search menu icon-carat-right cmu-wordmark

CERT Team Improves Security in the New ISO/IEC C Programming Language Standard

CERT Team Improves Security in the New ISO/IEC C Programming Language Standard
January 9, 2012 • Media Coverage

January 9, 2012—In the field of information technology, ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) has established a joint technical committee ISO/IEC JTC 1. For the past several years, members of the Secure Coding team in the SEI's CERT Program have been contributing to the development of a major revision of the ISO/IEC standard for the C programming language. CERT's efforts have focused on introducing much-needed security enhancements to the language and standard library. These security enhancements include (conditional) support for bounds-checking interfaces (originally specified in ISO/IEC TR 24731−1:2007), (conditional) support for analyzability, static assertions, no-return functions, support for opening files for exclusive access, and the removal of the insecure gets function. In December 2011, the work of the CERT team and industry participants resulted in the release of ISO/IEC 9899:2011, informally referred to as C11. This third edition of the C standard cancels and replaces the second edition, ISO/IEC 9899:1999.

David Keaton, a member of the SEI's Secure Coding team, served as chair of Task Group PL22.11 C of the International Committee for Information Technology Standards (INCITS). Working with SEI colleagues Robert C. Seacord and David Svoboda, Keaton helped develop, refine, and introduce many of the security enhancements to this major ISO standard revision.

"Security features in C had been limited to the snprintf function, introduced in 1999," explained Keaton. "Now, the new ISO standard includes an entire new library of secure string functions, plus an optional compilation model that makes C code more understandable by source code analyzers that perform security checks."

"This is a major accomplishment," noted Archie Andrews, technical director, Secure Software and Systems, CERT. "While the SEI, as a federally funded research and development center, focuses on software engineering issues relevant to the DoD, this new standard will not only improve software developed for the DoD but all software applications written in the C programming language. The CERT team realized many years ago that the standards bodies are a primary point of influence to improve the security of software. The DoD was farsighted enough to be willing to support this team's hard work. The reward for all of us is a new set of language standards that incorporate security."

For more information about the new ISO standard for the C programming language, visit

For more information about the work of the CERT Secure Coding Team, visit

Members of the CERT Secure Coding Team made key contributions to security features in the new ISO/IEC standard for the C programming language.