[Cryptography] Heartbleed and fundamental crypto programming practices
Jerry Leichter
leichter at lrw.com
Tue Apr 15 14:42:14 EDT 2014
On Apr 15, 2014, at 4:13 AM, Joachim Strömbergson <Joachim at Strombergson.com> wrote:
>> I've seen comments over the years that crypto- (and all
>> security-)related programming should not be left to "general"
>> programmers with no domain expertise. I'm not aware of any attempt
>> to collect a list of "issues and programming techniques a crypto
>> programmer must know". Might be useful to have.... -- Jerry
>
> I haven't seen anyone in the thread mentioning the Cryptography Coding
> Standard effort started by Jean-Philippe Aumasson of Blake, Siphash fame:
>
> https://cryptocoding.net/index.php/Cryptography_Coding_Standard
>
> Might be a good starting point and probably appreciates comments and
> contributions.
That's an *excellent* resource. Thank you for sending it. I've read parts and intend to go through the whole thing, and comment if I find something to say. I encourage everyone here to do the same.
I should actually have pointed to another resource, one that I actually *have* sent comments on in the past (and they've been included): CERT's C Coding Standard at
https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard
There are also CERT coding standards for C++ and Java, though I'm not sure they're available online.
-- Jerry