Versions Compared

Comment: Added V4R1 to V3R10 text, rather than replacing it. Also changed training statement for V4R1.

...

DoD acquisition programs are specifying the Application Security and Development Security Technical Implementation Guide (STIG) in requests for proposal (RFPs). Below is information for the last two versions of the Application and Development Security STIG, Version 4, Release 1 [DISA 2016] and Version 3, Release 10 [DISA 2015].

Application and Development Security STIG, Version 4, Release 1 [DISA 2016]

Section 2.1 of the Application Security and Development STIG Overview, "Security Assessment Information", requires that "...coding standards, application vulnerability scan reports, and automated code review results are all part of the suite of system documentation that is expected to be available for review when conducting a security assessment of an application."

The proper application of this CERT Secure Coding standard would enable a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 4, Release 1 [DISA 2016]:

  • (APSC-DV-001995: CAT II) The application must not be vulnerable to race conditions.
  • (APSC-DV-002510: CAT I) The application must protect from command injection.
  • (APSC-DV-002520: CAT II) The application must protect from canonical representation vulnerabilities.
  • (APSC-DV-002530: CAT II) The application must validate all input.
  • (APSC-DV-002560: CAT I) The application must not be subject to input handling vulnerabilities.
  • (APSC-DV-002590: CAT I) The application must not be vulnerable to overflow attacks.
  • (APSC-DV-003215: CAT III) The application development team must follow a set of coding standards.
  • (APSC-DV-003235: CAT II) The application must not be subject to error handling vulnerabilities.

Adoption of secure coding verification processes and training programmers and software testers on the standard will help satisfy the following requirements:

  • (APSC-DV-003150: CAT II) At least one tester must be designated to test for security flaws in addition to functional testing.
  • (APSC-DV-003170: CAT II) An application code review must be performed on the application.
  • (APSC-DV-003210: CAT II) Security flaws must be fixed or addressed in the project plan.
  • (APSC-DV-003400: CAT II) The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.

Application and Development Security STIG, Version 3, Release 10 [DISA 2015]

Section 2.1.5, "Coding Standards," requires that "the Program Manager will ensure the development team follows a set of coding standards."

...

Training programmers and software testers on the standard will help satisfy the following requirements:

  • (APP2120.3: CAT II) The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis.
  • (APP2120.4: CAT II) The Program Manager will ensure testers are provided training on an annual basis.
  • (APP2060.3: CAT II) The Designer will follow the established coding standards established for the project.
  • (APP2060.4: CAT II) The Designer will not use unsafe functions documented in the project coding standards.
  • (APP5010: CAT III) The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.

...