Secure Coding

Software Assurance Secure Coding Vulnerability Analysis Function Extraction (FX)

Publications Catalog Historical Documents CERT Coordination Center Vulnerability Analysis Blog US-CERT Vulnerability Notes Database Vulnerability Disclosure Policy CERT Knowledgebase Courses Build Security In

Secure Coding

Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. The CERT/CC has observed, through an analysis of thousands of vulnerability reports, that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment.

The CERT Secure Coding Initiative works with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before they are deployed. We work to identify common programming errors that lead to software vulnerabilities, establish standard secure coding standards, educate software developers, and to advance the state of the practice in secure coding.

Announcements

Secure Design Patterns Updated October 2009
This newly updated technical report describes a set of secure design patterns, which are descriptions or templates describing a general solution to a security problem that can be applied in many different situations.

As-if Infinitely Ranged Integer Model Published
This paper presents a model for automating the elimination of integer overflow and truncation in C and C++ programming code.

Robert Seacord on the CERT C Secure Coding Standard
Robert C. Seacord and David Chisnall discuss the CERT C Secure Coding standard, developing C standards, and the future of the language and its offshoots.

Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools
This report describes a study conducted by the CERT Secure Coding Initiative and JPCERT to evaluate the efficacy of the CERT Secure Coding Standards and source code analysis tools in improving the quality and security of commercial software projects.

Current Projects

Secure Coding standards web site
A collaborative site that provides rules and recommendations for secure coding practices in the C and C++ programming languages is now available at http://www.securecoding.cert.org. You are invited to review and comment on already codified practices or submit suggestions for new practices. If you have a comment or suggestion concerning the site, or would like to be more directly involved in the effort, send email to secure-coding at cert dot org.

Managed string library
A beta implementation of the managed string library specified by "Specifications for Managed Strings" is now available for download. The managed string library provides a more secure alternative to standard null-terminated byte strings in C. Managed string functions dynamically allocate memory as required, eliminating the possibility of buffer overflows, string truncation, and other common programming errors.

Integral Security
Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. CERT's Secure Coding Initiative has been working on a number of solutions for addressing the issue of integral security including the AIR integer paper and prototype, a secure integer library, and a paper on ranged integers.

Resources

Related Publications

more...

Acquisition Documents

SEI Books

	The CERT C Secure Coding Standard Robert Seacord Addison-Wesley, October 2008. ISBN-13: 978-0-321-56321-7 ISBN-10: 0-321-56321-2
	Secure Coding in C and C++ Robert Seacord Addison-Wesley, September 2005. ISBN-13: 9780321335722 ISBN-10: 0321335724
	Software Security Engineering: A Guide for Project Managers Robert J. Ellison Nancy R. Mead Gary McGraw Sean Barnum Julia H. Allen Addison-Wesley, May 2008 ISBN-13: 9780321509178 ISBN-10: 032150917X (Official book website)