Secure Coding Standards and Checking Compliance
As security is of paramount importance in this project, we define the secure coding standards the implementations should follow.
As the server side will be developed in Java, the secure coding standard followed during development should be the SEI CERT Oracle Coding Standard for Java.
The standard governs various aspects of the code, and ultimately
leads to higher quality systems that are safe, secure, reliable, dependable, robust, resilient, available, and maintainable and can be used as a metric to evaluate source code for these properties (using manual or automated processes). [source]
The native component will be implemented in C. The secure coding standard we decided to follow will be the SEI CERT C Coding Standard.
The standard deals with the security aspects of the low level C code, and its main goal
is to develop safe, reliable, and secure systems, for example by eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. [source]
The client side application will be an Android application, so the secure coding standard we decided upon will be the Android Secure Coding Standard.
The standard contains rules for both language and API usage, and its goal
is to develop safe, reliable, and secure systems, for example by eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. [source]
We decided to use an automatic tool to evaluate our compliance with the secure coding standards. The tool of our choice is SonarCloud, which automatically checks numerous rules of the secure coding standards we use. Moreover, SonarCloud implements additional security best practices that can be useful. SonarCloud's main features of interest are:
- Server side (source)
  - Support for the language Java
  - Support for Spring and Hibernate
  - Integration with build tools
  - Security oriented checks (see)
  - Support for OWASP, SANS, CWE, Misra, CERT standards
  - The analysis is CWE Compatible
- Native component (source)
  - Support for the language C
  - Checking memory usage (memory leak, null pointer dereference, ...)
  - Support for SANS, CWE, Misra, CERT standards
  - The analysis is CWE Compatible
- Client side (source)
  - Support for the language Java
  - Support for the language Kotlin
  - Support for OWASP, SANS, CWE, Misra, CERT standards
To check the secure coding standards during development, directly in the IDE, we plan to use SonarLint, which integrates with SonarCloud and displays notifications and errors through the IDE's error and warning reporting system.
SonarLint supports numerous IDEs, which will be sufficient for our development purposes:
- VSCode: Server side, Native component
- IntelliJ products:
  - IntelliJ: Server side
  - CLion: Native component
  - Android Studio: Client side
- Eclipse: Server side
© Grotesque Gecko, 2020