Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools

Abstract

This report describes the results of a study to evaluate the effectiveness of secure coding practices, including the use of static analysis tools coupled with secure coding rule sets such as the CERT C Programming Language Secure Coding Standard (CERT 07a) and the CERT C++ Programming Language Secure Coding Standard (CERT 07b). This study represents a joint effort between the CERT Secure Coding Initiative and JPCERT/CC. The CERT Secure Coding Initiative was established to work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. The goal of this effort is to reduce the number of vulnerabilities to a level where they can be handled by existing vulnerability analysis teams around the world and decrease remediation costs by eliminating vulnerabilities before software is deployed. JPCERT/CC is the first CSIRT (computer security incident response team) established in Japan. The objectives of the study were to evaluate the efficacy of the CERT Secure Coding Standards and source code analysis tools in improving the quality and security of commercial software projects. Two static analysis tools, Fortify Source Code Analysis (SCA) from Fortify Software and Compass/ROSE from Lawrence Livermore National Laboratory were selected for their extensibility as well as overall effectiveness. Checkers were then developed for each of the tools to check code for violations of the CERT C and C++ Secure Coding Standards. The tools were then provided to Software Research Associates, Inc., Japan, which evaluated the extended versions of Fortify SCA and Compass/ROSE on two existing projects: an electronic toll collection (ETC) system-related GUI application written in C++ and an IP-TV Service Protocol Stack (IP-TV) written in the C programming language. The project successfully extended source code analysis tools to discover software defects in both projects evaluated.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2008
Accession Number
ADA482285

Entities

People

  • Chad Dougherty
  • Chris Taschner
  • Dan Saks
  • David Keaton
  • David Svoboda
  • Kazuya Togashi
  • Robert C. Seacord
  • Stephen Dewhurst
  • Yurie Ito

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • C Programming Language
  • Compilers
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Department Of Defense
  • Engineering
  • Graphical User Interface
  • Language
  • Operating Systems
  • Programming Languages
  • Side Effects
  • Software Development
  • Teamwork
  • Vulnerability
  • Web Browsers

Fields of Study

  • Computer science
  • Engineering

Readers

  • Cybersecurity.
  • Database Systems and Applications
  • Radio communications and signal processing.

Technology Areas

  • Cyber
  • Microelectronics