...
A secure coding standard consists of rules and recommendations. Coding practices are defined to be rules when all of the following conditions are met:
- Violation of the coding practice will result in a security flaw that may result in an exploitable vulnerability.
- There is an enumerable set of exceptional conditions (or no such conditions) where violating the coding practice is necessary to ensure the correct behavior for the program.
- Conformance to the coding practice can be verified.
...
Recommendations are guidelines or suggestions. Coding practices are defined to be recommendations when all of the following conditions are met:
- Application of the coding practice is likely to improve system security.
- One or more of the requirements necessary for a coding practice to be considered a rule cannot be met.
Compliance with recommendations is not necessary to claim compliance with a coding standard. It is possible, however, to claim compliance with one or more verifiable guidelines. The set of recommendations that a particular development effort adopts depends on the security requirements of the final software product. Projects with high-security requirements can dedicate more resources to security and are thus likely to adopt a larger set of recommendations.