ISO/IEC Standards

The CERT Division participates in the development of international standards for programming languages to improve the safety and security of these languages. The CERT Division is a voting member of PL2.16 C++, INCITS PL22 Programming Languages, and PL22.11 Programming Language C and sends technical experts to ISO/IEC working group meetings for C, C++, and programming language vulnerabilities. Working with technical experts in these international standards bodies has led to the following advancements (among others):

  • publication of TR 24731-1 and TR 24732-2, followed by their inclusion into a conditionally normative annex for C1X
  • security improvements to C standard library functions
  • deprecation of the gets() function in C99 and its removal from C1X
  • inclusion of the Analyzability Annex into the conditionally normative annex for C1X
  • successful balloting of PDTR 24772.2, Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use
  • formation of the C Secure Coding Guidelines Study Group within WG14 to study the problem of producing analyzable secure coding guidelines for C99 and C1X

The CERT Division's Secure Coding Standards Research program examines existing ISO/IEC international standards for security issues and solutions.

Revision to ISO and IEC Standards

For the past several years, the CERT Secure Coding team has contributed to a major revision of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard for the C programming language. The team has focused on introducing enhancements to C and its standard library to address security issues, such as buffer overflows, and Secure Coding team members are involved in ISO/IEC Program Languages Vulnerabilities Working Group 23, which prepares comparative guidance spanning multiple programming languages. With this approach, application developers are better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. Members of the Secure Coding team participated in this ISO/IEC effort by contributing to the technical report titled Guidance for Avoiding Vulnerabilities through Language Selection and Use.

The blog post Improving Security in the Latest C Programming Language Standard, David Keaton describes these efforts to revise ISO and IEC standards for the C programming language. The team focused on introducing enhancements to C and its standard library, and David's post explores two of the team's changes: bounds-checking interfaces and analyzability.

Members of the CERT Secure Coding team have authored many ISO/IEC standards proposals in their roles on the ISO/IEC committees.

The CERT Division's participation in international standards bodies improves the quality of the secure coding standards and processes and provides a channel for their adoption and publication as international standards.