This secure coding standard consists of rules and recommendations.
Coding practices are defined to be rules when the following conditions are met:
Implementation of the secure coding rules defined in this standard is necessary (but not sufficient) to ensure the security of software systems developed in the Perl programming language.
Rules are identified by the label rule.
Recommendations are guidelines or suggestions. Coding practices are defined to be recommendations when all of the following conditions are met:
The set of recommendations that a particular development effort adopts depends on the security requirements of the final software product. Projects with high security requirements can dedicate more resources to security and are consequently likely to adopt a larger set of recommendations.
To ensure that the source code conforms to this secure coding standard, it is necessary to have measures in place that check for rule violations. The most effective means of achieving this is to use one or more static analysis tools. Where a rule cannot be checked by a tool, a manual review is required.
Recommendations are identified by the label recommendation.
Any rule or recommendation may specify a small set of exceptions detailing the circumstances under which the coding practice is not necessary to ensure the security of software. Exceptions are informative only and are not required to be followed.
Coding practices that specify one or more exceptions are identified by the label exceptions.
Each rule and recommendation is given a unique identifier. These identifiers consist of three parts:
The three-letter mnemonic can be used to group similar coding practices and to indicate to which category a coding practice belongs.
The numeric value is used to give each coding practice a unique identifier. Numeric values in the range of 00–29 are reserved for recommendations, while values in the range of 30–99 are reserved for rules.