“I’m an enthusiastic supporter of the CERT Secure
Coding Initiative. Programmers have lots of sources of advice on
correctness, clarity, maintainability, performance, and even
safety. Advice on how specific language features affect security
has been missing. The CERT® C Secure Coding
Standard fills this need.”
–Randy Meyers, Chairman of ANSI C

“For years we have relied upon the CERT/CC to publish
advisories documenting an endless stream of security problems. Now
CERT has embodied the advice of leading technical experts to give
programmers and managers the practical guidance needed to avoid
those problems in new applications and to help secure legacy
systems. Well done!”
–Dr. Thomas Plum, founder of Plum Hall, Inc.

“Connectivity has sharply increased the need for secure,
hacker-safe applications. By combining this CERT standard with
other safety guidelines, customers gain all-round protection and
approach the goal of zero-defect software.”
–Chris Tapp, Field Applications Engineer, LDRA Ltd.

“I’ve found this standard to be an indispensable
collection of expert information on exactly how modern software
systems fail in practice. It is the perfect place to start for
establishing internal secure coding guidelines. You won’t
find this information elsewhere, and, when it comes to software
security, what you don’t know is often exactly what hurts
you.”
–John McDonald, coauthor of The Art of Software Security Assessment

Software security has major implications for the operations and
assets of organizations, as well as for the welfare of individuals.
To create secure software, developers must know where the dangers
lie. Secure programming in C can be more difficult than even many
experienced programmers believe.

This book is an essential desktop reference documenting the first
official release of The CERT® C Secure
Coding Standard. The standard itemizes those coding errors
that are the root causes of software vulnerabilities in C and
prioritizes them by severity, likelihood of exploitation, and
remediation costs. Each guideline provides examples of insecure
code as well as secure, alternative implementations. If uniformly
applied, these guidelines will eliminate the critical coding errors
that lead to buffer overflows, format string vulnerabilities,
integer overflow, and other common software
vulnerabilities.