It is a frequent yet unintended mistake among software developers. In
copying a string in memory, they unwittingly create a vulnerability
that can be used to execute malicious code by an attacker.
The malicious code may be used to spread a worm, or insert a back door
on a machine, steal a user's identity, or steal sensitive information.
In fact, a recent study found that 64 percent of vulnerabilities in the
National Vulnerability Database were the result of coding errors.
Led by Robert Seacord, the Secure Coding Initiative (SCI) within CERT
works with software developers and software development organizations
to eliminate vulnerabilities resulting from coding errors before
software becomes operational. SCI is developing secure coding
standards for commonly used programming languages such as C, C++, and
Java. These standards can be used to improve and assess the security
and overall quality of software through training, automated analysis,
code review, and other processes.
About Robert Seacord
Robert Seacord began programming (professionally) for IBM in 1982 and has been programming in C since 1985. Robert leads the Secure Coding Initiative at the CERT, located at Carnegie Mellon’s Software Engineering Institute (SEI). He is author of The CERT C Secure Coding Standard (Addison-Wesley, 2009), Secure Coding in C and C++ (Addison-Wesley, 2005), Building Systems from Commercial Components (Addison-Wesley, 2002) and Modernizing Legacy Systems (Addison-Wesley, 2003).