NEWS AT SEI
This article was originally published in News at SEI on: July 1, 2006
The Carnegie Mellon Software Engineering Institute (SEI) CERT Program has deployed a secure-coding Web site at www.securecoding.cert.org as a forum in which software developers can codify a practical and effective set of secure coding practices for popular programming languages. These coding practices can then be used by software developers to eliminate vulnerabilities before software is operationally deployed.
The purpose of this project is that the practices can be used by developers for professional development and as the basis for organizational coding standards supporting the quality of their products.
Jeffrey Carpenter, manager of the CERT Coordination Center, says that the project is part of a larger secure-coding initiative within the CERT/CC to eliminate dangerous coding practices that can result in exploitable software vulnerabilities. According to Carpenter, “CERT is in a unique position to coordinate development of a set of secure coding practices because of its long history in analyzing and responding to software vulnerabilities.”
CERT’s initial efforts are focused on the development of secure coding practices for the C and C++ programming languages. CERT senior vulnerability analyst Robert Seacord is leading the secure-coding initiative. Seacord is a leading authority on secure coding, author of the book Secure Coding in C and C++ [Seacord 05], and technical expert for the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.
“C and C++ were selected because a large percentage of critical infrastructures are developed and maintained using these programming languages,” Seacord says. “C and C++ are popular and viable languages although they have characteristics that make them prone to security flaws.”
“Today’s dependency on networked software systems has been matched by an increase in the number of attacks against governments, corporations, educational institutions, and individuals. These attacks result in the loss and compromise of sensitive data, system damage, lost productivity, and financial loss,” says Seacord. To address this growing threat, the introduction of software vulnerabilities during development and ongoing maintenance must be significantly reduced, if not eliminated.
There are a number of available resources, both online and in print, containing coding guidelines, best practices, suggestions, and tips. The Motor Industry Software Reliability Association (MISRA) developed guidelines for the use of the C language in critical systems [MISRA 04], and more recently the U.S. Department of Homeland Security launched its Build Security In Web site to promote the codification of practices and rules. These sources, however, do not provide a prescriptive set of secure coding practices that can be uniformly applied in the development of a software system.
“Without secure coding practices, software vulnerability reports are likely to continue on an upward trend,” Seacord says. “At CERT/CC, we have had nearly 4,000 vulnerabilities reported in the first half of 2006. To stop the threats, we need to develop secure software from the outset.”
The secure coding practices proposed by CERT are based on standard language versions as defined by official or de facto standards organizations such as ISO/IEC. CERT is not an internationally recognized standards body, but plans to work with organizations such as ISO/IEC to advance the state of the practice in secure coding. The ISO/IEC JTC1/SC22 WG14 international standardization working group for the programming language C, for example, has offered to provide direction in the development of the C-language secure coding practices and to review and comment on drafts of the informal CERT standard.
According to WG14 convener John Benito, “The secure coding standard is going in the correct direction, and I have confidence the final product will be useful to the community.”
CERT is also working with standards groups, such as the ISO/IEC working group on Guidance for Avoiding Vulnerabilities through Language Use (OWGV). While the ISO/IEC group is working on providing language-independent guidance, CERT is working on developing and consolidating the language-specific guidance that provides the foundations for the ambitious goals of OWGV.
Jim Moore, convener of OWGV, states that “CERT’s efforts in identifying and documenting secure coding practices for C and C++ will contribute to the standardization of these practices and advance the goals of the OWGV.”
The success of the secure coding standards depends largely on the active involvement of members of the secure software and C and C++ development communities. Rules and recommendations for each coding practice are solicited from the communities involved in the development and application of each programming language, including the formal or de facto standard bodies responsible for the documented standard.
These rules and recommendations are edited by CERT senior members of the technical staff for content and style and placed on the secure coding standards Web site for comment and review. Users are invited to discuss and comment on the publicly posted content. Once a consensus develops that the rule or recommendation is appropriate and correct, the final rule is incorporated into the coding standard.
Once practices are documented, tools can be developed or modified to verify compliance. Compliant software systems can then be certified as compliant by a properly authorized certification body. Seacord also envisions a training-and-development program to educate software professionals regarding application of secure coding practices.
The development of secure coding practices is a necessary step to stem the ever-increasing threat from software vulnerabilities. CERT’s goal is that the enumeration of secure coding practices will allow for a common set of criteria that can be used to measure and evaluate software development efforts.
The public can review or comment on the existing content at the secure coding Web site or submit new ideas for secure coding practices by e-mailing firstname.lastname@example.org. Robert Seacord can be reached at email@example.com.
 Seacord, R. Secure Coding in C and C++. Addison-Wesley, 2005. See http://www.cert.org/books/secure-coding for news and errata.
 MISRA C: 2004 Guidelines for the use of the C language in Critical systems. MIRA Limited. Warwickshire, UK. October 2004. ISBN 0 9524156.