Coding errors cause the majority of software vulnerabilities. For example, 64 percent of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors.
The use of secure coding standards defines a proscriptive set of rules and recommendations by which the source code can be evaluated for compliance. For each secure coding standard, the source code is certified as provably nonconforming, conforming, or provably conforming against each guideline in the standard.
Provably Nonconforming. The code is provably nonconforming if one or more violations of a rule are discovered for which no deviation has been allowed.
Conforming. The code is conforming if no violations of a rule can be identified.
Provably Conforming. The code is provably conforming if the code has been verified to adhere to the rule in all possible cases.
Evaluation of violations of a particular rule ends when a "provably nonconforming" violation is discovered. Most SCALe analysis is performed by static analyzers. In general, determining conformance to coding rules is computationally undecidable, so it may be impossible for any tool to determine statically whether a given rule is satisfied in specific circumstances.
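The three-way classification above, as an added illustration rather than code from SCALe or CERT: each rule of the standard is evaluated over constructed analyzer findings, a finding at a site with an allowed deviation does not count, the first undeviated violation ends evaluation of that rule with "provably nonconforming", and a rule with no findings is only "provably conforming" if it was separately verified to hold in all cases. Rule ids, file locations, analyzer names and the deviation set are all placeholders.

```python
from dataclasses import dataclass
from enum import Enum

class Conformance(Enum):
    PROVABLY_NONCONFORMING = "provably nonconforming"
    CONFORMING = "conforming"
    PROVABLY_CONFORMING = "provably conforming"

@dataclass(frozen=True)
class Finding:
    rule: str       # placeholder rule id, not a real CERT rule
    location: str   # constructed "file:line" value
    analyzer: str   # hypothetical analyzer name

def classify_rule(rule, findings, deviations, verified_rules):
    """Classify the code against one rule. deviations: (rule, location)
    pairs reviewed and allowed; verified_rules: rules a sound analysis
    has shown to hold in all possible cases."""
    for f in findings:
        if f.rule != rule or (rule, f.location) in deviations:
            continue  # not this rule, or covered by an allowed deviation
        # First violation with no allowed deviation: evaluation of this
        # rule ends here; the code is provably nonconforming to it.
        return Conformance.PROVABLY_NONCONFORMING
    if rule in verified_rules:
        return Conformance.PROVABLY_CONFORMING
    # No violation identified, but not proved either: only "conforming".
    return Conformance.CONFORMING

def evaluate_standard(rules, findings, deviations, verified_rules):
    """Per-rule classification for every rule in the standard."""
    return {r: classify_rule(r, findings, deviations, verified_rules) for r in rules}

def blocking_rules(results):
    """Rules that must be repaired before the code can be certified."""
    return sorted(r for r, c in results.items() if c is Conformance.PROVABLY_NONCONFORMING)

# Constructed sample input (not real analyzer output).
STANDARD_RULES = ["RULE-A", "RULE-B", "RULE-C", "RULE-D"]
SAMPLE_FINDINGS = [
    Finding("RULE-A", "parser.c:42", "tool-x"),  # no deviation: a real violation
    Finding("RULE-B", "net.c:17", "tool-y"),     # reviewed, deviation allowed
    Finding("RULE-B", "net.c:17", "tool-z"),     # second tool, same deviated site
]
SAMPLE_DEVIATIONS = {("RULE-B", "net.c:17")}
VERIFIED_RULES = {"RULE-C"}  # proved to hold everywhere by a sound checker
```

Running `evaluate_standard(STANDARD_RULES, SAMPLE_FINDINGS, SAMPLE_DEVIATIONS, VERIFIED_RULES)` yields RULE-A provably nonconforming, RULE-B and RULE-D conforming, and RULE-C provably conforming; only RULE-A blocks certification.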
The SCALe Conformance Process
Source Code Analysis Laboratory (SCALe) consists of commercial, open source, and experimental analysis tools that are used to analyze various code bases, including those from the DoD, energy delivery systems, medical devices, and more. SCALe provides value to the customer, but it also aids research into the effectiveness of coding rules and analysis tools.
The SCALe process consists of the following steps:
- Customer submits source code to CERT for analysis.
- Source is analyzed in SCALe using various analyzers.
- Results are analyzed, validated, and summarized.
- Detailed report of findings is provided to guide repairs.
- The developer addresses violations and resubmits repaired code.
- The code is reassessed to ensure all violations have been properly mitigated.
- The certification for the product version is published in a registry of certified systems.
A goal of conformance testing is to provide an incentive for industry to invest in developing conforming systems. CERT does this by performing conformance testing against CERT secure coding standards, verifying that a software system conforms with a CERT secure coding standard, permitting use of the CERT seal when marketing products, and maintaining a certificate registry with the certificates of conforming systems.
The CERT SCALe Seal
Developers of software that is determined by the CERT Division to conform to a secure coding standard may use the CERT SCALe seal to describe the conforming software on the developer's website.
The seal must be specifically tied to the software passing conformance testing and not applied to untested products, the company, or the organization. Use of the CERT SCALe seal is contingent upon the organization entering into a service agreement with Carnegie Mellon University and upon the software being designated by the CERT Division as conforming.
Except for patches that meet the following criteria, any modification of software after it is designated as conforming voids the conformance designation. Until such software is retested and determined to be conforming, the new software cannot be associated with the CERT SCALe seal.
Patches that meet all three of the following criteria do not void the conformance designation:
- The patch is necessary to fix a vulnerability in the code or is necessary for the maintenance of the software.
- The patch does not introduce new features or functionality.
- The patch does not introduce a violation of any of the rules in the secure coding standard to which the software has been determined to conform.
CERT SCALe Certificates
CERT SCALe certificates contain the name and version of the software system that passed the conformance test and the results of the test. The process is similar to that followed by The Open Group (see http://www.opengroup.org/collaboration-services/certification.html).
Initially, all assessments are performed by the CERT Division. In the future, third parties may be accredited to perform certifications.