It is a frequent yet unintended mistake among software developers. In copying a string in memory, they unwittingly create a vulnerability that can be used to execute malicious code by an attacker.
The malicious code may be used to spread a worm, or insert a back door on a machine, steal a user's identity, or steal sensitive information.
In fact, a recent study found that 64 percent of vulnerabilities in the National Vulnerability Database were the result of coding errors.
Led by Robert Seacord, the Secure Coding Initiative (SCI) within CERT works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before software becomes operational. SCI is developing secure coding standards for commonly used programming languages such as C, C++, and Java. These standards can be used to improve and assess the security and overall quality of software through training, automated analysis, code review, and other processes.
About Robert Seacord
Robert Seacord began programming (professionally) for IBM in 1982 and has been programming in C since 1985. Robert leads the Secure Coding Initiative at the CERT, located at Carnegie Mellon’s Software Engineering Institute (SEI). He is author of The CERT C Secure Coding Standard (Addison-Wesley, 2009), Secure Coding in C and C++ (Addison-Wesley, 2005), Building Systems from Commercial Components (Addison-Wesley, 2002) and Modernizing Legacy Systems (Addison-Wesley, 2003).