You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 14 Next »

If a code-generating tool is to be used, it is necessary to select an appropriate tool and undertake validation. Adherence to the requirements of this document may
provide one criterion for assessing a tool.

Secure coding guidance varies depending on how code is generated and maintained. Categories of code include:

  • Tool-generated, tool-maintained - code that is specified and maintained in a higher level format, from which language-specific source code is generated. The source code is generated from this higher level description and then provided as input to the language compiler. The generated source code is never viewed or modified by the programmer.
  • Tool-generated, hand-maintained - code that is specified and maintained in a higher level format, from which language-specific source code is generated. It is expected or anticipated, however, that at some point in the development cycle the tool will cease to be used and the generated source code will be visually inspected and/or manually modified and maintained.
  • Hand-coded - code that has been manually written by a programmer using a text editor or interactive development environment in which the programmer maintains source code directly in the source code format provided to the compiler.

Source code that is written and maintained by hand must have the following properties:

  • readability
  • program comprehension

These requirements are not applicable for source code that is never directly handled by a programmer, although requirements for correct behavior still apply. Reading and comprehension requirements apply to code that is tool-generated and hand-maintained but does not apply to code that is tool-generated and tool-maintained. Tool-generated, tool-maintained code can impose consistent constraints that ensure the safety of some constructs that are risky in hand-generated code.

The following rules and recommendations do not apply to code that is tool-generated and tool-maintained:


Priority and Levels      00. Introduction       Compliance

  • No labels