CERT
 

Secure Coding

Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. The CERT/CC has observed, through an analysis of thousands of vulnerability reports, that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment.

The CERT Secure Coding Initiative works with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before the software is deployed. We work to identify common programming errors that lead to software vulnerabilities, establish secure coding standards, educate software developers, and advance the state of the practice in secure coding.

Announcements

  • Ranged Integers for the C Programming Language
    SEI Technical Note CMU/SEI-2007-TN-027, authored by members of the Secure Coding Initiative, has been published. This note describes an extension to the C programming language to introduce the notion of ranged integers.
  • A draft of the CERT C Programming Language Secure Coding Standard (Document No. N1255) has been accepted for review at the upcoming meeting of JTC1/SC22/WG14 in Kona, Hawaii. This group is the international standardization working group for the C programming language.
  • New Vodcast: Secure Coding Project
    Robert Seacord talks about the Secure Coding Project.


Current Projects

Secure Coding standards web site
A collaborative site that provides rules and recommendations for secure coding practices in the C and C++ programming languages is now available at http://www.securecoding.cert.org. You are invited to review and comment on already codified practices or submit suggestions for new practices. If you have a comment or suggestion concerning the site, or would like to be more directly involved in the effort, send email to secure-coding at cert dot org.

Managed string library
A beta implementation of the managed string library specified by "Specifications for Managed Strings" is now available for download. The managed string library provides a more secure alternative to standard null-terminated byte strings in C. Managed string functions dynamically allocate memory as required, eliminating the possibility of buffer overflows, string truncation, and other common programming errors.

Secure integer library
A beta version of the secure integer library is now available at http://www.cert.org/secure-coding/IntegerLib.zip. This library includes functions for safe integer conversions and arithmetic operations.




Last updated March 14, 2008