Community Guidance to Prevent Common Coding Errors
Created December 2017 • Updated December 1899
With the billions of lines of code that software developers generate each year, the potential for errors is high. The SEI leads a community initiative to identify unsafe, unreliable, and insecure coding practices to help establish secure coding standards that organizations can implement into their development lifecycles to prevent vulnerabilities.
Vulnerabilities from Coding
Coders are not just translators who take software designs and create secure and functional programs from them. Coding can include numerous pitfalls, and although some vulnerabilities come from design, most of a system’s vulnerabilities are introducing during the coding phase.
Coding standards can help prevent these pitfalls and avoid vulnerabilities, which is the reason that such standards are increasingly established as a requirement by organizations such as the Department of Defense. Establishing and updating standards, however, can pose challenges. Standards must address large volumes of violations found by conformance testing, and the standards must not result in bloated code.
To establish usable and effective coding standards, we need broad collaboration with experts in different coding languages as well as security researchers and software developers. In addition, we must establish ongoing work to continue to evolve and refine the standards.
Leveraging Community Knowledge to Develop Standards
To address the risk of introducing vulnerabilities during coding, the CERT Division of the SEI leads an effort to engage the programming community to develop coding standards. In Spring of 2006, at the meeting of the C Standards Committee in Berlin, Germany, the idea for the CERT C Coding Standard arose as a community-based project where contributors could work together to document their ideas in a wiki-based group. Experts from the programming community, including members of the C Standards Committee, were invited to contribute and were provided with editing privileges on the wiki.
The project we launched in 2006 has developed and evolved over the years. The CERT Coding Standards wiki has more than 1,500 registered contributors, and coding standards have been completed for C, Java, C++, and Perl, and other languages under development.
Our secure coding standards are developed by studying the standards that define the programming languages themselves and how they are interpreted and compiled for runtime platforms. They also reflect our experience with audits of millions of lines of source code and countless contributions from the community. We have contributed to international committees to improve the security of the programming languages and tools that are used to build systems with those languages.
Our secure coding standards consist of actionable guidelines (rules and recommendations), which provide information about the types of security flaws that can be injected through development with specific programming languages. Each guideline offers a wealth of precise information describing the cause and impact of violations, including examples of common noncompliant (flawed) and compliant (fixed) code. Each guideline also includes a risk assessment for violations to it. You can access and download the standards for secure coding on the Secure Coding wiki.
February 11, 2019 Blog Post
The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity. Printers in secure facilities have been used to exfiltrate data from...read
The CERT Secure Coding in C and C++ Professional Certificate provides software developers with practical instruction based upon the CERT Secure Coding Standards. The CERT Secure Coding Standards have been curated from the contribution of 1900+ experts for the C and C++ programming language. The CERT Secure Coding team teaches the essentials of...Register
The CERT Secure Coding in Java Professional Certificate provides software developers with practical instruction based upon the CERT Secure Coding Standards. The CERT Secure Coding team teaches the essentials of designing and developing secure software in Java. Completion of this Professional Certificate will enable software developers to increase...Register
4 - Day Course
Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in Java programming. This four-day course provides a detailed explanation of common programming errors in Java and describes how these errors can lead to code that is...Register