CERT Secure Coding Initiative Tackles Standard for Perl


June 8, 2012—Having successfully coordinated projects that resulted in secure coding standards for the C, C++, and Java programming languages, the CERT Secure Coding Initiative has unveiled work on a draft standard for Perl. The members of the CERT Secure Coding Team have analyzed thousands of vulnerability reports, including reports produced by the CERT Vulnerability Analysis Team, to identify insecure coding practices in Perl. From this analysis, the team has developed the draft Perl secure coding standard. The goal for the standard is to provide software developers with a tool for reducing or eliminating vulnerabilities before deployment. This work is being sponsored by the Department of Homeland Security, Network Security Deployment Division.

“In our analysis, we performed Perl code audits using the Source Code Analysis Lab (SCALe),” said the Secure Coding Team’s David Svoboda. “Our audit process presupposes a secure coding standard. So, auditing Perl code required us to have a draft standard, which also served as a nascent set of issues. That is, many of our rules were inspired by vulnerabilities in the code we analyzed.”

Most software vulnerabilities stem from a relatively small number of common programming errors. Coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to manually or automatically evaluate source code.

The draft CERT Perl Secure Coding Standard provides a core of well-documented and enforceable coding rules and recommendations for the Perl programming language. Developing this core of draft rules into a comprehensive standard can help programmers realize significant security improvements in a variety of programming contexts. “Perl is the most prominent scripting language in the Unix world,” noted Svoboda. “It predates other scripting languages like PHP, Python, and Ruby.”

To augment the standard, the CERT Program invites collaboration from interested professionals in the software development and software security communities. As with all of the Secure Coding Team’s standards work, the goal of this project is to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Its application will lead to higher-quality systems that are more robust and resistant to attack. To get involved, software development professionals should visit www.securecoding.cert.org, create an account, sign in, and start commenting on the rules.

For more information on the CERT Secure Coding Standard for Perl, please visit www.securecoding.cert.org/confluence/display/perl/CERT+Perl+Secure+Coding+Standard.

 


For more information

Media Contacts: 

Richard Lynch

public-relations@sei.cmu.edu

412-268-4793
