The CERT Division participates in the development of international standards for programming languages to improve the safety and security of these languages. The CERT Division is a voting member of PL22.16 C++, INCITS PL22 Programming Languages, and PL22.11 Programming Language C and sends technical experts to ISO/IEC working group meetings for C, C++, and programming language vulnerabilities. Working with technical experts in these international standards bodies has led to the following advancements:
For the past several years, the CERT Secure Coding team has contributed to a major revision of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard for the C programming language. The team has focused on introducing enhancements to C and its standard library to address security issues, such as buffer overflows. Secure Coding team members are also involved in ISO/IEC JTC 1/SC 22/WG23, which prepares comparative guidance spanning multiple programming languages. With this approach, application developers are better able to avoid the programming errors that lead to vulnerabilities in these languages, along with their attendant consequences. Members of the Secure Coding team participated in this ISO/IEC effort by contributing to the technical report titled Guidance for Avoiding Vulnerabilities through Language Selection and Use.
In the June 2012 blog post titled Improving Security in the Latest C Programming Language Standard, David Keaton describes these efforts to revise ISO and IEC standards for the C programming language. The team focused on introducing enhancements to C and its standard library, and David's post explores two of the team's changes: bounds-checking interfaces and analyzability.
The CERT Division's participation in international standards bodies improves the quality of the secure coding standards and processes and provides a channel for their adoption and publication as international standards.