I would like to suggest an approach to solving Kevin's problem of "How
can we stop the spreading insecure coding examples at training classes,
etc.?"

The CERT/CC has just deployed a new web site dedicated to developing
secure coding standards for the C programming language, C++, and
eventually other programming languages.  Each rule and recommendation
contains at least one non-compliant coding example (the sort of thing
you are likely to see in a poor training class) and at least one safe,
secure "compliant solution" that shows how you can do the same thing safely.

We are depending on the active involvement of the secure coding
community (you) and relevant standards bodies to make this effort a
success.  I invite you to participate in this effort by reviewing
content on the web site and providing comments, or by contributing new
rules and recommendations for secure C coding.  These can be sent to me
directly or to secure-coding at cert dot com.

I am attaching a press-release-like article we wrote below to announce
the effort.  There is also a rationale section on the web site that
provides more details as to what we are doing and why.

Thanks,
rCs

-------------------

The Carnegie Mellon Software Engineering Institute (SEI) CERT® Program
has deployed a secure coding Web site at www.securecoding.cert.org to
cooperate with the software development community in codifying a
practical and effective set of secure coding practices for popular
programming languages. These coding practices can then be used by
software developers to eliminate vulnerabilities before software is
operationally deployed.

The purpose of this project is that the practices can be used by
developers for professional development and as the basis for
organizational coding standards supporting the quality of their products.

Jeffrey Carpenter, manager of the CERT Coordination Center, says that
the project is part of a larger secure coding initiative within the
CERT/CC to eliminate dangerous coding practices that can result in
exploitable software vulnerabilities.  According to Carpenter, "CERT is
in a unique position to coordinate development of a set of secure coding
practices because of its long history in analyzing and responding to
software vulnerabilities."

CERT's initial efforts are focused on the development of secure coding
practices for the C and C++ programming languages. CERT senior
vulnerability analyst Robert Seacord is leading the secure coding
initiative. Seacord is a leading authority on secure coding, author of
the book Secure Coding in C and C++ [Seacord 05], and technical expert
for the ISO/IEC JTC1/SC22/WG14 international standardization working
group for the programming language C.

"C and C++ were selected because a large percentage of critical
infrastructures are developed and maintained using these programming
languages," Seacord says. "C and C++ are popular and viable languages
although they have characteristics that make them prone to security flaws."

"Today's dependency on networked software systems has been matched by an
increase in the number of attacks against governments, corporations,
educational institutions, and individuals. These attacks result in the
loss and compromise of sensitive data, system damage, lost productivity,
and financial loss," says Seacord. To address this growing threat, the
introduction of software vulnerabilities during development and ongoing
maintenance must be significantly reduced, if not eliminated.

CERT recognizes that there are a number of available resources, both
online and in print, containing coding guidelines, best practices,
suggestions, and tips. The Motor Industry Software Reliability
Association (MISRA) developed guidelines for the use of the C language
in critical systems [MISRA 04], and more recently the U.S. Department of
Homeland Security launched its Build Security In web site
(https://buildsecurityin.us-cert.gov) to promote the codification of
practices and rules. These sources, however, do not provide a
prescriptive set of secure coding practices that can be uniformly
applied in the development of a software system.

"Without secure coding practices, software vulnerability reports are
likely to continue on an upward trend," Seacord says. "At CERT/CC, we
have had nearly 4,000 vulnerabilities reported in the first half of
2006. To stop the threats, we need to develop secure software from the
outset."

The secure coding practices proposed by CERT are based on standard
language versions as defined by official or de facto standards
organizations such as ISO/IEC. CERT is not an internationally recognized
standards body, but plans to work with organizations such as ISO/IEC to
advance the state of the practice in secure coding.  The ISO/IEC
JTC1/SC22 WG14 international standardization working group for the
programming language C, for example, has offered to provide direction in
the development of the C language secure coding practices and to review
and comment on drafts of the informal CERT standard.

According to WG14 convener John Benito, "The secure coding standard is
going in the correct direction, and I have confidence the final product
will be useful to the community."

CERT is also working with standards groups, such as the ISO/IEC working
group on Guidance for Avoiding Vulnerabilities through Language Use
(OWGV).  While the ISO/IEC group is working on providing
language-independent guidance, the CERT effort is working on developing
and consolidating the language-specific guidance that provides the
foundations for the ambitious goals of OWGV.

Jim Moore, convener of OWGV, states that "CERT's efforts in identifying
and documenting secure coding practices for C and C++ will contribute to
the standardization of these practices and advance the goals of the OWGV."

Community Involvement

The success of the secure coding standards depends largely on the active
involvement of members of the secure software and C and C++ development
communities. Rules and recommendations for each coding practice are
solicited from the communities involved in the development and
application of each programming language, including the formal or de
facto standard bodies responsible for the documented standard.

These rules and recommendations are edited by CERT senior members of the
technical staff for content and style, and placed on the Secure Coding
Standards Web site for comment and review. The user community is invited
to discuss and comment on the publicly posted content. Once a consensus
develops that the rule or recommendation is appropriate and correct, the
final rule is incorporated into the coding standard.

Once practices are documented, tools can be developed or modified to
verify compliance. Compliant software systems may then be certified as
compliant by a properly authorized certification body. Seacord also
envisions a training and development program to educate software
professionals regarding the appropriate application of secure coding
practices.

The development of secure coding practices is a necessary step to stem
the ever-increasing threat from software vulnerabilities. CERT's goal is
that the enumeration of secure code practices will allow for a common
set of criteria that can be used to measure and evaluate software
development efforts.

The public can review or comment on the existing content at the secure
coding Web site or submit new ideas for secure coding practices by
e-mailing [EMAIL PROTECTED]. Robert Seacord can be reached at
[EMAIL PROTECTED].


*******************************
[1] Seacord, R. Secure Coding in C and C++. Addison-Wesley, 2005. See
http://www.cert.org/books/secure-coding for news and errata.

[2] MISRA C: 2004 Guidelines for the use of the C language in Critical
systems. MIRA Limited. Warwickshire, UK. October 2004. ISBN 0 9524156.


-- 
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC

Work: 412-268-7608
FAX: 412-268-6989
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php