Secure Coding Standards for Scala

Ian Nowland

Apr 7, 2014, 12:25:13 PM
to scala-l...@googlegroups.com
Hey guys (especially Typesafe people),

Maybe this discussion belongs in the tools mailing list, but I'm not sure:

My company runs on a Lift platform and our customers are all enterprise, so we have the joy of being audited periodically. While we've got some decent stories to tell around security, we're getting mature enough (and Scala is certainly mature enough) that it seems like it's time to formalize some secure coding standards for the language, à la the Secure Coding Standard for Java, or similar to the style guide we've got, but targeted towards security.

I know my company is going to have to have a formal document in that vein that we reference regardless, but I suspect that other companies developing on Scala for enterprise customers - such as Typesafe - will probably have to develop such a document eventually as well, so it seems like something that would be worthwhile for the community to have a baseline document for reference against.

--Ian

Lex Spoon

Apr 7, 2014, 1:04:36 PM
to scala-l...@googlegroups.com
It sounds like a good thing to do, and it happens to be a very familiar problem area to me lately. A few thoughts:

1. Coding standards are good, given a review process that includes checking for them. They work even better if you check them with some sort of tool. NASA has hired my employer (Semmle) to automate checking for their own very restrictive style guide. Not all organizations have NASA's funding for such a solution :), and for them, it might be good to accompany the docs with a Scala compiler plugin.

2. For security checking, we at Semmle have found significant interest in the "Common Weakness Enumeration" (CWE), in addition to the CERT documents that you link to. In particular, the CWE has a "Top 25" listing that is widely felt to cover the most pervasive security problems for software development today. A company being audited can explain what they do for each of the top-25 common weaknesses; about a dozen of them are amenable to automated checks.


3. I know what you mean about audits. Corporate oversight is on the rise, and one component of that oversight includes checking for security issues. Companies nowadays need to not just be secure, but *convincingly* secure.

Lex Spoon
