This document lists resources that might be useful for improving software security. We have provided these lists for information and convenience only. As part of a Federally Funded Research and Development Center (FFRDC), the CERT Coordination Center cannot endorse any products, services, or organizations.

Other Standards and Guidelines

• TIOBE Coding Standard Methodology from TIOBE Software
• Secure Coding Guidelines for the Java Programming Language, version 2.0 from Sun Microsystems
• Build Security In
• ISO/IEC JTC1/SC22/WG14 - C
  The programming language international standardization working group offers a wide range of information, including
  • Specification for Safer, More Secure C Library Functions - a draft technical report
  • ISO/IEC 9899:TC2 - Programming languages - C - the current C programming language standard

Static Source Code Analysis Tools

• Fortify Source Code Analysis (SCA)
• Coverity Prevent Software Quality System (SQS)
• OUNCE from Ounce Labs, Inc.
• Klockwork
• CodeSonar from GrammaTech
• Understand from Scientific Toolworks, Inc.
• Splint (secure programming lint), formerly known as LCLint
• Checkmarx CxSuite
• Compass/ROSE - Compass is a tool for the checking of source code. Compass is based on the ROSE compiler infrastructure and demonstrates the use of ROSE to build many simple pattern detectors for analysis of C, C++, and Fortran source code.
• LLVM/Clang Static Analyzer - The LLVM/Clang static analyzer is a standalone tool that find bugs in C and Objective-C programs.
• FindBugs - a program to find bugs in Java code
• PMD - a program to find several types of problems with Java code
• Jlint - a program to check Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph
• PScan - A limited problem scanner for C source files
• CQUAL - A tool for adding type qualifiers to C, from University of Maryland
• BOON - Buffer Overrun detectiON from David Wagner, et al.
• MOPS - MOdelchecking Programs for Security properties from David Wagner, et al.
• ITS4 from Cigital
• Flawfinder from David Wheeler
• Uno is a tool for analysis of C source code, by Gerard Holzmann. It is designed to detect Use of uninitialized variables, Null pointer dereferences, and Out-of-bounds array indexing.
• Penjili - Static analysis tool from EADS Innovation Works. Based around an intermediary language called Newspeak. Newspeak is a simplified programming language, well-suited for the purpose of static analysis. C2Newspeak compiles C programs into Newspeak.
• Airac5 - Static Analyzer for Automatic Detection of Buffer Overrun Errors in C Programs
• C Code Analyzer
• A list of static analysis and other testing tools maintained by Gerard Holzmann
• Another list of static analysis tools from the Software Assurance Metrics And Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST)
• A list of testing tools, including model checkers and unit test generators maintained by CMU professor Jonathan Aldrich

Secure Programming

• Insecure programming by example, from Gerardo Richarte (gera) of CORE Security Technologies - a collection of examples of vulnerable code
• Reviewing Code for Integer Manipulation Vulnerabilities - Michael Howard, Microsoft Secure Windows Initiative
• An Overlooked Construct and an Integer Overflow Redux - Michael Howard, Microsoft Secure Windows Initiative
• Integer Handling with the C++ SafeInt Class - David Leblanc, Microsoft Office
• Another Look at the SafeInt Class - David Leblanc, Microsoft Office
• Scrubbing Secrets in Memory and Mitigating Cross-site Scripting Issues - Michael Howard, Microsoft Secure Windows Initiative
• Validating Input - David Wheeler
• Safe string handling libraries for C and C++:
• Vstr contains a documentation page including a detailed comparison of string libraries, and notes on security and speed among other things.
• The Safe String Library
• The XXL exception handling and asset management library