How To Write Secure
Introduction
Software security is a top concern today. You can’t risk any security vulnerabilities —
particularly if you’re developing software for embedded systems. And that means
your code needs to be secure and free of coding errors.
To ensure secure software, you need to start at the source — the code level. Otherwise, coding errors will compromise your program.

    buff[10] = 'a';

This is bad enough. And it can get worse. A buffer overflow can allow a hacker to take control of a system.
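The store above, buff[10] = 'a', is the paper's buffer-overflow fragment: the declaration is not on the page, but the paper treats the store as landing past the end of a 10-element buffer, whose valid indices are 0 to 9. The following is an added example, not code from the Perforce paper. It shows the two checks a reviewer would expect at this spot: an index-checked store that refuses the one-past-the-end write, and a length-bounded copy of untrusted input that truncates and reports instead of running past the buffer. BUFF_LEN, buff_put and copy_input are names chosen for this example; the inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_LEN 10   /* assumed size of the paper's buff[]; valid indices 0..9 */

/* Checked element store. Returns 0 on success and -1 if idx is outside the
 * buffer, so buff[10] on a 10-element buffer is refused rather than written. */
int buff_put(char *buff, size_t len, size_t idx, char c)
{
    if (idx >= len) {
        return -1;
    }
    buff[idx] = c;
    return 0;
}

/* Bounded copy of untrusted input into a fixed buffer. Copies at most
 * len - 1 bytes and always NUL-terminates. Returns 0 if the whole input
 * fit and -1 if it was truncated, so the caller can treat over-long input
 * as an error. An unbounded strcpy() here would keep writing past the end
 * of buff into whatever follows it on the stack. */
int copy_input(char *buff, size_t len, const char *input)
{
    size_t n = strlen(input);
    if (len == 0) {
        return -1;
    }
    if (n >= len) {
        memcpy(buff, input, len - 1);
        buff[len - 1] = '\0';
        return -1;
    }
    memcpy(buff, input, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

int main(void)
{
    char buff[BUFF_LEN] = {0};

    /* constructed inputs: index 9 fits, index 10 is one past the end */
    printf("put idx 9:  %d\n", buff_put(buff, BUFF_LEN, 9, 'a'));
    printf("put idx 10: %d\n", buff_put(buff, BUFF_LEN, 10, 'a'));

    /* constructed inputs: one fits, one is deliberately too long */
    printf("copy short: %d -> \"%s\"\n", copy_input(buff, BUFF_LEN, "hello"), buff);
    printf("copy long:  %d -> \"%s\"\n",
           copy_input(buff, BUFF_LEN, "this is far too long"), buff);
    return 0;
}
```

Both helpers take the buffer length as a parameter instead of trusting the caller's index or the input's length; that is the property a static analyzer checks for when it flags an out-of-range subscript.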
…cious code. This overflows the input buffer and overwrites the return address on the stack with the address of the malicious code.

PREVENTING SECURITY VULNERABILITIES IS CRITICAL

Preventing security vulnerabilities — such as buffer overflow — is critical. And this can be done by making sure the code itself is written without exploitable gaps.

After all, putting stronger locks on your front door is no use if the windows are left open. So, to improve security, you'll need to ensure secure code.

4 Ways to Ensure Secure Code in C

Writing secure code is important. And when it comes to C programming, there are four key sources of information to help you ensure secure code.

1. CWE

You can identify security weaknesses from the Common Weakness Enumeration (CWE).

What Is CWE?

CWE is a community-developed list of common software security weaknesses in C. It's maintained by the MITRE Corporation. This list can be used as a baseline for weakness identification, mitigation, and prevention.

CWE's List of Software Security Weaknesses

The CWE list prioritizes weaknesses. The top 25 entries are prioritized using input from more than two dozen different organizations. They evaluate each weakness based on frequency and importance. Many of the weaknesses (in C programs) listed in CWE relate to buffer overflow.

The top 25 list also adds a small set of the most effective ‘Monster Mitigations’. This helps developers reduce or eliminate entire groups of the top 25 weaknesses. It also helps with many of the other 800 weaknesses that are documented in the CWE list.

CWE focuses on stopping vulnerabilities at the source. This is done by educating designers, programmers, and testers on how to eliminate common mistakes — before software is even shipped.

2. CERT C

You can apply the CERT C coding standard to your code.

What Is CERT C?

The CERT C coding standard is published by the CERT Division at the Software Engineering Institute (SEI). SEI is a research and development center operated by Carnegie Mellon University. It's primarily funded by the U.S. Department of Defense and the Department of Homeland Security.

CERT C Security Rules

Secure coding experts continually develop the CERT C guidelines on a wiki.

Each guideline consists of:

• A title
• A description
• An example of non-compliant code
• Examples of compliant solutions

The guidelines cover coding and implementation errors, as well as low-level design errors. The aim …
Here's an example of a MISRA C security rule:

MISRA C Rule 18.1

“A pointer resulting from arithmetic on a pointer operand shall address an element of the same array as that pointer operand.”

This rule does the same thing as the following CERT C rule.

Following either the MISRA C rule or the CERT rule will ensure secure code — and avoid common weaknesses in CWE. This is because writing to an out-of-range pointer (or pointer operand) could result in a buffer overflow — and vulnerable code. Reading from an out-of-range pointer (or pointer operand) could accidentally reveal information to hackers.

So, by ensuring these rules are followed, you'll avoid serious coding errors. You can enforce MISRA and CERT rules by using a static code analyzer, such as Helix QAC.
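As an added example (not code from the paper, from MISRA or from CERT), the following shows what Rule 18.1 looks like in practice on the read side the paper warns about: a search that only ever forms pointers inside the array it started from, and a read at a caller-supplied offset that is checked before the pointer is formed, so an out-of-range read cannot disclose whatever sits after the array. The byte_view type, the function names and the sample bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the paper. A view carries the array base together
 * with its element count, so every pointer formed by arithmetic on base can
 * be kept within the same array (MISRA C:2012 Rule 18.1). */
typedef struct {
    const uint8_t *base;   /* first element of the array */
    size_t len;            /* number of elements in the array */
} byte_view;

/* Constructed sample input used by main() and the tests. */
static const uint8_t sample_data[] = { 0x10, 0x20, 0x30, 0x40 };

byte_view sample_view(void)
{
    byte_view v = { sample_data, sizeof sample_data };
    return v;
}

/* Rule 18.1 compliant search: p ranges over base .. base + len. The
 * one-past-the-end pointer is formed only for the comparison and is never
 * dereferenced, which C permits. Returns the index of the first match, or -1. */
long find_byte(byte_view v, uint8_t wanted)
{
    const uint8_t *end = v.base + v.len;
    for (const uint8_t *p = v.base; p < end; p++) {
        if (*p == wanted) {
            return (long)(p - v.base);
        }
    }
    return -1;
}

/* Read at a caller-supplied offset. The range check happens before the
 * pointer v.base + offset is formed: forming it with offset beyond the array
 * already breaks Rule 18.1, and dereferencing it would return bytes that
 * follow the array, the accidental disclosure the paper describes.
 * Returns 0 and stores the byte on success, -1 (and stores nothing) if refused. */
int read_at(byte_view v, size_t offset, uint8_t *out)
{
    if (offset >= v.len) {
        return -1;
    }
    *out = *(v.base + offset);
    return 0;
}

int main(void)
{
    byte_view v = sample_view();
    uint8_t b = 0;

    printf("index of 0x30: %ld\n", find_byte(v, 0x30));
    printf("index of 0x99: %ld\n", find_byte(v, 0x99));
    printf("read_at(3): %d, byte 0x%02x\n", read_at(v, 3, &b), b);
    printf("read_at(4): %d (one past the end, refused)\n", read_at(v, 4, &b));
    return 0;
}
```

Passing the length alongside the base pointer is what makes the check possible at all; a function that receives only a bare pointer has no way to tell whether base + offset still addresses the same array, which is exactly the situation a Rule 18.1 diagnostic from a static analyzer points at.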
Comparing MISRA C and C Secure

MISRA C:2012 – Addendum 2 shows how each MISRA rule maps to the C Secure rules in ISO/IEC TS 17961:2013.

Every rule in C Secure is covered by a rule or directive in MISRA C. And any static code analyzer (such as Helix QAC) that fully supports MISRA C will also comply with the C Secure standard. So, you can use the standards interchangeably for security.

Comparing MISRA C and CERT C

MISRA C:2012 – Addendum 3 shows how each rule maps to the CERT C rules.

CERT C is designed for C11. MISRA C:2012 was designed for C99.

There are 15 C11-specific rules in CERT C that are out of scope for MISRA C:2012. Of the CERT C rules (within the scope of MISRA C:2012), there are only four that aren't covered. So, MISRA C covers a large share of security rules from CERT C.

Write Secure Code With Helix QAC

You can enforce MISRA rules (in C or C++) automatically with Helix QAC. This significantly reduces the amount of time you need to spend performing manual code inspections. So, you'll free up development resources and deliver your program on time — while improving the quality of your software.

See how Helix QAC applies MISRA rules by visiting perforce.com/helix-qac-demo.
About Perforce
Perforce is a leading provider of enterprise scale software solutions to technology developers and development operations (“DevOps”) teams requiring productivity, visibility, and scale during all phases of the development lifecycle. Enterprises across the globe rely on its agile planning and ALM tools, developer collaboration, static code analysis, version control and repository management solutions as the foundation for successful DevOps at scale. Perforce is trusted by the world’s most innovative brands, including NVIDIA, Pixar, Scania, Ubisoft, and VMware. Perforce has offices in Minneapolis, MN, Alameda, CA, Mason, OH, Boston, MA, the United Kingdom, Finland, Sweden, Germany, India, and Australia, and sales partners around the globe. For more information, please visit www.perforce.com