Skip to content

PW.5: Create Source Code by Adhering to Secure Coding Practices

Decrease the number of security vulnerabilities in the software, and reduce costs by minimizing vulnerabilities introduced during source code creation that meet or exceed organization-defined vulnerability severity criteria.

PW.5.1

Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements.

Implementation Examples
  • Example 1: Validate all inputs, and validate and properly encode all outputs.
  • Example 2: Avoid using unsafe functions and calls.
  • Example 3: Detect errors, and handle them gracefully.
  • Example 4: Provide logging and tracing capabilities.
  • Example 5: Use development environments with automated features that encourage or require the use of secure coding practices with just-in-time training-in-place.
  • Example 6: Follow procedures for manually ensuring compliance with secure coding practices when automated methods are insufficient or unavailable.
  • Example 7: Use tools (e.g., linters, formatters) to standardize the style and formatting of the source code.
  • Example 8: Check for other vulnerabilities that are common to the development languages and environment.
  • Example 9: Have the developer review their own human-readable code to complement (not replace) code review performed by other people or tools. See PW.7.
References
  • BSAFSS: SC.2, SC.3, LO.1, EE.1
  • BSIMM: SR3.3, CR1.4, CR3.5
  • EO14028: 4e(iv), 4e(ix)
  • IDASOAR: 2
  • IEC62443: SI-1, SI-2
  • ISO27034: 7.3.5
  • MSSDL: 9
  • OWASPASVS: 1.1.7, 1.5, 1.7, 5, 7
  • OWASPMASVS: 7.6
  • SCFPSSD: Establish Log Requirements and Audit Practices, Use Code Analysis Tools to Find Security Issues Early, Handle Data Safely, Handle Errors, Use Safe Functions Only
  • SP800181: SP-DEV-001; T0013, T0077, T0176; K0009, K0016, K0039, K0070, K0140, K0624; S0019, S0060, S0149, S0172, S0266; A0036, A0047