Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive. This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.



The content describes practices that have been successfully deployed and are in widespread use. Readers can start using these practices today with confidence. Experience reports and case studies are typically available.

Title    Updated date
Risk Management Framework (RMF) 2013-07-05
The Common Criteria 2013-07-05
Risk-Centered Practices 2013-07-02
"Prioritizing IT Controls for Effective, Measurable Security" 2013-07-02
"Plan, Do, Check, Act" 2013-07-02
Navigating the Security Practice Landscape 2013-07-02
Assume that Human Behavior Will Introduce Vulnerabilities into Your System 2013-06-26
Do Not Perform Arithmetic with Unvalidated Input 2013-06-26
Never Use Unvalidated Input as Part of a Directive to any Internal Component 2013-06-26
Treat the Entire Inherited Process Context as Unvalidated Input 2013-06-26
Be Suspicious about Trusting Unauthenticated External Representation of Internal Data Structures 2013-06-26
Handle All Errors Safely 2013-06-26
If Emulation of Another System Is Necessary, Ensure that It Is as Correct and Complete as Possible 2013-06-26
Carefully Study Other Systems Before Incorporating Them into Your System 2013-06-24
Clear Discarded Storage that Contained Secrets and Do Not Read Uninitialized Storage 2013-06-24
Use Well-Known Cryptography Appropriately and Correctly 2013-06-21
Design Configuration Subsystems Correctly and Distribute Safe Default Configurations 2013-06-20
Follow the Rules Regarding Concurrency Management 2013-06-20
Ensure that Input Is Properly Canonicalized 2013-06-20
Guidelines Overview 2013-06-20
Ensure that the Bounds of No Memory Region Are Violated 2013-06-20
Use Authorization Mechanisms Correctly 2013-06-20
Use Authentication Mechanisms, Where Appropriate, Correctly 2013-06-19
Integrating Security and IT 2013-05-21
Models for Assessing the Cost and Value of Software Assurance 2013-05-21
Deploying and Operating Secure Systems 2013-05-14
strcpy() and strcat() 2013-05-14
fgets() and gets_s() 2013-05-14
C++ std::string 2013-05-14
Consistent Memory Management Conventions 2013-05-13
Design Principles 2013-05-13
Separation of Privilege 2013-05-10
Securing the Weakest Link 2013-05-10
Strong Typing 2013-05-10
Reluctance to Trust 2013-05-10
Psychological Acceptability 2013-05-10
Promoting Privacy 2013-05-10
Never Assuming That Your Secrets Are Safe 2013-05-10
Least Privilege 2013-05-10
Least Common Mechanism 2013-05-10
Failing Securely 2013-05-10
Economy of Mechanism 2013-05-10
Complete Mediation 2013-05-10
Range Checking 2013-05-10
Windows XP SP2 2013-05-10
Penetration Testing Tools 2007-01-18
Defense in Depth 2005-09-13