What is ISO/IEC TS 17961
January 18, 2020

What Is ISO/IEC TS 17961 (Secure C)?

Static Analysis
Security & Compliance

Here, we provide an overview of ISO/IEC TS 17961 (Secure C) and provided guidance on how to best comply with the secure coding standard.

Read along or jump ahead to the section that interests you the most:

➡️ achieve iso 17961 compliance with Klocwork

Back to top

What Is ISO 17961 (Secure C)?

ISO 17961 is a secure coding standard for C. The full name of the standard is ISO/IEC TS 17961.

It was designed specifically to be enforced by static code analyzers. ISO/IEC TS 17961 helps to ensure fewer false positives are identified when a static code analyzer is used.

Back to top

ISO/IEC TS 17961 (Secure C) Overview

Before ISO/IEC TS 17961, the use of static analysis to help ensure that code was secure was done in an improvised, as-needed manner. Unfortunately, this resulted in non-uniform coverage of significant security issues. 

For that reason, ISO/IEC TS 17961 was developed in order to specify secure coding rules. In addition, the standard requires that static code analyzers identify secure code rule violations in the same manner.

The standard is a combination of two previous ISO publications:

  • ISO/IEC TS 17961:2013: This standard is a collection of rules for secure coding in the C programming language as well as provides code examples. The noncompliant code examples that demonstrate language constructs that have weaknesses with potentially exploitable security implications. And, compliant examples that are expected not to elicit a diagnostic. 
     
  • ISO/IEC TS 17961:2013/COR 1:2016: This is an update to the previous secure coding standard that includes a new rule for memory allocation.  
Back to top

Why ISO/IEC TS 17961 (Secure C) Is Important

ISO/IEC TS 17961 is important to ensure that safety-critical code written in C is safe, reliable, and secure.

In addition, the standard enforces a baseline set of requirements. This reduces the number of false positives identified by a static code analyzer.

Back to top

How ISO/IEC TS 17961 (Secure C) Works With MISRA

While ISO/IEC TS 17961 provides developers with secure coding standards for C, it's not the only one. MISRA provides coding standards for developing safety-critical systems. And, MISRA C is the most widely used set of coding guidelines for C around the world.

While originally designed for functional safety, MISRA C also covers security. Included as a part of the third edition of MISRA C, Addendum 2 strengthens code security by illustrating how each MISRA rule maps to the C Secure rules in ISO/IEC TS 17961. This means, if your code is compliant with MISRA C:2012, it is also compliant with ISO/IEC TS 17961.  

Back to top

How to Achieve ISO/IEC TS 17961 (Secure C) Compliance

Complying ISO/IEC TS 17961 can be a challenge unless you have the right software development tools. 

Static analyzers —like Klocwork — will help you to meet development guidelines for the production of safe, secure, and reliable software.

Klocwork is certified for developing functional safety software by TÜV-SÜD. And, its compliance taxonomies — including MISRA, AUTOSAR, and CERT — helps developers to identify and address defects sooner.

Using a static code analyzer makes compliance easier by:

  • Enforcing coding standards and identifying rule violations.
  • Accelerating code reviews and manual testing efforts.
  • Reporting on compliance over time and across product versions.

See how Klocwork will help you accelerate compliance, register for a free trial.

➡️ Klocwork free trial

 

Related Content:

Back to top