CERT

Secure Coding

Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. CERT Program staff has observed, through an analysis of thousands of vulnerability reports, that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment.

As part of the CERT Secure Coding Initiative, members of the Secure Coding team work with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before they are deployed. We strive to identify common programming errors that lead to software vulnerabilities, establish secure coding standards, educate software developers, and advance the state of the practice in secure coding.

Areas of Work

Secure Coding Standards
The CERT Program is working with the software development and security communities to develop standards for commonly used programming languages on the CERT secure coding wiki. We are also contributing to the development of international standards to improve software security.

International Standards Development
The CERT Program participates in the development of international standards for programming languages to improve the security of these languages.

SCALe
The Source Code Analysis Laboratory (SCALe) offers conformity assessment of software to CERT secure coding standards.

Development Tools and Libraries
The CERT Program has developed tools and libraries that help software developers reduce the number of vulnerabilities in their code.

TSP-Secure
TSP-Secure extends TSP—the Team Software Process—to achieve the development of secure software systems. When organizations implement TSP-Secure, they can efficiently build high-quality, secure software while conforming to Capability Maturity Model Integration (CMMI).
