/OWASP_SCP_Quick_Reference_Guide_v1-1.pdf PDF Version]
+
* [[Media:OWASP_SCP_Quick_Reference_Guide_v2.pdf|English version PDF]]
 +
* [[Media:OWASP_SCP_Quick_Reference_Guide_v2.doc|English version MS Word]]
 +
 
 +
 
 +
 
 +
'''Translations:'''
 +
 
 +
* [[Media:OWASP_SCP_v1.3_pt-BR.pdf|Brazilian Portuguese Translation PDF]]
 +
* [[Media:OWASP_SCP_v1.3_pt-PT.pdf|Portugal Portuguese Translation PDF]]
 +
* [[Media:2011%EB%85%846%EC%9B%94_OWASP_%EC%8B%9C%ED%81%90%EC%96%B4%EC%BD%94%EB%94%A9%EA%B7%9C%EC%B9%99_v2_KOR.pdf|Korean Translation PDF]]
 +
* [[Media:OWASP_SCP_Quick_Reference_Guide_SPA.doc|Spanish Translation doc]]
 +
* [[Media:OWASP_SCP_Quick_Reference_Guide_%28Chinese%29.pdf|Chinese Translation PDF]]
 +
 
 +
 
 +
'''Related Presentations:'''<br>
 +
This slide deck incorporates many concepts from the Quick reference guide, but also utilizes other OWASP resources.<br>
 +
[https://www.owasp.org/images/b/ba/Web_Application_Development_Dos_and_Donts.ppt Web Application Development Dos and Donts - Presentation from the Royal Bank of Scotland]
 +
 
 +
 
 +
'''Related Projects:'''<br>
 +
[https://github.com/Checkmarx/Go-SCP Go programming language secure coding practices guide, based on the OWASP Secure Coding Practices]
  
  
 
'''Project Feedback and Disposition History'''
 
'''Project Feedback and Disposition History'''
  
[http://www.owasp.org/images/6/64/SCP-QRG_Revisions_History.xls XLS Spreadsheet]  
+
[http://www.owasp.org/images/6/64/SCP-QRG_Revisions_History.xls XLS Feedback Spreadsheet]  
  
  
Line 49: Line 71:
 
* Walt Pietrowski
 
* Walt Pietrowski
 
* Catherine Spencer
 
* Catherine Spencer
* Caleb McGary
+
* [mailto:[email protected] Caleb McGary]
* Brad Causey
+
* [mailto:[email protected] Brad Causey]
* Ludovic Petit
+
* [mailto:[email protected] Ludovic Petit]
* Michael Scovetta
+
* [mailto:[email protected] Michael V. Scovetta]
* Jim Manico
+
* [mailto:[email protected] Jim Manico]
 +
* Jason Coleman
 +
* [mailto:[email protected] Anurag Agarwal]
 +
* [mailto:[email protected] Andrew Petukhov]
 +
<br>
 +
'''Translation Contributors'''<br> <br>
 +
'''Portuguese Translation'''<BR>
 +
* [mailto:[email protected] Tarcizio Vieira Neto]
 +
* [mailto:[email protected] Sílvio Correia Filho]
 +
* [mailto:[email protected] Leandro Gomes]
 +
'''Korean Translation'''<br>
 +
* OWASP Korea chapter
 +
'''Spanish Translation'''<br>
 +
* Canedo,Gerardo
 +
* Flores,Mauro
 +
* [[user:Alberto_Daniel_Hill|Hill,Alberto]]
 +
* Martinez,Mateo
 +
* Papaleo,Mauricio
 +
* Soarez,Nicolás
 +
* Targetta, Cecilia
 +
'''Chinese Translation'''<br>
 +
* [mailto:[email protected] Jie Wang]
 +
* Yongliang He
 +
* Henghui Lin
  
  
Line 62: Line 107:
  
  
[[Category:OWASP_Project|Secure Coding Practices - Quick Reference Guide]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]
+
[[Category:OWASP_Project|Secure Coding Practices - Quick Reference Guide]] [[Category:OWASP_Document]] [[Category:OWASP Best Practices]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document|OWASP Release Quality Document]]
 +
[[Category:SAMM-SR-1]]

Latest revision as of 12:20, 6 July 2017

Main

Welcome to the Secure Coding Practices Quick Reference Guide Project

The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest.

The focus is on secure coding requirements, rather than on vulnerabilities and exploits. It includes an introduction to Software Security Principles and a glossary of key terms.

It is designed to serve as a secure coding kick-start tool and easy reference, to help development teams quickly understand secure coding practices.

Sections of the Guide:

  • Table of contents
  • Introduction
  • Software Security Principles Overview
  • Secure Coding Practices Checklist
  • Links to useful resources
  • Glossary of important terminology


Download the current v2 (Stable) release:


Translations:


Related Presentations:
This slide deck incorporates many concepts from the Quick reference guide, but also utilizes other OWASP resources.
Web Application Development Dos and Donts - Presentation from the Royal Bank of Scotland


Related Projects:
Go programming language secure coding practices guide, based on the OWASP Secure Coding Practices


Project Feedback and Disposition History

XLS Feedback Spreadsheet



Feedback and Participation:

I hope you find the OWASP Secure Coding Practices Quick Reference Guide Project useful. Please contribute to the Project by sending your comments, questions, and suggestions to [email protected].


Project mailing list and archives: subscription page.



Project Contributors:

If you contribute to this Project, please add your name here
Project Lead:

Contributors:


Translation Contributors

Portuguese Translation

Korean Translation

  • OWASP Korea chapter

Spanish Translation

  • Canedo,Gerardo
  • Flores,Mauro
  • Hill,Alberto
  • Martinez,Mateo
  • Papaleo,Mauricio
  • Soarez,Nicolás
  • Targetta, Cecilia

Chinese Translation


Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Secure Coding Practices - Quick Reference Guide (home page)
Purpose: This document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities.
License: Creative Commons Attribution Share Alike 3.0
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: View
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
current release
SCP v2 - 8 November 2010 - (download)
Release description:
  • Sections of the guide were re-ordered, renamed and new sections were added to map more closely to the ASVS. However, input and output handling was left at the beginning, as opposed to lower in the list as it is in ASVS, since this is the source of the most common vulnerabilities and ones that affect even very simple applications.
  • Entirely new sections include:
    • Cryptographic Practices
    • Error Handling and Logging
  • The guide's "Data Validation" section was split to match ASVS and is now represented as two separate sections, "Input Validation" and "Output Encoding".
  • The guide's "Authorization and Access Management" section was renamed to "Access Control".
  • The guide's "Sensitive Information Storage or Transmission" section was split to match ASVS and is now two new sections, "Data Protection" and "Communication Security".
  • Additional practices were added to most sections to account for requirements in ASVS that the guide did not specifically cover, and some rewording of existing practices was also done.
  • Additional terms were added to the glossary.
  • Several improvements were made thanks to new contributors.
Rating: Stable Release - Assessment Details
last reviewed release
SCP v1.1 - 8 September 2010 - (download)
Release description: The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest. This release is the result of the changes introduced in the previous version (SCP v1) which were the consequence of the assessment process it was submitted to.
Rating: Stable Release - Assessment Details


other releases