September 29, 2020

What Is CERT C? Overview of CERT Secure Coding

Security & Compliance
Static Analysis

By

CERT secure coding is essential, as an estimated 82% of software vulnerabilities are caused by coding errors. Secure coding standards — like CERT C— ensure that your software is protected against potential software security vulnerabilities. Here, we explain what is CERT and why CERT secure coding is important.

Read along or jump ahead to the section that interests you the most:

➡️ Secure code starts with Klocwork

What Is CERT Secure Coding / CERT C?

CERT is a secure coding standard that supports commonly used programming languages such as C, C++, and Java.

The standards are developed through a broad-based community effort by members of the software development and software security communities.

The rules and recommendations target insecure coding practices and undefined behaviors that lead to security risks.

The latest rules and recommendations are available on the secure coding standard's website and are also periodically published: C and C++ in 2016 and Java in 2011.

📕 Related Resource: Learn how to write secure code in C.

Why Is CERT C Secure Coding Important?

CERT secure coding is important because although C, C++, and Java are flexible, high-performance languages, they are still vulnerable to security risks. As these languages are extensively used in many applications, it is vital that code is reviewed at all stages of development.

The aim of the secure coding standard is to not only detect security risks with rules but also provide suggestions that can improve code quality with recommendations.

The scope of the secure coding standard is a whole program coding standard and the goal is to produce safe, reliable, and secure systems. 

By using the secure coding standard, you are able to ensure that your software is secure and safeguarded from potential vulnerabilities.

CERT C Risk Assessment

For each guideline included in the secure coding standard, there is a risk assessment to help determine the possible consequences of violating that specific rule or recommendation. There are three sections to the risk assessment: Severity, Likelihood, and Remediation Cost. Each section is assigned a value between 1 and 3, and based upon the results of the assessment, you are able to determine the priority of the violation. 

Severity — How serious are the consequences of the rule being ignored.

Value

Meaning

Examples of Vulnerability

1

Low

DoS Attack

2

Medium

Data Integrity Violation

3

High

Run Arbitrary Code

 

Likelihood — How likely is the coding flaw introduced by violating the rule can lead to an exploitable vulnerability?

Value

Meaning

1

Unlikely

2

Probable

3

Likely

 

Remediation Cost — How expensive will it be to comply with the rule.

Value

Meaning

Detection

Correction

1

High

Manual

Manual

2

Medium

Automatic

Manual

3

Low

Automatic

Automatic

Each of these three values— Severity, Likelihood, and Remediation Cost — are then multiplied together to determine priority, which is a measure of the risk, and therefore the level of the vulnerability. This can be used to prioritize the repair of violations.

 

Priorities and Levels

Level

Priorities

Possible Interpretation

L1

12, 18, 27

Severity: High Severity

Likelihood: Likely

Remediation Cost: Inexpensive to Repair

L2

6, 8, 9

Severity: Medium Severity

Likelihood: Probable

Remediation Cost: Medium Cost to Repair

L3

1, 2, 3, 4

Severity: Low Severity

Likelihood: Unlikely

Remediation Cost: Expensive to Repair

 

CERT C Secure Coding Compliance with Klocwork

The CERT C taxonomies for Klocwork improve the security of your code. You can use these modules to automatically find security vulnerabilities. In addition, you can create compliance reports.

How to Enforce CERT C Secure Coding with SAST

The best way to ensure that your code is secure is to use a SAST tool, like Klocwork.

SAST tools identify and eliminate security vulnerabilities and software defects early on in development. This helps to ensure that your software is secure, reliable, and compliant.

Klocwork helps you:

  • Identify and analyze security risks and prioritizes severity.
  • Fulfill compliance standard requirements.
  • Apply and enforce coding standards.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.
📕 Related Resource: SAST Tutorial

Use Klocwork to Ensure Software Security

See for yourself how Klocwork can help you enforce software security standards, register for a free trial.

➡️ register for a free Klocwork trial

Stuart Foster Headshot — 250x250

Stuart Foster

Klocwork and Helix QAC Product Manager, Perforce

Stuart Foster has over 10 years of experience in mobile and software development. He has managed product development of consumer apps and enterprise software. Currently, he manages Klocwork and Helix QAC, Perforce’s market-leading code quality management solutions. He believes in developing products, features, and functionality that fit customer business needs and helps developers produce secure, reliable, and defect-free code. Stuart holds a bachelor’s degree in information technology, interactive multimedia and design from Carleton University, and an advanced diploma in multimedia design from the Algonquin College of Applied Arts and Technology.