Note: This page is part of the us-cert.gov archive. This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

SEI: Coding Practices

Published: January 04, 2006 | Last revised: May 14, 2013

Author(s): Daniel Plakosh and Robert C. Seacord

SDLC Life Cycles: Implementation

Copyright: Copyright © Carnegie Mellon University 2005-2012.

Abstract

Most software vulnerabilities are the result of small but recurring programming errors that could be easily avoided if programmers learned to recognize them and understand their potential harm. In particular, the C and C++ programming languages have proved highly susceptible to these classes of errors. This knowledge area of the Build Security In web site describes coding practices that can be used to mitigate these common problems in C and C++.

Most of the documents in this knowledge area are excerpted from the CERT book Secure Coding in C and C++ [1], written by Robert C. Seacord with contributions from other members of the CERT Coordination Center. The mitigation strategies included in this knowledge area deal primarily with vulnerabilities resulting from programming errors in string manipulation, integer operations, and dynamic memory management. For a more complete description of common programming errors and the resulting vulnerabilities, please see Secure Coding in C and C++.

Secure coding requires an understanding of common programming errors that lead to software vulnerabilities and the knowledge and use of alternative approaches that are less error prone. Secure coding can also benefit from the proper use of software development tools, including compilers. Compilers typically have options that allow increased or specific diagnostics to be performed on code during compilation. Resolving these warnings (by correcting the problem or determining that the warning is superfluous) can improve the security of your deployed software system. Compilers can also provide options that influence runtime settings, such as the /GS flag in Microsoft Visual Studio. Understanding available compiler options and making informed decisions about which options to use and which to omit can help eliminate vulnerabilities and mitigate against runtime exploitation of undiscovered or unresolved vulnerabilities. An example of the use of compiler checks to mitigate against integer vulnerabilities is described in Compiler Checks. Examples of using other static and dynamic analysis tools to discover and mitigate vulnerabilities are described in Runtime Analysis Tools and Heap Integrity Detection.
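The following is an added example, not code from the original page or from the Secure Coding in C and C++ book, illustrating the two points made above about integer errors: a compiler invoked with extra diagnostics (gcc and clang's -Wconversion is assumed here) flags the implicit narrowing conversion, and a small explicit check removes the error class entirely. Function names are hypothetical.

```c
/* Added example (not from the original page). Two common integer errors
 * in C, each shown unchecked and then with the check that removes it.
 * Compiling with extra diagnostics (assumed: gcc/clang -Wconversion)
 * reports the implicit size_t -> int narrowing below; the wraparound in
 * add_sizes_unchecked is not a conversion and must be caught by code. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: implicit size_t -> int conversion. -Wconversion warns that
 * the conversion may change the value; at runtime a length above INT_MAX
 * is silently truncated (implementation-defined result). */
int length_to_int_unchecked(size_t len)
{
    int n = len;   /* diagnosed by -Wconversion */
    return n;
}

/* Checked: refuse lengths that do not fit, so a caller can never hand a
 * truncated or negative count to an int-based API. Returns 0 on success,
 * -1 if the value is out of range. */
int length_to_int_checked(size_t len, int *out)
{
    if (len > (size_t)INT_MAX) {
        return -1;
    }
    *out = (int)len;   /* explicit, value-preserving cast */
    return 0;
}

/* Unchecked: unsigned addition wraps modulo SIZE_MAX + 1, so a buffer
 * sized from the result can be far smaller than the data written to it. */
size_t add_sizes_unchecked(size_t a, size_t b)
{
    return a + b;
}

/* Checked: detect the wraparound before performing the addition.
 * Returns 0 on success, -1 if a + b would wrap. */
int add_sizes_checked(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) {
        return -1;
    }
    *out = a + b;
    return 0;
}

int main(void)
{
    int n = 0;
    size_t total = 0;

    printf("length 100 fits in int: %s\n",
           length_to_int_checked(100, &n) == 0 ? "yes" : "no");
    printf("length SIZE_MAX fits in int: %s\n",
           length_to_int_checked(SIZE_MAX, &n) == 0 ? "yes" : "no");
    printf("SIZE_MAX + 1 unchecked wraps to: %zu\n",
           add_sizes_unchecked(SIZE_MAX, 1));
    printf("SIZE_MAX + 1 checked: %s\n",
           add_sizes_checked(SIZE_MAX, 1, &total) == 0 ? "ok" : "rejected");
    return 0;
}
```

The checked variants return a status rather than a clamped value so the caller is forced to handle the failure path; silently clamping would reintroduce the same class of size mismatch the check exists to prevent.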

Each mitigation strategy is described along with its known quality attributes, including security, performance, availability, and ease of use. We do not attempt to describe the conditions under which one mitigation strategy is preferred to another. Instead, we assume that you (the customer of the information) know what your requirements and constraints are and can make an appropriate selection based on your analysis of this information and the information contained in the referenced resources.

String Manipulation

Dynamic Memory Management

Integers

Acknowledgments

Documents in this section were authored by Robert C. Seacord and Daniel Plakosh. Documents were reviewed by Shawn Hernan, Michael Howard, and Steve Lipner of Microsoft, Jeffrey Voas of SAIC, and Gary McGraw of Cigital. Editing was performed by Pamela Curtis of the SEI.

References

[1] Seacord, Robert C. Secure Coding in C and C++. Boston, MA: Addison Wesley Professional, 2005 (ISBN 0321335724).
