The proper application of this standard would enable a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 2, Release 1 [DISA 2008]:

  • (APP2060.1: CAT II) The Program Manager will ensure the development team follows a set of coding standards.
  • (APP2060.2: CAT II) The Program Manager will ensure the development team creates a list of unsafe functions to avoid and document this list in the coding standards.
  • (APP3550: CAT I) The Designer will ensure the application is not vulnerable to integer arithmetic issues.
  • (APP3560: CAT I) The Designer will ensure the application does not contain format string vulnerabilities.
  • (APP3570: CAT I) The Designer will ensure the application does not allow Command Injection.
  • (APP3590.1: CAT I) The Designer will ensure the application does not have buffer overflows.
  • (APP3590.2: CAT I) The Designer will ensure the application does not use functions known to be vulnerable to buffer overflows.
  • (APP3590.3: CAT II) The Designer will ensure the application does not use signed values for memory allocation where permitted by the programming language.
  • (APP3600: CAT II) The Designer will ensure the application has no canonical representation vulnerabilities.
  • (APP3630.1: CAT II) The Designer will ensure the application is not vulnerable to race conditions.
  • (APP3630.2: CAT III) The Designer will ensure the application does not use global variables when local variables could be used.

Training programmers and software testers on the standard will satisfy the following requirements:

  • (APP2120.3: CAT II) The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis.
  • (APP2120.4: CAT II) The Program Manager will ensure testers are provided annual training.
  • (APP2060.3: CAT II) The Designer will follow the established coding standards established for the project.
  • (APP2060.4: CAT II) The Designer will not use unsafe functions documented in the project coding standards.
  • (APP5010: CAT III) The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.