Introducing the Defensive Coding Guide

The Defensive Coding Guide provides guidelines for improving software security through secure coding. It covers common programming languages and libraries, and focuses on concrete recommendations.

The first part of the book contains useful tips for seven programming languages, such as C++, Java, or Go. Part II is dedicated to secure coding principles for specific programming tasks, from file manipulation to process handling. The third part offers tips for authentication, authorization, cryptographic protocols, hardware security modules, and smart cards.

The Defensive Coding Guide Table of Contents:

Part I. Programming Languages

1. The C Programming Language - dealing with memory safety, functions to avoid, garbage collection, array handling, and wrapper functions

2. The C++ Programming Language - overloading, preparing for security updates, C++0X and C++11 support, string handling, containers, iterators

3. The Java Programming Language - resource management, recovering from exceptions and errors, low-level features of the virtual machine, interacting with the security manager

4. The Python Programming Language - dangerous standard library features, run-time compilation, sandboxing

5. Shell Programming and bash - shell language features, invoking external commands, temporary files, performing input validation, guarding shell scripts against changes

6. The Go Programming Language - memory safety, error handling, garbage collection, (un)marshalling

7. The Vala Programming Language - memory safety recommendations


Part II. Specific Programming Tasks

8. Library Design - state management, object orientation, callbacks, process attributes

9. File Descriptor Management - closing descriptors, preventing file descriptor leaks to child processes, dealing with the select limit

10. File System Manipulation - operating on files and directories owned by potentially untrusted users, accessing the file system as a different user, file system limits and features, checking free space

11. Temporary Files - how to create temporary files and directories, how to remove them, and how to work with programs which do not create files in ways that are safe with a shared directory for temporary files

12. Processes - safe process creation, handling child process termination, SUID/SGID processes, daemons, fork as a primitive for parallelism

13. Serialization and Deserialization - recommendations for manually-written decoders, protocol design, fragmentation, library support for deserialization, XML serialization

14. Cryptography - primitives, randomness

15. RPM Packaging - generating X.509 self-signed certificates


Part III. Implementing Security Features

16. Authentication and Authorization - authenticating servers, host-based authentication, UNIX domain socket authentication, AF_NETLINK authentication of origin

17. Transport Layer Security (TLS) - OpenSSL, GnuTLS, OpenJDK, and NSS pitfalls, implementing TLS clients

18. Hardware Security Modules and Smart Cards - OpenSSL, GnuTLS, and NSS HSM support