PW.5: Create Source Code by Adhering to Secure Coding Practices

Decrease the number of security vulnerabilities in the software, and reduce costs by minimizing vulnerabilities introduced during source code creation that meet or exceed organization-defined vulnerability severity criteria.

PW.5.1

Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization's requirements.

Implementation Examples
  • Example 1: Validate all inputs, and validate and properly encode all outputs.
  • Example 2: Avoid using unsafe functions and calls.
  • Example 3: Detect errors, and handle them gracefully.
  • Example 4: Provide logging and tracing capabilities.
  • Example 5: Use development environments with automated features that encourage or require the use of secure coding practices with just-in-time training-in-place.
  • Example 6: Follow procedures for manually ensuring compliance with secure coding practices when automated methods are insufficient or unavailable.
  • Example 7: Use tools (e.g., linters, formatters) to standardize the style and formatting of the source code.
  • Example 8: Check for other vulnerabilities that are common to the development languages and environment.
  • Example 9: Have the developer review their own human-readable code to complement (not replace) code review performed by other people or tools. See PW.7.
  • Example 10: When designing interfaces that accept input, use well-structured input formats that can be easily validated and sanitized.
  • Example 11: Where appropriate, use formal methods and provers to validate the correctness of code. While particular attention should be given to high-risk code, other sections of code may also benefit from these techniques while balancing cost and risk trade-offs.
References
  • BSAFSS: SC.2, SC.3, LO.1, EE.1
  • BSIMM: SR3.3, CR1.4, CR3.5
  • IDASoar: 2
  • IEC62443: SI-1, SI-2
  • ISO27034: 7.3.5
  • MSSDL: 9
  • OWASPASVS: 1.1.7, 1.5, 1.7, 5, 7
  • OWASPMASVS: 7.6
  • SCFPSSD: Establish Log Requirements and Audit Practices, Use Code Analysis Tools to Find Security Issues Early, Handle Data Safely, Handle Errors, Use Safe Functions Only
  • SP80053: SA-15, SI-03, SI-10, SI-10(03)
  • SP800181: SP-DEV-001; T0013, T0077, T0176; K0009, K0016, K0039, K0070, K0140, K0624; S0019, S0060, S0149, S0172, S0266; A0036, A0047

PW.5.2

Task Moved

This task has been relocated. Please refer to PW.5.1 for the current content.