CERT Secure Coding Standards

jm January 7th, 2007

You should check out the CERT Secure Coding Standards. We’ve started contributing to them recently, as we think they are interesting and quite well done. The standards are a community effort and a work in progress, so feel free to help out. The best way to start is by leaving comments on the appropriate pages with your ideas and/or criticisms.

One aspect of the standard that I think is particularly good is the separation between rules and recommendations. Rules are things you definitely don’t want to do in your code, because you are very likely shooting yourself in the foot. Recommendations are closer to best-practice coding idioms that buttress your code base against attack or help inform program design. For example, there is a rule that says "MEM31-C. Free dynamically allocated memory exactly once." A double free is categorically bad (it corrupts the allocator’s bookkeeping and is a well-known route to memory corruption) and should never occur in production code. An example of a recommendation is "MEM00-A. Allocate and free memory in the same module, at the same level of abstraction." This is absolutely sound advice, and following it removes a whole class of ownership confusion that leads to double frees and leaks. It is a recommendation rather than a rule, though, because there are situations in real-world code where you might have solid reasons for violating this design. I think it’s this subtlety of analysis that will make the standard genuinely useful in real-world development efforts.
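To make the two ideas concrete, here is an added example in C (mine, not code from the CERT standard or from this post). It uses a small record type with a heap-allocated name; the record format, the function names and the sample inputs are assumptions made for illustration. The first function shows the usual shape of a MEM31-C violation: an error path frees a buffer but leaves the stale pointer in the struct, so the caller’s normal cleanup frees it a second time. The pair that follows shows MEM00-A in practice: allocation and release live in the same module behind matching init/destroy functions, every path that frees the buffer also resets the pointer, and destroy is safe to call twice.

```c
/* Added example (not from the CERT page or this post): MEM31-C and MEM00-A
 * illustrated on a small record type. The struct, the function names and the
 * sample inputs are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A tiny record: a heap-allocated copy of a NUL-terminated name. */
struct record {
    char *name;
};

/* MEM31-C violation, as it typically appears in real code. The error path
 * frees r->name but leaves the stale pointer in the struct, so a caller that
 * runs its normal cleanup (record_destroy below) frees it a second time.
 * Kept only to show the shape of the bug; it is never called here. */
int load_record_bad(struct record *r, const char *src, size_t maxlen)
{
    r->name = malloc(maxlen + 1);
    if (r->name == NULL)
        return -1;
    if (strlen(src) > maxlen) {
        free(r->name);              /* freed here ...                          */
        return -1;                  /* ... and r->name still holds the pointer, */
    }                               /* so the caller's destroy frees it again   */
    memcpy(r->name, src, strlen(src) + 1);
    return 0;
}

/* MEM31-C compliant: r->name is either NULL or owned, on every path. Input is
 * validated before the allocation, so the error path has nothing to free. */
int record_init(struct record *r, const char *src, size_t maxlen)
{
    r->name = NULL;
    if (strlen(src) > maxlen)
        return -1;                  /* rejected before allocating */
    r->name = malloc(maxlen + 1);
    if (r->name == NULL)
        return -1;
    memcpy(r->name, src, strlen(src) + 1);
    return 0;
}

/* MEM00-A: the module that allocates the name is the module that frees it,
 * behind one function at the same level of abstraction as record_init().
 * Callers never call free() on r->name themselves. Resetting the pointer
 * makes a repeated destroy harmless (free(NULL) is a no-op). */
void record_destroy(struct record *r)
{
    free(r->name);
    r->name = NULL;
}

/* Drives the pair through the paths a reviewer would check: success, a
 * repeated destroy, and rejected input. Returns 0 if all behave as expected,
 * otherwise a small code identifying the failing check. */
int record_selfcheck(void)
{
    struct record r;

    /* Constructed sample input: a short name that fits. */
    if (record_init(&r, "alice", 16) != 0 || strcmp(r.name, "alice") != 0)
        return 1;
    record_destroy(&r);
    if (r.name != NULL)
        return 2;
    record_destroy(&r);             /* second destroy: no double free */

    /* Constructed sample input: a name longer than the limit. */
    if (record_init(&r, "this-name-is-far-too-long", 8) != -1)
        return 3;
    if (r.name != NULL)             /* nothing leaked, nothing dangling */
        return 4;
    record_destroy(&r);
    return 0;
}

int main(void)
{
    int rc = record_selfcheck();
    printf("record self-check: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

The auditing angle mentioned below falls out of the fixed version: with one owner and one release point, the question "can this pointer be freed twice?" becomes a local check on record_init() and record_destroy() instead of a hunt across every caller.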

It looks like it will be a useful resource for its intended purpose as a baseline for secure coding standards (i.e. if you need to put together secure coding guidelines for your organization, it should be a great starting point). That said, it’s also useful for code auditing, as the rules encapsulate a lot of ideas about what can go wrong in code. It’s approaching the problem from a slightly different angle, but in general, for every rule there are one or more implied insecure practices that you can audit against.

A quick plug: Robert C. Seacord is one of the chief contributors to the effort, and we might be able to coerce him into doing a guest post later on. If you haven’t bought his book, "Secure Coding in C and C++," we highly recommend it.
