
Secure Coding Standards and Checking Compliance

Mihály Dobos-Kovács edited this page Oct 13, 2020 · 4 revisions

Secure Coding Standards

As security is of paramount importance in this project, we define the secure coding standards the implementations should follow.

Server side

As the server side will be developed in Java, the secure coding standard followed during development should be the SEI CERT Oracle Coding Standard for Java.

The standard governs various aspects of the code, and ultimately

leads to higher quality systems that are safe, secure, reliable, dependable, robust, resilient, available, and maintainable and can be used as a metric to evaluate source code for these properties (using manual or automated processes). [source]

Native component

The native component will be implemented in C. The secure coding standard we decided to follow will be the SEI CERT C Coding Standard.

The standard deals with the security aspects of the low level C code, and its main goal

is to develop safe, reliable, and secure systems, for example by eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. [source]
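To make the "eliminating undefined behaviors" goal concrete for the native component, here is an added example (not code from this project) showing two SEI CERT C rules applied: INT32-C (do not let signed integer operations overflow) and STR31-C (guarantee space for the null terminator when copying strings). The function names, the non-negative-dimension precondition and the sample inputs are constructed for illustration.

```c
/* Added example: two SEI CERT C rules, each shown as a
 * non-compliant pattern beside its compliant replacement.
 * Function names and inputs are constructed, not project code. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Non-compliant with INT32-C: if w * h cannot be represented in an int,
 * the multiplication is undefined behaviour. Kept only to show the
 * pattern the standard rules out; main() calls it with safe values. */
int area_noncompliant(int w, int h) {
    return w * h;
}

/* Compliant with INT32-C: prove the product fits before computing it.
 * Returns false instead of overflowing. The non-negative precondition
 * is an assumption of this example. */
bool area_compliant(int w, int h, int *out) {
    if (out == NULL || w < 0 || h < 0) {
        return false;
    }
    if (h != 0 && w > INT_MAX / h) {
        return false;               /* product would exceed INT_MAX */
    }
    *out = w * h;
    return true;
}

/* Non-compliant with STR31-C would be: strcpy(dst, src); -- the
 * destination size is never checked, so a long src writes past dst.
 *
 * Compliant with STR31-C: copy only if src (plus its terminator) fits
 * in dst_size bytes; otherwise leave dst as an empty string and report
 * failure rather than silently truncating. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    size_t len = strlen(src);
    if (len >= dst_size) {          /* no room for the '\0' terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);      /* len + 1 copies the terminator too */
    return true;
}

int main(void) {
    int area;
    printf("safe product: %d\n", area_noncompliant(10, 20));
    if (area_compliant(INT_MAX, 2, &area)) {
        printf("area: %d\n", area);
    } else {
        printf("area rejected: would overflow\n");
    }
    char name[8];
    if (copy_bounded(name, sizeof name, "device-name-too-long")) {
        printf("copied: %s\n", name);
    } else {
        printf("copy rejected: source does not fit in %zu bytes\n",
               sizeof name);
    }
    return 0;
}
```

The checks mirror what static analysers flag under the CERT rule set: the compliant versions make the failure case an explicit return value, so a caller cannot reach the undefined behaviour the non-compliant forms permit.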

Client side

The client side application will be an Android application, so the secure coding standard we decided upon will be the Android Secure Coding Standard.

The standard contains rules for both language and API usage, and its goal

is to develop safe, reliable, and secure systems, for example by eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. [source]

Checking Compliance to Secure Coding Standards

We decided to use an automatic tool to evaluate our compliance with the secure coding standards. The tool of our choice is SonarCloud, which provides an automatic way to check numerous rules of the secure coding standards we use. Moreover, SonarCloud implements additional security best practices that can be useful. SonarCloud's main features of interest are:

  • Server side (source)
    • Support for the language Java
    • Support for Spring and Hibernate
    • Integration with build tools
    • Security oriented checks (see)
    • Support for OWASP, SANS, CWE, Misra, CERT standards
    • The analysis is CWE Compatible
  • Native component (source)
    • Support for the language C
    • Checking memory usage (memory leak, null pointer dereference, ...)
    • Support for SANS, CWE, Misra, CERT standards
    • The analysis is CWE Compatible
  • Client side (source)
    • Support for the language Java
    • Support for the language Kotlin
    • Support for OWASP, SANS, CWE, Misra, CERT standards

IDE Integration

To check the secure coding standards during development, directly in the IDE, we plan to use SonarLint, which integrates with SonarCloud and displays the reported errors and warnings through the IDE's own error and warning system.

SonarLint supports numerous IDEs, which is sufficient for our development purposes:

  • VSCode: Server side, Native component
  • IntelliJ products:
    • IntelliJ: Server side
    • CLion: Native component
    • Android Studio: Client side
  • Eclipse: Server side