[Cryptography] Heartbleed and fundamental crypto programming practices

ianG iang at iang.org
Tue Apr 15 18:06:00 EDT 2014


On 15/04/2014 20:41 pm, ianG wrote:
> On 15/04/2014 19:42 pm, Jerry Leichter wrote:
>> On Apr 15, 2014, at 4:13 AM, Joachim Strömbergson <Joachim at Strombergson.com> wrote:
>>>> I've seen comments over the years that crypto- (and all 
>>>> security-)related programming should not be left to "general" 
>>>> programmers with no domain expertise.  I'm not aware of any attempt 
>>>> to collect a list of "issues and programming techniques a crypto 
>>>> programmer must know".  Might be useful to have.... -- Jerry
>>>
>>> I haven't seen anyone in the thread mentioning the Cryptography Coding
>>> Standard effort started by Jean-Philippe Aumasson of Blake, Siphash fame:
>>>
>>> https://cryptocoding.net/index.php/Cryptography_Coding_Standard
>>>
>>> Might be a good starting point and probably appreciates comments and
>>> contributions.
>> That's an *excellent* resource.  Thank you for sending it.  I've read parts and intend to go through the whole thing, and comment if I find something to say.  I encourage everyone here to do the same.
>>
>> I should actually have pointed to another resource, one that I actually *have* sent comments on in the past (and they've been included):  CERT's C Coding Standard at 
>>
>> https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard
>>
>> There are also CERT coding standards for C++ and Java, though I'm not sure they're available on line.
> 
> For Java,

It is here:
https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java

But no time to look now. For C++,
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637



> there is a book:
> http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780321933157
> 
> Which is a must-read if you've got $32 idle.  Its #1 recommendation is:
> 
>     1. Limit the lifetime of sensitive data
> 
> rather apropos recent thread, I wonder what they say about Strings.
> Especially in the light of #75:
> 
>     75. Do not attempt to help the garbage collector by
>         setting local reference variables to null
> 
> 
> ??  Chapter 2 is downloadable, or some portion thereof.
> 
> And for C++ there is:
> http://www.informit.com/store/secure-coding-in-c-and-c-plus-plus-9780321822130
> 
> 
> 
> iang
> 


