SEI Releases Fortran Coding Standard
• Article
June 1, 2026—The Fortran programming language underlies services ranging from weather prediction to supercomputing. Despite its long history and continued popularity, the language has had no rules to guide the writing of secure Fortran code. To help developers create more secure and compliant programs in Fortran, the Software Engineering Institute (SEI) has released the first-ever secure coding standard for the language. The open source SEI CERT Fortran Coding Standard is available on the new SEI CERT Coding Standards GitHub repository.
AI Brings New Attention to a Legacy Language
The Fortran programming language originated in the 1950s. Today it runs software for heavy numeric computation and high-performance computing. It was the 11th most popular programming language on the TIOBE Index in May, and many Fortran codebases are still being maintained. U.S. government agencies use Fortran applications to simulate complex systems such as high-resolution weather prediction and nuclear reactors.
With simulation software increasingly sharing hardware with more artificial intelligence systems, Fortran applications are suddenly within the scope of U.S. cyber regulations, like NIST SP 800-218 and Security Technical Implementation Guides (STIGs) defined by the Department of War. Despite its longevity, popularity, and mission-critical importance, Fortran has lacked the standards that guide developers to write code that avoids common security errors.
Coding Standard Modernizes Fortran Security
The newly released SEI CERT Fortran Coding Standard aims to help developers assess the security of existing Fortran codebases and write new, more secure software. The standard’s 25 rules promote secure coding practices common to many languages, such as managing memory, input, and output. But it also defines practices particular to Fortran, such as automatic memory management for allocatable arrays, array bounds checking, and stronger interfaces and argument checking.
The language has inherited some features that other languages no longer allow, for example, implicit declaration of variables. “This was a best practice 20 years ago, and now it is a very bad practice because it opens the door to many compliance, security, and correctness issues,” said Manuel Arenaz, chief technical officer and cofounder of the software development tool company Codee and the Fortran standard’s lead developer. Use of the best practices in the Fortran Coding Standard can help modernize legacy codebases.
Community Improvements Needed
Software developers can use the standard to make Fortran code compliant with security regulations. Owners of existing codebases, especially in the defense domain, can check their code for compliance with STIGs. The SEI invites these and other members of the software development community to use the standards and suggest improvements.
David Svoboda, a senior software security engineer in the SEI’s CERT Division who helped develop the SEI’s other secure coding standards, noted that this first release of the Fortran standard is far from complete. “The first step is to let Fortran developers comment on the standard and improve it,” he said. “But they can also contribute rules and help complete the standard.”
Svoboda encourages developers to submit feedback via the SEI’s contact form or by opening GitHub issues. Developers can also fork the repository, make improvements, and submit a pull request to the SEI team to merge the changes.
GitHub is the new home for all the SEI CERT coding standards: C, C++, Java, Android, Perl, and now Fortran. This transition makes the standards more accessible and easier to update with bulk changes.
Access the SEI CERT Fortran Coding Standard on GitHub. Subscribe to the SEI Blog to be notified of a forthcoming blog post on the new standard. Learn more about the SEI’s secure development research on our website.
