The CERT Division participates in the development of international standards for programming languages to improve the safety and security of these languages. The CERT Division is a voting member of PL2.16 C++, INCITS PL22 Programming Languages, and PL22.11 Programming Language C and sends technical experts to ISO/IEC working group meetings for C, C++, and programming language vulnerabilities. Working with technical experts in these international standards bodies has led to the following advancements (among others):
The CERT Division's Secure Coding Standards Research program examines existing ISO/IEC international standards for security issues and solutions.
For the past several years, the CERT Secure Coding team has contributed to a major revision of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard for the C programming language. The team has focused on introducing enhancements to C and its standard library to address security issues, such as buffer overflows, and Secure Coding team members are involved in ISO/IEC Program Languages Vulnerabilities Working Group 23, which prepares comparative guidance spanning multiple programming languages. With this approach, application developers are better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. Members of the Secure Coding team participated in this ISO/IEC effort by contributing to the technical report titled Guidance for Avoiding Vulnerabilities through Language Selection and Use.
The blog post Improving Security in the Latest C Programming Language Standard, David Keaton describes these efforts to revise ISO and IEC standards for the C programming language. The team focused on introducing enhancements to C and its standard library, and David's post explores two of the team's changes: bounds-checking interfaces and analyzability.
Members of the CERT Secure Coding team have authored many ISO/IEC standards proposals in their roles on the ISO/IEC committees.
The CERT Division's participation in international standards bodies improves the quality of the secure coding standards and processes and provides a channel for their adoption and publication as international standards.