A Technical History of the SEI
Secure Coding

The Challenge: Preventing Software Vulnerabilities

Software vulnerabilities open the Department of Defense, other federal agencies, and businesses to attacks that could compromise their systems’ integrity or expose or modify their critical information. Software vulnerabilities also put our nation’s critical infrastructure at risk. Successful exploitation of these vulnerabilities has severe consequences: financial loss, loss or compromise of sensitive data, damage to critical systems, and loss of productivity.

The traditional, reactive approach of mitigating software vulnerabilities after the product’s release is expensive and leaves software users exposed and, frequently, compromised until a patch is released—if customers can keep up with patches at all. Some vulnerabilities are never patched. Preventing the introduction of software vulnerabilities during software development is a proactive, efficient way to reduce risk before the software is ever deployed.

A Solution: Secure Coding Standards and Practices

The CERT/CC has analyzed and cataloged thousands of software vulnerabilities and discovered that many share the same common errors. Deficient or error-prone constructs in the programming languages were frequently a factor. In 2003, the SEI formed the Secure Coding Initiative, whose goals were to enumerate errors in coding that can result in software vulnerabilities and to develop and promote mitigation strategies.[35] By engaging more than a thousand security researchers, language experts, and software developers, the initiative produced secure coding standards for common software development languages such as C and Java. These standards guide programmers to avoid coding errors that lead to vulnerabilities; the standards also provide solution examples. Having standards encourages programmers to follow uniform coding rules and guidelines determined by the requirements of a project or organization, rather than by personal coding preferences or familiarity.

The View from Others

We are thrilled to be the first company to deliver a CERT C compliant programming checker as we believe this new standard will play a significant role in the development of higher quality systems that are more robust and more resistant to attack.
– Ian Hennell, LDRA Operations Director [Businesswire 2008]

I’m an enthusiastic supporter of the CERT Secure Coding Initiative. Programmers have lots of sources of advice on correctness, clarity, maintainability, performance, and even safety. Advice on how specific language features affect security has been missing. The CERT® C Secure Coding Standard fills this need.
– Randy Meyers, Chairman of ANSI C [Seacord 2013]

[35] Details about the work of the Secure Coding Initiative can be found at http://www.cert.org/securecoding.

CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 177
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.