2024 Year in Review
Lasting Impact: The CERT Secure Coding Initiative
Twenty years ago, software security researchers were struggling with a troubling observation: Software vulnerabilities with known solutions continued to be reported. The CERT Secure Coding Initiative was formed at the SEI to discover what programmers could do about it. The initiative would go on to pioneer secure coding, a field that has made a lasting impact in software security and resilience.
By the early 2000s, the software community had been studying and categorizing vulnerabilities for years, but guidance for prevention was basic and left much to programmers’ interpretation. Existing guidance reflected the perspective of how computers interpret and process software, not how programmers should write it, and it lacked any clear recommendations for different programming languages.
The SEI was uniquely suited to address this problem. SEI researchers could take a bird’s-eye view by analyzing vulnerabilities reported to the CERT/CC and seek patterns in code. They could also dive deeply into programming language details and software analysis to unpack specific vulnerabilities, their causes, and their mitigations.
Secure Coding Initiative team members circa 2010. Left to right: Dan Plakosh, Archie Andrews, David Svoboda, Dean Sutherland, Brad Rubbo, Jason Rafael, Robert Seacord, Chad Dougherty
The Secure Coding Initiative developed guidance and training for developers on secure coding practices for C and C++, the most prominent languages at the time. This effort resulted in 2005’s Secure Coding in C and C++ and its second edition.
The work progressed into formalized descriptions of rules and recommendations for secure coding in C, developed through a broad-based, collaborative effort with the software development and software security communities. The result was The CERT C Secure Coding Standard, first published in 2008.
Since then, Robert Seacord, David Svoboda, and other SEI authors and collaborators have written secure coding standards for C++, Java, Perl, and Android. The SEI continues to revise the standards in response to language updates and programmer feedback.
The SEI CERT Coding Standards have had wide impact. Companies such as Cisco and Oracle have adopted them. The SEI CERT C Coding Standard formed the basis for the ISO/IEC standard on C secure coding rules. All major static analysis tool vendors support checking for standards adherence. Secure coding courses, such as those pioneered at the SEI’s CERT Division, are now incorporated into university curricula.
As more AI is applied to software development, the standards are now being used to train automated analysis tools to detect weaknesses in source code. One example is CodeQL, GitHub’s code analysis engine developed to automate security checks. GitHub advanced security specialist Jose Palafox noted, “Microsoft and GitHub implemented checks for CERT C and C++ into CodeQL. This enables auto manufacturers, other regulated industries, and open source enthusiasts to demonstrate meeting the standard through continuous code scanning during the software development lifecycle.”
SEI research and development on secure coding continues. Its experts are studying newer, memory-safe languages, such as Rust, and expanding into other aspects of secure coding: using large language models to augment software development and analysis, automatically repairing code, and detecting malicious information flow in source code. The SEI participates in the ISO C committee and contributes to security improvements of the ISO C language standard.
Use of the SEI CERT Coding Standards embeds best practices into the foundation of software engineering, making software less vulnerable by reducing system attack surfaces. As more tools implement the standards, their use will become a more natural part of the software product development lifecycle. The SEI’s Cybersecurity Foundations deputy director and former Secure Coding technical manager Robert Schiela noted, “SEI CERT standards will forever be a vital part of securing code.”
Learn more about the SEI CERT Coding Standards at securecoding.cert.org.
Mentioned in this Article
Secure Coding in C and C++ 2nd Edition
The CERT C Secure Coding Standard
ISO/IEC Standard on C Secure Coding Rules
Using LLMs to Automate Static-Analysis Adjudication and Rationales
Automated Repair of Static Analysis Alerts
Techniques for Detection of Information Flows Indicative of Inserted Malicious Code
JTC1/SC22/WG14 - C (ISO C Committee)