CERT-SEI

06/08/2012

CERT Secure Coding Initiative Tackles Standard for Perl

June 8, 2012—Having successfully coordinated projects that resulted in secure coding standards for the C, C++, and Java programming languages, the CERT Secure Coding Initiative has unveiled work on a draft standard for Perl. The members of the CERT Secure Coding Team have analyzed thousands of vulnerability reports, including reports produced by the CERT Vulnerability Analysis Team, to identify insecure coding practices in Perl. From this analysis, the team has developed the draft Perl secure coding standard. The goal for the standard is to provide software developers with a tool for reducing or eliminating vulnerabilities before deployment. This work is being sponsored by the Department of Homeland Security, Network Security Deployment Division.

"In our analysis, we performed Perl code audits using the Source Code Analysis Lab (SCALe)," said the Secure Coding Team's David Svoboda. "Our audit process presupposes a secure coding standard. So, auditing Perl code required us to have a draft standard, which also served as a nascent set of issues. That is, many of our rules were inspired by vulnerabilities in the code we analyzed."

Most software vulnerabilities stem from a relatively small number of common programming errors. Coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to manually or automatically evaluate source code.

The draft CERT Perl Secure Coding Standard provides a core of well-documented and enforceable coding rules and recommendations for the Perl programming language. Developing this core of draft rules into a comprehensive standard can help programmers realize significant security improvements in a variety of programming contexts. "Perl is the most prominent scripting language in the Unix world," noted Svoboda. "It predates other scripting languages like PHP, Python, and Ruby."

To augment the standard, the CERT Program invites collaboration from interested professionals in the software development and software security communities. As with all of the Secure Coding Team's standards work, the goal of this project is to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Its application will lead to higher-quality systems that are more robust and resistant to attack. To get involved, software development professionals should visit www.securecoding.cert.org, create an account, sign in, and start commenting on the rules.

For more information on the CERT Secure Coding Standard for Perl, please visit www.securecoding.cert.org/confluence/display/perl/CERT+Perl+Secure+Coding+Standard.

Media Contact

If you are a member of the media or analyst community and would like to schedule an interview with an SEI expert, please contact:

SEI Public Relations
Richard Lynch
Media Line: 412-268-4793
Email: public-relations@sei.cmu.edu
