The Cert C Coding Standard ― 98 Rules for Developing Safe, Reliable, and Secure Systems

Software security has major implications for the operations and assets of organizations, as well as for the welfare of individuals. To create secure software, developers must know where the dangers lie. Secure programming in C can be more difficult than even many experienced programmers believe. CERT's secure programming initiative, from which this book is drawn, defines a set of rules that is necessary to ensure the security and overall reliability of software systems being developed in the C programming language, as specified by the new C11 standard. The CERT C Coding Standard explains this standard to give programmers concrete, practical, and shared guidelines for measuring the security and reliability of their software and to build with sufficient quality to meet the needs of the software's users.

This book is an essential desktop reference for the CERT C coding standard. Written as an organized set of rules, the book is designed to be adopted by organizations for all their C programmers to follow and intended to be used as a reference by both programming teams and individuals. The CERT C Coding Standard is an indispensable collection of expert information. The standard itemizes those coding errors that are the root causes of software vulnerabilities in C and prioritizes them by severity, likelihood of exploitation, and remediation costs. Each guideline provides examples of insecure code as well as secure, alternative implementations. If uniformly applied, these guidelines will eliminate the critical coding errors that lead to buffer overflows, format string vulnerabilities, integer overflow, and other common software vulnerabilities.

Robert C. Seacord is a computer security specialist and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering.

Robert C. Seacord manages the Secure Coding Initiative in the CERT Division of Carnegie Mellon’s Software Engineering Institute (SEI) in Pittsburgh, PA. CERT, among other security related activities, regularly analyzes software vulnerability reports and assesses the risk to the Internet and other critical infrastructure. Robert is an adjunct professor in the Carnegie Mellon University School of Computer Science and in the Information Networking Institute. He represents CMU at PL22.11 (ANSI “C”) and is a technical expert for the JTC1/SC22/WG14 international standardization working group for the C programming language.

Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System.

Robert has a B.A. in computer science from Rensselaer Polytechnic Institute.