Secure Coding in C and C++: Efforts Lead to Book, Course, Community, Coding Standard
July 17, 2009 • Article
It’s a frequent yet unintended mistake among software developers.
A software developer copies a string in memory, but in doing so, unwittingly creates a vulnerability that can be exploited by an attacker to execute malicious code.
“The malicious code can do anything. It can be used to spread a worm, or insert a back door on a machine, steal the user’s identity, steal information … anything really,” explained Robert Seacord, lead of the Secure Coding Team at the SEI’s CERT Program.
In fact, a recent study by Jon Heffley and Pascal Meunier found that 64 percent of vulnerabilities in the National Vulnerability Database in 2004 were the result of coding errors.
The coding errors and strategies for avoiding them are the subject of a book by Seacord, Secure Coding in C and C++, which was published by Addison-Wesley in 2005. In October 2008, a follow-up effort, The CERT C Secure Coding Standard, was also published by Addison-Wesley.
“The current book is a comprehensive enumeration of coding errors that you can make that lead to vulnerabilities,” Seacord explained. By complying with these secure coding guidelines, developers can reduce or eliminate vulnerabilities present in their software before deployment.
The standards are developed using a community process on the CERT Secure Coding wiki and incorporating input from more than 300 industry experts.
Seacord also teaches a course, Secure Coding in C and C++, which was offered publicly for the first time in 2009 at the SEI’s Pittsburgh headquarters. Seacord’s books are distributed as part of the course materials to supplement the hands-on learning of the course. The four-day course covers string management, dynamic memory management, integral security, formatted output, and file I/O. The course will be offered in Pittsburgh; Arlington, Va.; San Francisco; and Boston in 2009 and 2010.
“Many common coding errors can go undetected during a typical development process. Many of these errors are undiagnosed by compilers, even when run at the highest warning levels,” Seacord said. “Consequently, it becomes the programmer’s responsibility to recognize and avoid these errors.”
Seacord is also working with Sun Microsystems, which was recently acquired by Oracle, to create a secure coding standard for Java, which he hopes to release in the summer of 2010.
For more information