
Why we need to start giving significantly more specific security advice

Recently, I had a great conversation with my friend Adam Shostack about a petition I started for the Canadian government to adopt a Secure Coding Policy that I wrote.

Adam pointed out that my policy is very specific, much more so than other government guidance such as NIST’s or CISA’s publications. And he’s right! But I believe that’s exactly what we need right now.

We’ve been giving high-level advice for decades: “be secure by design,” “validate input,” “protect your supply chain.” But most teams don’t know what that actually means in practice. The result? Inconsistent implementation, frequent breaches, and organizations that are still teaching beginner-level secure coding because, as an industry, we’re just getting started.

I believe specific, clear, actionable guidance leads to better results. When we tell developers exactly what to do, we get more secure software. Vague statements like “practice secure by design” aren’t enough. We need to say exactly how we want them to do that.

That’s why I created this Secure Coding Guideline and Policy (linked below). They can be applied to any tech stack, language, or framework. They are designed to be broadly useful, but still precise enough for clear action.

Here’s what I’m asking from you, my reader:

  1. If you’re Canadian: please sign the petition to help make this policy official.
  2. If you work in tech: download and review the Secure Coding Policy and Guideline.
  3. No matter who you are: please be specific in your security advice! Clarity leads to better security.

Let’s stop saying “secure by design” and start showing people exactly how to be secure by design.

#SpecificSecurity #BeSpecific
