Addressing Your Insecurities with CERT C
August 31, 2017
The CERT C Coding Standard consists of a set of guidelines designed to assist in the development of safe, reliable, and secure systems.
The definition of good quality code is evolving as demand for it increases. Coding practices have long been focused on functional safety for applications developed for sectors where a software malfunction could cause injury or death, such as medical devices, industrial, transportation, automotive, and aerospace.
Lately, however, functional security has been more in the news. In some instances, the difference is academic. If your heart pacemaker malfunctions as the result of a malicious attack, you really won’t care whether that was the result of a security or safety limitation in the software.
But secure coding is equally imperative away from these safety-critical sectors, where hacking can result in damaged brands, misused information, and identity theft, and where organized criminal activity such as the development of ransomware is an increasing concern. In either case, the challenge is to make sure the software as a whole is coded in such a way that it is safe AND secure, and adherence to a security-focused standard such as CERT C is central to that. This technical briefing is an introduction to both the CERT C standard and the way in which automated tools can help achieve its objectives.
- An Overview of the CERT C Secure Coding Standard
- Verifying compliance with the CERT C Secure Coding Standard
- Static Analysis
- Expression-level Data
- Control Flow Analysis
- Data Flow Analysis
- Cross Reference Analysis
- Comparing Static Analysis Tools