Developing software using secure coding rules is a good idea and is increasingly a requirement. The National Defense Authorization Act for Fiscal Year 2013, Section 933, "Improvements in Assurance of Computer Software Procured by the Department of Defense," requires evidence that government software development and maintenance organizations and contractors conform, in computer software coding, to approved secure coding standards of the Department of Defense (DoD) during software development, upgrade, and maintenance activities, including through the use of inspections and appraisals.
DoD acquisition programs are now specifying the Application Security and Development Security Technical Implementation Guide (STIG) in requests for proposal (RFPs). Below is information about the last two versions of the Application Security and Development STIG, Version 4, Release 1 and Version 3, Release 10.
...
Section 2.1 of the Application Security and Development STIG Overview, "Security Assessment Information," requires that "...coding standards, application vulnerability scan reports, and automated code review results are all part of the suite of system documentation that is expected to be available for review when conducting a security assessment of an application."
The proper application of this CERT Secure Coding standard enables a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 4, Release 1:
- (APSC-DV-001995: CAT II) The application must not be vulnerable to race conditions.
- (APSC-DV-002000: CAT II) The application must terminate all network connections associated with a communications session at the end of the session.
- (APSC-DV-002510: CAT I) The application must protect from command injection.
- (APSC-DV-002520: CAT II) The application must protect from canonical representation vulnerabilities.
- (APSC-DV-002530: CAT II) The application must validate all input.
- (APSC-DV-002560: CAT I) The application must not be subject to input handling vulnerabilities.
- (APSC-DV-002590: CAT I) The application must not be vulnerable to overflow attacks.
- (APSC-DV-003215: CAT III) The application development team must follow a set of coding standards.
- (APSC-DV-003235: CAT II) The application must not be subject to error handling vulnerabilities.
Adopting secure coding verification processes and training programmers and software testers on the standard helps to satisfy the following requirements:
...
The proper application of this standard enables a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 3, Release 10:
...
Training programmers and software testers on the standard helps to satisfy the following requirements:
...