...
- there is well-known good practice to follow
- to describe an approach that, if universally followed, would both avoid violations where the normative part of the guideline applies, and would also be harmless when applied to code where the normative part of the guideline is inapplicable.
Although uncommon, some guidelines are entirely non-normative. The following guidelines, for example, are entirely non-normative:
...
guidelines are not included in this coding standard, but will be covered in a follow-on publication: Recommendations for Secure Coding in Java.
Source Code Conformance
Conformance to The CERT Oracle Secure Coding Standard for Java can be used as a security indicator or metric. While conformance does not guarantee the absence of vulnerabilities (for example, vulnerabilities resulting from design flaws), it does guarantee the absence of coding errors that are commonly found to be the root causes of vulnerabilities.
...