At one extreme, a secure coding standard can be developed for a particular release of a compiler from a particular vendor. At the other extreme, the standards can be designed to be not only compiler independent but also language independent.
A coding standard for a particular compiler release has the largest possible benefit to the smallest group of users. Targeting a particular compiler allows for the definition of rules and guidelines that deal specifically with the peculiarities of that implementation, including defects in the implementation and non-standard extensions. At the other extreme, a language- independent coding standard has the least possible benefit to the largest possible group of users, as the rules and guidelines specified at this level of abstraction are largely notional.
The secure coding standards proposed by CERT are based on documented standard language versions as defined by official or de facto standards organizations. For example, secure coding standards are planned for the following languages:
Wiki Markup C programming language (ISO/IEC 9899:1999) \[5\]
Wiki Markup C+\+ programming language ( ISO/IEC 9899:1999) \[6\]
Wiki Markup Sun Microsystems' Java2 Platform Standard Edition 5.0 API Specification \[19\]
Wiki Markup C# programming language (ISO/IEC 23270:2003) \[7\]
| Wiki Markup |
|---|
Applicable technical corrigenda and documented language extensions such as the ISO/IEC TR 24731 extensions to the C library \[8\] will also be considered. |
The scope allows specific guidance to be provided to broad classes of users. Programming language standards, like those created by ISO/IEC, are primarily intended for compiler implementers. Secure coding standards are ancillary documents that provide rules and guidance directly to developers who program languages defined by these standards.