[Cryptography] Heartbleed and fundamental crypto programming practices

ianG iang at iang.org
Tue Apr 15 15:41:47 EDT 2014


On 15/04/2014 19:42 pm, Jerry Leichter wrote:
> On Apr 15, 2014, at 4:13 AM, Joachim Strömbergson <Joachim at Strombergson.com> wrote:
>>> I've seen comments over the years that crypto- (and all 
>>> security-)related programming should not be left to "general" 
>>> programmers with no domain expertise.  I'm not aware of any attempt 
>>> to collect a list of "issues and programming techniques a crypto 
>>> programmer must know".  Might be useful to have.... -- Jerry
>>
>> I haven't seen anyone in the thread mentioning the Cryptography Coding
>> Standard effort started by Jean-Philippe Aumasson of Blake, Siphash fame:
>>
>> https://cryptocoding.net/index.php/Cryptography_Coding_Standard
>>
>> Might be a good starting point and probably appreciates comments and
>> contributions.
> That's an *excellent* resource.  Thank you for sending it.  I've read parts and intend to go through the whole thing, and comment if I find something to say.  I encourage everyone here to do the same.
> 
> I should actually have pointed to another resource, one that I actually *have* sent comments on in the past (and they've been included):  CERT's C Coding Standard at 
> 
> https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard
> 
> There are also CERT coding standards for C++ and Java, though I'm not sure they're available on line.

For Java, there is a book:
http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780321933157

Which is a must-read if you've got $32 idle.  Its #1 recommendation is:

    1. Limit the lifetime of sensitive data

rather apropos recent thread, I wonder what they say about Strings.
Especially in the light of #75:

    75. Do not attempt to help the garbage collector by
        setting local reference variables to null


??  Chapter 2 is downloadable, or some portion thereof.

And for C++ there is:
http://www.informit.com/store/secure-coding-in-c-and-c-plus-plus-9780321822130



iang

