Van Lindberg’s List of Security Practices
Van Lindberg, chair of the Python Software Foundation, recently tweeted a list of security best practices. For my information and future reference, I’m gathering them here.
- Thorough negative testing. Cause failures with test cases.
- Fuzz with address checking and standard alloc
- Compiling with address checking and standard memory alloc
- Focused manual spotcheck validation of fields
- Fuzzing w/ output examination
- Context-sensitive source code analysis
- Multi-implementation tests
- Aggressive, not compiled out runtime assertions
- Implementations in safer languages
- Static analysis
- Thorough human review/audit
- Formal methods
Use more than 1.
Update 2015-06-23 14:11
Van mentioned that this list was from David Wheeler. Thanks! David’s Secure Programming HOWTO is an essential reference.