- Author:
- Robert C. Seacord
Im an enthusiastic supporter of the CERT Secure Coding Initiative. Programmers have lots of sources of advice on correctness, clarity, maintainability, performance, and even safety. Advice on how specific language features affect security has been missing. The CERT C Secure Coding Standard fills this need.Randy Meyers, Chairman of ANSI CFor years we have relied upon the CERT/CC to publish advisories documenting an endless stream of security problems. Now CERT has embodied the advice of leading technical experts to give programmers and managers the practical guidance needed to avoid those problems in new applications and to help secure legacy systems. Well done!Dr. Thomas Plum, founder of Plum Hall, Inc.Connectivity has sharply increased the need for secure, hacker-safe applications. By combining this CERT standard with other safety guidelines, customers gain all-round protection and approach the goal of zero-defect software.Chris Tapp, Field Applications Engineer, LDRA Ltd.Ive found this standard to be an indispensable collection of expert information on exactly how modern software systems fail in practice. It is the perfect place to start for establishing internal secure coding guidelines. You wont find this information elsewhere, and, when it comes to software security, what you dont know is often exactly what hurts you.John McDonald, coauthor of The Art of Software Security AssessmentSoftware security has major implications for the operations and assets of organizations, as well as for the welfare of individuals. To create secure software, developers must know where the dangers lie. Secure programming in C can be more difficult than even many experienced programmers believe.This book is an essential desktop reference documenting the first official release of The CERT C Secure Coding Standard. The standard itemizes those coding errors that are the root causes of software vulnerabilities in C and prioritizes them by severity, likelihood of exploitation, and remediation costs. Each guideline provides examples of insecure code as well as secure, alternative implementations. If uniformly applied, these guidelines will eliminate the critical coding errors that lead to buffer overflows, format string vulnerabilities, integer overflow, and other common software vulnerabilities.
Cited By
Pundir N, Aftabjahani S, Cammarota R, Tehranipoor M and Farahmandi F (2022). Analyzing Security Vulnerabilities Induced by High-level Synthesis, ACM Journal on Emerging Technologies in Computing Systems, 18:3, (1-22), Online publication date: 31-Jul-2022.- KØien G (2019). Why Cryptosystems Fail Revisited, Wireless Personal Communications: An International Journal, 106:1, (85-117), Online publication date: 1-May-2019.
- Todorov V, Boulanger F and Taha S Formal verification of automotive embedded software Proceedings of the 6th Conference on Formal Methods in Software Engineering, (84-87)
- Rhein A, Liebig J, Janker A, Kästner C and Apel S (2018). Variability-Aware Static Analysis at Scale, ACM Transactions on Software Engineering and Methodology, 27:4, (1-33), Online publication date: 31-Oct-2018.
- Rigger M, Schatz R, Grimmer M and Mössenböck H Lenient Execution of C on a Java Virtual Machine Proceedings of the 14th International Conference on Managed Languages and Runtimes, (35-47)
- Piessens F and Verbauwhede I Software security Proceedings of the 2016 Conference on Design, Automation & Test in Europe, (990-999)
- Coblenz M, Sunshine J, Aldrich J, Myers B, Weber S and Shull F Exploring language support for immutability Proceedings of the 38th International Conference on Software Engineering, (736-747)
- Ibing A Architecture description language based retargetable symbolic execution Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, (241-246)
- Sidiroglou-Douskos S, Lahtinen E, Rittenhouse N, Piselli P, Long F, Kim D and Rinard M (2015). Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement, ACM SIGARCH Computer Architecture News, 43:1, (473-486), Online publication date: 29-May-2015.
- Sidiroglou-Douskos S, Lahtinen E, Rittenhouse N, Piselli P, Long F, Kim D and Rinard M (2015). Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement, ACM SIGPLAN Notices, 50:4, (473-486), Online publication date: 12-May-2015.
- Sidiroglou-Douskos S, Lahtinen E, Rittenhouse N, Piselli P, Long F, Kim D and Rinard M Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, (473-486)
- Zhu J, Chu B, Lipford H and Thomas T Mitigating Access Control Vulnerabilities through Interactive Static Analysis Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, (199-209)
- Barabanov A, Markov A, Fadin A and Tsirlov V A Production Model System for Detecting Vulnerabilities in the Software Source Code Proceedings of the 8th International Conference on Security of Information and Networks, (98-99)
- Long F, Sidiroglou-Douskos S, Kim D and Rinard M (2014). Sound input filter generation for integer overflow errors, ACM SIGPLAN Notices, 49:1, (439-452), Online publication date: 13-Jan-2014.
- Long F, Sidiroglou-Douskos S, Kim D and Rinard M Sound input filter generation for integer overflow errors Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, (439-452)
- Zhu J, Lipford H and Chu B Interactive support for secure programming education Proceeding of the 44th ACM technical symposium on Computer science education, (687-692)
- Coker Z and Hafiz M Program transformations to fix C integers Proceedings of the 2013 International Conference on Software Engineering, (792-801)
- Ibing A SMT-Constrained Symbolic Execution for Eclipse CDT/Codan Revised Selected Papers of the SEFM 2013 Collocated Workshops on Software Engineering and Formal Methods - Volume 8368, (113-124)
- Coker Z Security-oriented program transformations to cure integer overflow vulnerabilities Proceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity, (103-104)
- Wang X, Chen H, Jia Z, Zeldovich N and Kaashoek M Improving integer security for systems with KINT Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation, (163-177)
Index Terms
- The CERT C Secure Coding Standard