
Software systems can be validated as conforming to the CERT C Secure Coding Standard. Source code analysis tools, including compilers and static analysis tools, can be certified as able to validate source code as conforming to this standard.

Source Code Compliance

The CERT C Secure Coding Standard can be used as a measure of software security by determining the degree to which a software system complies with the rules and recommendations in this standard. While compliance does not guarantee the absence of vulnerabilities (for example, vulnerabilities resulting from design flaws), it does guarantee the absence of coding errors that are commonly found to be the root causes of vulnerabilities.

...

Compilers and source code analysis tools are trusted processes, meaning that a degree of reliance is placed on the output of the tools. Consequently, developers must ensure that this trust is not misplaced. Ideally, this should be achieved by the tool supplier running appropriate validation tests. While it is possible to use a validation suite to test a compiler or source code analysis tools, no formal validation scheme exists at the time of publication of this book.

Levels

Rules and recommendations in this standard are classified into three levels (see Priority and Levels). Emphasis should be placed on conformance Level 1 (L1) rules. Software systems that have been validated as complying with all Level 1 rules are considered to be L1 Conforming. Software systems can be assessed as L1, L2, or fully conforming depending on the set of rules to which the system has been validated.

Rules versus Recommendations

Conformance to secure coding rules must be demonstrated to claim compliance with this standard unless an exceptional condition exists. If an exceptional condition is claimed, the exception must correspond to a predefined exceptional condition and the application of this exception must be documented in the source code.

...

Deviations may occur for a specific instance, typically in response to circumstances that arise during the development process, or for a systematic use of a particular construct in a particular circumstance. Systematic deviations are usually agreed upon at the start of a project.

For these secure coding rules to have authority, it is necessary that a formal procedure be used to authorize these deviations rather than an individual programmer having discretion to deviate at will. The use of a deviation must be justified on the basis of both necessity and security. Rules that have a high severity and/or a high likelihood require a more stringent process for agreeing to a deviation than do rules and recommendations with a low severity that are unlikely to result in a vulnerability.

To claim compliance with this standard, software developers must be able to produce on request documentation as to which systematic and specific deviations have been permitted during development.

...
