CERT Secure Coding Standards Improve the Quality and Security of Commercial Software Products

Press Release

FOR IMMEDIATE RELEASE

SEI Public Relations
Tel: 412-268-4793
E-mail: public-relations@sei.cmu.edu

By using source code analysis tools integrated with the standards, organizations can prevent significant vulnerabilities.

Pittsburgh, PA, October 28, 2008 – Society's increased dependency on networked software systems has been matched by an increase in the number of attacks aimed at these systems. The attacks – directed at governments, corporations, educational institutions, and individuals – have resulted in financial loss, the loss and compromise of sensitive data, system damage, and lost productivity and are most often enabled by common software vulnerabilities.

To address this issue, the CERT® Secure Coding Initiative, part of the CERT Program at Carnegie Mellon University's Software Engineering Institute (SEI), has released The CERT C Secure Coding Standard. It provides best practices to reduce or eliminate vulnerabilities before software is released by vendors. The standard has been published in a just-released book by Addison-Wesley titled The CERT C Secure Coding Standard. Training on the standard will be delivered by the SEI and its partners.

"To create secure software, developers must know where the dangers lie. Secure programming in C can be more difficult than even many experienced programmers believe, and without expert guidelines, impossible to achieve," said Robert Seacord, technical lead for the CERT Secure Coding Initiative. "The standard helps developers eliminate insecure coding practices and undefined behaviors that can lead to exploitable vulnerabilities."

The standard was developed to provide organizations with the ability to develop code that is robust and more resistant to attack. The standard’s guidelines – if applied appropriately – eliminate the critical coding errors that lead to buffer overflows, format string vulnerabilities, and other common software vulnerabilities. Each guideline in the standard provides examples of insecure code and alternative secure code implementations. The standard is currently being used as a basis for the Global Information Assurance Certification (GIAC) Secure Software Programmer-C (GSSP-C) exam and certification.

More than 220 contributors and reviewers participated in the standard’s development and review over a period of two and a half years. Additionally, the standard was reviewed by the ISO/IEC WG14 international standardization working group for the programming language C, members of the Association of C and C++ Users (ACCU), and other members of the C language development and software security communities.

"I’m an enthusiastic supporter of the CERT Secure Coding Initiative," says Randy Meyers, Chairman of ANSI C. "Programmers have lots of sources of advice on correctness, clarity, maintainability, performance, and even safety. Advice on how specific language features affect security has been missing. The CERT C Secure Coding Standard fills this need."

To ensure that the source code conforms to this secure coding standard, it is necessary to have measures in place that check for rule violations. The most effective means of achieving this is to use one or more static analysis tools. Where a rule cannot be checked by a tool, a manual review is required. Both free and commercial source code analysis tools are available to automatically detect violations of CERT C Secure Coding Standard rules and recommendations. Software analysis tools from Lawrence Livermore National Laboratory, LDRA Ltd., and Fortify Software, Inc. have all had their capabilities extended to automatically diagnose violations of CERT secure coding guidelines.

Organizations interested in learning how to use tools to apply the CERT Secure Coding Standard can learn more by visiting www.cert.org/secure-coding/. 

About the Software Engineering Institute and the CERT Program
The Software Engineering Institute (SEI) is a U.S. Department of Defense federally funded research and development center operated by Carnegie Mellon University. The SEI helps organizations make measured improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. The CERT Program serves as a center of enterprise and network security research, analysis, and training within the SEI. For more information, visit the CERT website at www.cert.org and the SEI website at www.sei.cmu.edu.

For more information

Media Contacts: 

Richard Lynch

public-relations@sei.cmu.edu