Secure Coding Standards

Coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization, rather than by the programmer’s familiarity or preference. Developers and software designers can apply these coding standards during software development to create secure systems.

The use of secure coding standards defines a set of rules and recommendations against which the source code can be evaluated for conformance. Secure coding standards provide a metric for evaluating and contrasting software security, safety, reliability, and related properties.

The CERT Program coordinates the development of secure coding standards by security researchers, language experts, and software developers using a wiki-based community process. More than 500 contributors and reviewers have participated in the development of secure coding standards on the CERT Secure Coding Standards wiki.

In addition to being used by software developers, these secure coding guidelines enable the CERT SCALe to evaluate conformance.

The CERT Program has completed two secure coding standards, which are available as books from Addison-Wesley:

• The CERT C Secure Coding Standard, Version 1.0
  This is the official version of the C language standards against which conformance testing is performed.
• The CERT Oracle Secure Coding Standard for Java

We are currently developing three additional standards:

• The CERT C Secure Coding Standard, Version 2.0
• The CERT C++ Secure Coding Standard
• The CERT Perl Secure Coding Standard

To learn how these secure coding standards can help DoD acquisition programs address software security, read the technical note Supporting the Use of CERT Secure Coding Standards in DoD Acquisitions.