...
Noncompliant examples in CERT C Secure Coding Standard guidelines are operating system and platform independent. However, the best solutions to secure coding problems are often platform specific. In most cases, this standard provides appropriate compliant solutions for POSIX-compliant and Windows operating systems. Language and library extensions that have been published as ISO/IEC Technical Reports or Technical Specifications are frequently given precendence, such has those described by ISO/IEC TR 24731-2 Extensions to the C Library—Part II: Dynamic Allocation Functions [ISO/IEC TR 24731-2:2010]. In many cases, compliant solutions are also provided for specific platforms such as Linux or OpenBSD. Occasionally, we also point out implementation-specific behaviors when these behaviors are of interest.
...
The C Standard documents existing practice where possible. That is, most features must be tested in an implementation before being included in the standard. The CERT C Secure Coding Standard has a different purpose. When existing practice serves this purpose, that is fine, but the goal is to create a new set of best practices, and that includes introducing some concepts that are not yet widely known. To put it a different way, the CERT C Secure Coding Standard attempts to drive change rather than just document it.
...