...
Conformance to secure coding rules must be demonstrated to claim compliance with this standard unless an exceptional condition exists. If an exceptional condition is claimed, the exception must correspond to a predefined exceptional condition and the application of this exception must be documented in the source code. Implementation of the secure coding rules defined in this standard is necessary (but not sufficient) to ensure the security of software systems developed in the C programming language.
Recommendations are guidelines or suggestions. Coding practices are defined to be recommendations when all of the following conditions are met:
...
Compliance with recommendations is not necessary to claim compliance with this standard. It is possible, however, to claim compliance with recommendations (especially in cases in which compliance can be verified). The set of recommendations that a particular development effort adopts depends on the security requirements of the final software product. Projects with high-security requirements can dedicate more resources to security and are thus likely to adopt a larger set of recommendations. Implementation of the secure coding rules defined in this standard is helpful (but not sufficient) to ensure the security of software systems developed in the C programming language.
To ensure that the source code conforms to this secure coding standard, it is necessary to have measures in place that check that none of the rules have been broken. The most effective means of achieving this is to use one or more static analysis tools. Where a rule cannot be checked by a tool, a manual review is required.
The following graph shows the number and breakdown of rules and recommendations in the CERT C Programming Language Secure Coding Standard:
...