Secure Coding Standards
October 8, 2018

Why Secure Coding Standards Are Important

Security & Compliance
Static Analysis

Up to 90 percent of software security problems are caused by coding errors.

That’s why secure coding is more important than ever before. And to write secure code, you need a coding standard.

Why Secure Coding in C and C++ Is Important

Secure coding is important for every development team. And it’s especially important for the C and C++ programming languages.

C and C++ are the preferred languages for embedded development — where safety and security is critical. That’s because they’re flexible, high-performance languages. But flexibility and performance come with a cost — risk.

So, embedded developers need to write secure code in C and C++.

[RELATED BLOG: WHAT IS SECURE CODING?]

What Is CWE? Intro to CWE Security

The Common Weakness Enumeration (CWE) is a list of software security weaknesses in C and C++. The CWE list is compiled based on community feedback. It’s sponsored by the MITRE corporation.

The latest version of CWE — CWE 3.1 — was released in 2018.

The CWE security weakness list includes over 600 categories, such as:

  • Buffer overflows
  • Cross-site scripting
  • Insecure random numbers

You can use this list to identify potential weaknesses in your code.

CERT Security & Secure Coding Rules

CERT is a secure coding standard. It’s developed by the CERT division of the Software Engineering Institute at Carnegie Mellon University. This secure coding standard is available for C and C++.

CERT targets insecure coding practices and undefined behaviors that lead to security risks. Using CERT security rules will help you identify security issues in existing code and prevent the introduction of new issues that pose a security risk.

The CERT C and C++ coding standards address many of the CWE weaknesses.

[RELATED WHITE PAPER: HOW TO IMPROVE EMBEDDED SYSTEMS SECURITY]

MISRA Security Rules

MISRA C also provides rules to ensure secure coding.

MISRA C:2012 includes two addenda focused on security. These map MISRA C’s rules against CERT C and ISO/IEC TS 17961:2013 “C Secure”.

[RELATED WHITE PAPER: HOW TO WRITE SECURE CODE IN C]

How to Apply Secure Coding Standards

The best way to ensure secure coding in C and C++ is to use a static code analyzer.

Static code analyzers enforce coding rules and flag security violations. Helix QAC comes with code security modules — CERT, MISRA, and CWE — to ensure secure software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Extensive example code.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

CERT Compliance With Helix QAC

The CERT compliance modules for Helix QAC identify security violations in C and C++ code. CERT security rules improve the safety and quality of your code. And Helix QAC automatically checks your code against CERT’s secure coding rules.

This module supports the 2016 editions of CERT C and CERT C++ coding standards. 

MISRA Compliance Modules

The MISRA compliance modules for Helix QAC improve the security of your C and C++ code. You can use these modules to automatically find security vulnerabilities in your code. And you can create MISRA compliance reports using Helix QAC.

These modules support MISRA C:2012 and MISRA C++:2008 security rules.

CWE Compatibility with Helix QAC

The CWE compatibility modules for Helix QAC identify weaknesses in your C and C++ code. You can use these modules to improve the overall security of your codebase. Plus, Helix QAC reports on the results of code analysis in terms of CWE compliance.

Try Helix QAC for Secure Coding in C and C++

See for yourself how Helix QAC helps you securely code in C and C++.

Ensure Secure Code With Helix QAC