CERT
 
 

Secure Coding

Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. The CERT/CC has observed, through an analysis of thousands of vulnerability reports, that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment.

The CERT Secure Coding Initiative works with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before they are deployed. We work to identify common programming errors that lead to software vulnerabilities, establish secure coding standards, educate software developers, and advance the state of the practice in secure coding.

Announcements

  • Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools
    This report describes a study conducted by the CERT Secure Coding Initiative and JPCERT to evaluate the efficacy of the CERT Secure Coding Standards and source code analysis tools in improving the quality and security of commercial software projects.
  • Ranged Integers for the C Programming Language
    SEI Technical Note CMU/SEI-2007-TN-027, authored by members of the Secure Coding Initiative, has been published. This note describes an extension to the C programming language to introduce the notion of ranged integers.
  • A draft of the CERT C Programming Language Secure Coding Standard (Document No. N1255) has been accepted for review at the upcoming meeting of the JTC1/SC22/WG14 in Kona, Hawaii. This group is the international standardization working group for the programming language C.

  • New Vodcast: Secure Coding Project
    Robert Seacord talks about the Secure Coding Project.


Current Projects

Secure Coding standards web site
A collaborative site that provides rules and recommendations for secure coding practices in the C and C++ programming languages is now available at http://www.securecoding.cert.org. You are invited to review and comment on already codified practices or submit suggestions for new practices. If you have a comment or suggestion concerning the site, or would like to be more directly involved in the effort, send email to secure-coding at cert dot org.

Managed string library
A beta implementation of the managed string library specified by "Specifications for Managed Strings" is now available for download. The managed string library provides a more secure alternative to standard null-terminated byte strings in C. Managed string functions dynamically allocate memory as required, eliminating the possibility of buffer overflows, string truncation, and other common programming errors.

Secure integer library
A beta version of the secure integer library is now available at http://www.cert.org/secure-coding/IntegerLib.zip. This library includes functions for safe integer conversions and arithmetic operations.


SEI Books

Secure Coding in C and C++

Robert Seacord
Addison-Wesley, September 2005.
ISBN-13: 9780321335722
ISBN-10: 0321335724


Software Security Engineering: A Guide for Project Managers

Robert J. Ellison
Nancy R. Mead
Gary McGraw
Sean Barnum
Julia H. Allen
Addison-Wesley, May 2008
ISBN-13: 9780321509178
ISBN-10: 032150917X
(Official book website)



Training

Secure Coding in C and C++
CERT offers 1- and 2-day courses in "Secure Coding in C and C++". For more information see:

Last updated June 17, 2008