Up to 90% of software security problems are caused by coding errors. That's why secure coding is more important than ever. To write secure code, you need a coding standard.
#What are secure coding standards?
Secure coding standards are the rules and guidelines used to prevent security breaches. Used effectively, secure coding standards can prevent, detect, and eliminate bugs that could compromise software security.
Why secure coding in C and C is important
Secure coding is important for every development team. It is particularly important for C and the C programming language.
C and C++ are the languages of choice for embedded development - where safety and security are paramount. That's because they are flexible, high-performance languages. But flexibility and performance come with cost risks.
Therefore, embedded developers need to write secure code in C and C++.
What is CWE? CWE Security Introduction
The Common Weakness Enumeration (CWE) is a list of C and C software security vulnerabilities. CWE lists are compiled based on community feedback. It is sponsored by MITER Corporation.
The latest version of CWE - CWE 3.1 - was released in 2018.
The CWE security vulnerability list includes more than 600 categories, such as:
1. Buffer overflow
2. Cross-site scripting
3. Insecurity The random numbers
You can use this list to identify potential weaknesses in your code.
CERT Security and Secure Coding Rules
CERT is a secure coding standard. It was developed by the CERT division of Carnegie Mellon University's Software Engineering Institute. This secure coding standard applies to C and C++.
CERT targets unsafe coding practices and undefined behavior that lead to security risks. Using CERT security rules will help you identify security issues in existing code and prevent the introduction of new issues that pose security risks.
CERT C and the C coding standard address many of the shortcomings of CWE.
MISRA Security Rules
MISRA C also provides rules to ensure secure coding.
MISRA C:2012 includes two appendices focused on safety. These map the MISRA C rules for CERT C and ISO/IEC TS 17961:2013 "C Secure".
How to apply secure coding standards
The best way to ensure secure coding in C and C++ is to use a static code analyzer.
Static code analyzer enforces coding rules and flags security violations. Helix QAC comes with code security modules - CERT, MISRA and CWE - to ensure secure software.
Includes:
1. Completely documented rule execution and message interpretation.
2. Extensive sample code.
3. Fully configurable rule processing.
4. Compliance report of security audit.
CERT Compliant Helix QAC
Helix QAC’s CERT Compliance module identifies security violations in C and C++ code. CERT security rules improve the security and quality of your code. Helix QAC automatically checks your code against CERT's secure coding rules.
This module supports the 2016 version of CERT C and CERT C coding standards.
MISRA Compliance Module
Helix QAC’s MISRA Compliance Module improves the security of C and C code. You can use these modules to automatically find security vulnerabilities in your code. You can use Helix QAC to create MISRA compliance reports.
These modules support MISRA C:2012 and MISRA C:2008 security rules.
CWE Compatibility with Helix QAC
Helix QAC's CWE compatibility module identifies weaknesses in C and C++ code. You can use these modules to improve the overall security of your codebase. Additionally, Helix QAC reports code analysis results for CWE compliance.
The above is the detailed content of Why secure coding standards matter. For more information, please follow other related articles on the PHP Chinese website!