At one extreme, a secure coding standard can be developed for a particular release of a compiler from a particular vendor. At the other extreme, the standards can be designed to be not only compiler independent but also language independent.
A coding standard for a particular compiler release has the largest possible benefit to the smallest group of users. Targeting a particular compiler allows for the definition of rules and guidelines that deal specifically with the peculiarities of that implementation, including defects in the implementation and non-standard extensions. At the other extreme, a language-independent coding standard has the least possible benefit to the largest possible group of users, as the rules and guidelines specified at this level of abstraction are largely notional.
The secure coding standards proposed by CERT are based on documented standard language versions as defined by official or de facto standards organizations. For example, secure coding standards are planned for the following languages:
- C programming language (ISO/IEC 9899:1999) \[5\]
- C++ programming language \[6\]
- Sun Microsystems' Java2 Platform Standard Edition 5.0 API Specification \[19\]
- C# programming language (ISO/IEC 23270:2003) \[7\]

The CERT C Programming Language Secure Coding Standard was developed specifically for the version of the C programming language defined by:
- ISO/IEC 9899-1999 Programming Languages - C, Second Edition \[ISO/IEC 9899-1999\]
- Technical corrigenda TC1 and TC2
- ISO/IEC TR 24731-1 Extensions to the C Library - Part I: Bounds-checking interfaces \[ISO/IEC TR 24731-2006\]
- ISO/IEC WDTR 24731-2 Specification for Safer C Library Functions - Part II: Dynamic Allocation Functions
Most of the material included in this secure coding standard can also be applied to earlier versions of the C programming language.
Rules and recommendations included in this standard are designed to be operating system and platform independent. However, the best available solutions to these problems are often platform specific. In most cases, we have attempted to provide appropriate compliant solutions for POSIX-compliant and Windows operating systems. In many cases, compliant solutions have also been provided for specific platforms such as Linux or OpenBSD. Occasionally, we also point out implementation-specific behaviors when these behaviors are of interest.

the C library \[8\] will also be considered. The scope allows specific guidance to be provided to broad classes of users. Programming language standards, like those created by ISO/IEC, are primarily intended for compiler implementers. Secure coding standards are ancillary documents that provide rules and guidance directly to developers who program in languages defined by these standards.