Cisco Systems, Inc. has announced it has adopted the CERT® C Secure Coding Standard as a baseline programming standard in its product development. The announcement came in late October at Cisco's annual SecCon conference, an internal security conference aimed at raising security awareness within the Cisco's development community.
"An essential component of every secure software development process is a set of coding practices. Rather than formulating our own, after evaluating publicly available sets of guidelines we decided to adopt the CERT C Secure Coding Standard," said Cisco's Martin Sebor. Sebor is technical leader of the C and C++ Compiler Toolchain Team in Cisco's Network Operating System Group (NOSTG).
The CERT standard provides rules and recommendations for secure coding in the C programming language. These rules and recommendations seek to eliminate insecure coding practices and undefined behaviors that can lead to exploitable vulnerabilities. By applying the secure coding standard, developers can produce higher-quality systems that are robust and more resistant to attack.
"Although Cisco already develops highly secure systems, it was not happy to rest on its laurels," said Robert C. Seacord. Seacord leads the CERT Secure Coding Team. "Cisco proactively decided to adopt the Cisco C Secure Coding Standard corporate wide to further institutionalize secure coding practices." The Cisco C Secure Coding Standard is a derivative of the CERT C Secure Coding Standard.
The CERT standard was developed over several years following a community-based development process. Cisco Systems made significant contributions to the development and evolution of the standard. Cisco's Sebor played a key in this development. "It was an easy choice to adopt the CERT standard, thanks to the high quality of material, comprehensive coverage of most aspects of the C language, and close alignment with the C language standardization process," said Sebor. "The goal of the authors of the CERT C Secure Coding Standard was to publish the document as an ANSI and ISO technical specification and to establish a baseline for modern code analysis tools. This also played an important role in our decision [to adopt the CERT standard]."
On hand for the launch was David Keaton, member of the technical staff on the CERT Secure Coding Team and chairman of American National Standards Institute (ANSI) effort for the C programming language. Keaton delivered a two-day boot camp on secure coding and presented CERT Secure Coding Standards and SCALe at the Cisco SecCon conference.
Cisco, recognizing the need for widely available and scalable training in secure coding, sponsored the development of online secure coding course modules using Carnegie Mellon University's (CMU) Open Learning Initiative (OLI) model. This effort represented a collaboration involving Cisco, CERT, OLI, and the Eberly Center for Teaching Excellence at CMU. An online demonstration version of one of the course modules, the Integer module, can be accessed at http://oli.web.cmu.edu. Enter the course key: seccode. Other companies, such as Siemens, are also contributing to the effort.
"In beginning this project, we all felt that OLI's scientific, evidence-based approach to learning is well-aligned with the SEI's development philosophy," said Norman Bier, associate director at OLI. "And, as the early results from the Integers pilot module indicate, this is a case where a multi-disciplinary team design and authorship of a course was a natural fit—this success makes a great foundation to improve and build upon with industry."
CERT welcomes the adoption of its C Secure Coding Standard by an industry leader such as Cisco. Archie Andrews, technical director for Secure Software and Systems at CERT, noted that "It is encouraging to see industry recognizes that application of secure coding standards leads to higher quality systems that are more liable to safe, dependable, and resilient."
For more information about CERT secure coding standards, please visit http://www.cert.org/secure-coding/scstandards.html.For more information about Cisco Systems, please visit http://www.cisco.com/.
If you are a member of the media or analyst community and would like to schedule an interview with an SEI expert, please contact:
SEI Public Relations
Media Line: 412-268-4793
For other useful information sources, please visit the Contact Us page.