Better Software Through Secure Coding Practices
Created December 2017
Security flaws and vulnerabilities are all too common in software today. In response, we research and develop solutions for identifying and preventing security flaws during development, where it is much more cost effective than in the test phase or post-deployment.
Defect Removal Is a Major Challenge
Many research studies have shown that the cost to remove defects, including security flaws, can be hundreds of times higher after deployment. Moreover, adding security through testing is a never-ending task. Other research has shown that a majority of vulnerabilities are related to programming errors that are fairly well understood.
Research, Coding Standards, and Best Practices
To enable software developers to reduce vulnerabilities by eliminating coding errors, CERT researchers investigate how errors occur and how to prevent them, codify best practices and coding standards for security, and contribute that knowledge to the programming community. We disseminate information on these practices through courses, standards, webinars, blogs, conferences, reports, newsletters, and our Secure Coding wiki.
Community Guidance to Prevent Common Coding Errors
Our secure coding standards consist of actionable guidelines (rules and recommendations), which provide information about the types of security flaws that can be injected during development with specific programming languages. Each guideline offers precise information describing the cause and impact of violations, including examples of common noncompliant (flawed) and compliant (fixed) code. Each guideline also includes a risk assessment of violating it. You can access and download the secure coding standards on the Secure Coding wiki.
Our secure coding standards are developed by studying the standards that define the programming languages themselves and how they are interpreted and compiled for runtime platforms. They also reflect our experience with audits of millions of lines of source code and countless contributions from the community. We have also contributed to international committees to improve the security of the programming languages and tools that are used to build systems with those languages.
In addition to developing standards and guidelines, we offer training to help developers, auditors, and testers improve their secure coding skills based on the standards and identified best practices. The training is available with a live instructor or as an online course. We have also made evaluating software for violations of specific secure coding rules more practical and accessible by developing static analysis checkers for rules in Clang (and Clang-Tidy) and in our Rosecheckers tool, and we have developed other secure coding tools.
Source Code Analysis Laboratory
Our research, as well as research from others, has shown that different static analysis tools (tools designed to analyze source code to help find security flaws) are optimized to find different types of weaknesses. Therefore, it is almost always best to evaluate source code with multiple static analysis tools. However, doing so creates the complication of evaluating the results from multiple tools in an integrated way. Additionally, static analysis tools often have high false-positive rates (the alerts do not identify an actual problem) and often indicate stylistic issues rather than security issues.
Our experience performing audits with multiple static analysis tools improved our effectiveness and efficiency. From that experience, we developed the Source Code Analysis Laboratory (SCALe), which audits code to identify security flaws as indicated by violations of the CERT secure coding standards.
The SCALe tools aggregate output from commercial, open source, and experimental analysis tools and provide results in a single interface. They also filter out alerts that are not security related and map the security alerts from those tools to specific guidelines of the secure coding standards. This alert processing enables developers to quickly learn more about the security issue the alert is diagnosing, how to fix it, and how best to prioritize it with other alerts.
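The alert processing described above (aggregate, filter out non-security alerts, map to CERT rules, prioritize) can be illustrated with a small Python script. This is an added example, not SCALe's own code or the output format of any real analyzer: the two tool outputs, the checker names, the checker-to-rule mapping, and the risk numbers are all constructed for illustration. The rule ids (STR31-C, EXP33-C, INT32-C) are real CERT C rules, but the severity/likelihood/remediation-cost triples used here are illustrative; the actual assessment of each rule is on the Secure Coding wiki. The priority scheme itself follows the CERT convention: priority is the product of the three values, and priorities of 12 and above are level 1, 6 to 9 are level 2, and 4 and below are level 3.

```python
"""Miniature SCALe-style alert aggregator (added example, not SEI's code).

Two constructed tool outputs are normalized into one Alert type, alerts whose
checker has no CERT rule mapping are dropped as non-security findings, the
rest are merged per (file, line, rule) so that two tools flagging the same
location count once, and the result is ranked by CERT priority level.
"""
from dataclasses import dataclass
import json

# Constructed output of a hypothetical tool "toolA": one JSON object per line.
TOOL_A_OUTPUT = """\
{"checker": "A.buffer.strcpy", "file": "net/parse.c", "line": 42, "msg": "unbounded copy"}
{"checker": "A.style.brace", "file": "net/parse.c", "line": 50, "msg": "brace placement"}
{"checker": "A.uninit.read", "file": "util/buf.c", "line": 17, "msg": "read before init"}
"""

# Constructed output of a hypothetical tool "toolB": file:line:checker:message.
TOOL_B_OUTPUT = """\
net/parse.c:42:B-OVERFLOW:possible buffer overflow in strcpy
net/parse.c:88:B-INT-WRAP:signed overflow in length arithmetic
doc/README:1:B-SPELL:spelling
"""

# Constructed checker -> CERT C rule mapping. Style and spelling checkers are
# deliberately absent, which is how they get filtered out below.
CHECKER_TO_RULE = {
    "A.buffer.strcpy": "STR31-C",
    "A.uninit.read": "EXP33-C",
    "B-OVERFLOW": "STR31-C",
    "B-INT-WRAP": "INT32-C",
}

# Illustrative (severity, likelihood, remediation cost), each 1..3, per rule.
# Real values for each rule are published with the guideline on the wiki.
RISK = {
    "STR31-C": (3, 2, 3),
    "EXP33-C": (3, 2, 2),
    "INT32-C": (3, 2, 1),
}


@dataclass(frozen=True)
class Alert:
    tool: str
    checker: str
    file: str
    line: int
    message: str


def parse_tool_a(text):
    """Normalize toolA's JSON-lines output."""
    alerts = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        r = json.loads(raw)
        alerts.append(Alert("toolA", r["checker"], r["file"], int(r["line"]), r["msg"]))
    return alerts


def parse_tool_b(text):
    """Normalize toolB's colon-separated output (message may contain colons)."""
    alerts = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        file, line, checker, msg = raw.split(":", 3)
        alerts.append(Alert("toolB", checker, file, int(line), msg))
    return alerts


def level(priority):
    """CERT priority level: 12..27 -> L1, 6..9 -> L2, 1..4 -> L3."""
    if priority >= 12:
        return 1
    if priority >= 6:
        return 2
    return 3


def aggregate(alerts):
    """Filter to security alerts, map to rules, merge duplicates, rank."""
    merged = {}
    for a in alerts:
        rule = CHECKER_TO_RULE.get(a.checker)
        if rule is None:
            continue  # no CERT rule: not a security finding, drop it
        key = (a.file, a.line, rule)
        entry = merged.setdefault(
            key, {"file": a.file, "line": a.line, "rule": rule, "tools": set(), "messages": []}
        )
        entry["tools"].add(a.tool)
        entry["messages"].append(f"{a.tool}/{a.checker}: {a.message}")
    for e in merged.values():
        s, l, c = RISK[e["rule"]]
        e["priority"] = s * l * c
        e["level"] = level(e["priority"])
    # Highest level first, then higher priority, then findings confirmed by more tools.
    return sorted(
        merged.values(),
        key=lambda e: (e["level"], -e["priority"], -len(e["tools"]), e["file"], e["line"]),
    )


def run():
    """Aggregate both constructed tool outputs into one ranked list."""
    return aggregate(parse_tool_a(TOOL_A_OUTPUT) + parse_tool_b(TOOL_B_OUTPUT))


if __name__ == "__main__":
    for e in run():
        print(f"L{e['level']} P{e['priority']:2d} {e['rule']} {e['file']}:{e['line']} "
              f"tools={sorted(e['tools'])}")
```

The merge step is what makes multi-tool auditing tractable: the strcpy finding at net/parse.c:42 is reported by both constructed tools under different checker names, but appears once, tagged STR31-C, with both tools credited, so an auditor sees one issue with one fix to look up rather than two unrelated alerts.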
We can perform a SCALe assessment as a service to third parties, and we can help organizations adopt aspects of SCALe to help them improve their secure coding development and evaluation processes.
Software and Tools
Our current and future research is aimed toward improving the efficiency of identifying and removing vulnerabilities through the advancement of tool automation, using machine learning to improve the accuracy of static analysis tools, and developing tools that identify certain classes of flaws and automatically correct them.
April 23, 2018 Presentation
Lori Flynn describes some of the accomplishments and challenges of the FY16-17-18 classifier research she led.
August 25, 2014 Blog Post
According to a 2013 report examining 25 years of vulnerabilities (from 1998 to 2012), buffer overflow causes 14 percent of software security vulnerabilities and 35 percent of critical vulnerabilities, making it the leading cause of software security vulnerabilities overall. As...