The CERT C Secure Coding Standard
“I’m an enthusiastic supporter of the CERT Secure Coding Initiative. Programmers have lots of sources of advice on correctness, clarity, maintainability, performance, and even safety. Advice on how specific language features affect security has been missing. The CERT® C Secure Coding Standard fills this need.”
–Randy Meyers, Chairman of ANSI C
“For years we have relied upon the CERT/CC to publish advisories documenting an endless stream of security problems. Now CERT has embodied the advice of leading technical experts to give programmers and managers the practical guidance needed to avoid those problems in new applications and to help secure legacy systems. Well done!”
–Dr. Thomas Plum, founder of Plum Hall, Inc.
“Connectivity has sharply increased the need for secure, hacker-safe applications. By combining this CERT standard with other safety guidelines, customers gain all-round protection and approach the goal of zero-defect software.”
–Chris Tapp, Field Applications Engineer, LDRA Ltd.
“I’ve found this standard to be an indispensable collection of expert information on exactly how modern software systems fail in practice. It is the perfect place to start for establishing internal secure coding guidelines. You won’t find this information elsewhere, and, when it comes to software security, what you don’t know is often exactly what hurts you.”
–John McDonald, coauthor of The Art of Software Security Assessment
Software security has major implications for the operations and assets of organizations, as well as for the welfare of individuals. To create secure software, developers must know where the dangers lie. Secure programming in C can be more difficult than even many experienced programmers believe.
This book is an essential desktop reference documenting the first official release of The CERT® C Secure Coding Standard . The standard itemizes those coding errors that are the root causes of software vulnerabilities in C and prioritizes them by severity, likelihood of exploitation, and remediation costs. Each guideline provides examples of insecure code as well as secure, alternative implementations. If uniformly applied, these guidelines will eliminate the critical coding errors that lead to buffer overflows, format string vulnerabilities, integer overflow, and other common software vulnerabilities.
What people are saying - Write a review
We haven't found any reviews in the usual places.
Other editions - View all
argument arithmetic array attacker bitfield buffer overflow char file_name character compiler Compliant Solution const char conversions copy CWE ID declared defined ensure enum environment variables errno errno_t evaluated Example This noncompliant execution fgets file name fopen fsetpos function call getenv guaranteed Handle error condition identifier implementation implementationdefined incorrect input int main(void integer overflow integer type ISO/IEC PDTR Linux long long loop macro malloc memory allocation MISRA 04 MITRE 07 modify Noncompliant Code Example null pointer nullterminated byte string object Open Group Open Group 04 operands operations parameter POSIX privileges race condition realloc References results in undefined return value Risk Assessment Seacord Seacord 05a Section side effects signal handler signed integer size_t sizeof sizeof(int Solution This compliant specified string literal struct temporary files tmpvar undefined behavior unsigned char unsigned int unsigned long valid variadic function violation void volatile