Christian Long's Blog

Jun 23, 2015

Van Lindberg’s List of Security Practices

Van Lindberg, chair of the Python Software Foundation, recently tweeted 1 2 3 4 5 a list of security best practices. For my information and future reference, I’m gathering them here.

  1. Thorough negative testing. Cause failures with test cases.
  2. Fuzz with address checking and standard alloc
  3. Compiling with address checking and standard memory alloc
  4. Focused manual spotcheck validation of fields
  5. Fuzzing w/ output examination
  6. Context-sensitive source code analysis
  7. Multi-implementation tests
  8. Aggressive, not compiled out runtime assertions
  9. Implementations in safer languages
  10. Static analysis
  11. Thorough human review/audit
  12. Formal methods

Use more than 1.

Update 2015-06-23 14:11

Van mentionned that this list was from David Wheeler. Thanks! David’s Secure Programming HOWTO is an essential reference.