CERT-SEI

04/17/2014

New Edition of CERT C Coding Standard Prioritizes Worst Offenses, Aligns with C11 Standard

April 17, 2014—Dig a little below the surface of the latest high-profile computer breach, system failure, or application vulnerability and you're almost certain to discover the culprit is incorrectly written code. Most recently, a failure to validate an input message length in OpenSSL (the backbone of many trusted system-to-system internet communications) resulted in the Heartbleed bug, which has put at risk user credentials, secret keys, and the assets they protect on systems around the world.

As part of its ongoing mission to help developers avoid coding errors and produce safe, reliable, and secure systems, the SEI's Secure Coding Team has updated its C language coding standard. Published by Addison-Wesley Professional, The CERT C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems has been greatly improved and incorporates contributions from numerous experts.

The CERT C Coding Standard, Second Edition enumerates the coding errors that are the root causes of current software vulnerabilities in C, prioritizing them by severity, likelihood of exploitation, and remediation costs. "Secure programming in C can be more difficult than even many experienced programmers realize," said Robert C. Seacord, technical manager of the CERT Secure Coding Initiative and author of the CERT C Coding Standard. "Software systems are becoming increasing complex as our dependency on these systems increases. In our new CERT standard, as with all of our standards, we identify insecure coding practices and present secure alternatives that software developers can implement to reduce or eliminate vulnerabilities before deployment."

"This book is primarily intended for developers of C-language programs," said Seacord, "but it may also be used by software acquirers to define the requirements for custom software." Seacord added that C++ programmers might also find the book valuable. "The majority of issues identified for C language programs are also issues in C++ programs, although in many cases the solutions are different."

This new edition provides secure coding rules for the new C11 standard, including a new chapter on concurrency. The rules can also be applied to earlier editions of the C language, such as C99.

"The idea of a CERT secure coding standard for C arose at the spring 2006 meeting of the C Standards Committee in Berlin, Germany," said Seacord. "Committee members recognized the need for a secure coding standard for C and that CERT was in a unique position to produce such a document." CERT researchers got to work, launched the Secure Coding Wiki, and coordinated community development of the first edition of the CERT C Secure Coding Standard.

Building on the success of The CERT C Secure Coding Standard in 2008, the CERT Secure Coding Team has coordinated the community development of additional standards and guidelines for C++, Java, and Perl. CERT coding standards have been widely adopted by companies such as Cisco and Oracle. CERT also led an effort in the C Standards Committee to produce ISO/IEC TS 17961 C secure coding rules. This technical specification provides requirements for analyzers and compilers that wish to diagnose secure coding violations beyond the requirement of the C Standard.

In addition to its work in standards development, the Secure Coding Team has developed the Source Code Analysis Laboratory (SCALe), which offers conformance testing of C language software systems against the CERT C Coding Standard and the CERT Oracle Secure Coding Standard for Java. SCALe applies commercial, open source, and experimental analysis to analyze systems. Recent SCALe analysis has identified, on average, 143 true positives and 2,453 suspicious diagnostics from systems averaging 1.6 million lines of code.

The Secure Coding Team also pursues an educational mission. It provides a four-day course on Secure Coding in C and C++, a Secure Coding course made available through Carnegie Mellon University's Open Learning Initiative, and a Java Workshop available on demand from the CERT Division.

For more on the work of the Secure Coding Team, please visit http://www.cert.org/secure-coding/.

To learn more about The CERT C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems, review the table of contents, and read the book's preface, please visit http://www.cert.org/secure-coding/publications/books/cert-c-coding-standard-second-edition.cfm.

Or, to order The CERT C Coding Standard, Second Edition from InformIT, please visit http://www.informit.com/store/cert-c-coding-standard-second-edition-98-rules-for-9780133805383.

Media Contact

If you are a member of the media or analyst community and would like to schedule an interview with an SEI expert, please contact:

SEI Public Relations
Richard Lynch
Media Line: 412-268-4793
Email: public-relations@sei.cmu.edu

For other useful information sources, please visit the Contact Us page.

SEI Bulletin