It is a frequent yet unintended mistake among software developers. In
copying a string in memory, they unwittingly create a vulnerability
that can be used to execute malicious code by an attacker.
The malicious code may be used to spread a worm, or insert a back door
on a machine, steal a user's identity, or steal sensitive information.
In fact, a recent study found that 64 percent of vulnerabilities in the
National Vulnerability Database were the result of coding errors.
Led by Robert Seacord, the Secure Coding Initiative (SCI) within CERT
works with software developers and software development organizations
to eliminate vulnerabilities resulting from coding errors before
software becomes operational. SCI is developing secure coding
standards for commonly used programming languages such as C, C++, and
Java. These standards can be used to improve and assess the security
and overall quality of software through training, automated analysis,
code review, and other processes.