What Is CWE Security? What Is Cert Security? What Are Secure Coding Standards?
October 8, 2018

What Are Secure Coding Standards: CERT C and CWE

Security & Compliance
Static Analysis

Up to 90% of software security problems are caused by coding errors.

That’s why secure coding is more important than ever before. There are several secure coding practices you can adopt today. But to write truly secure code, you need a secure coding standard — including CERT and CWE.

Here, we explain what are secure coding standards — speecifically CERT security and CWE security — and how to enforce these security standards.

What Are Secure Coding Standards?

Secure coding standards are rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security. 

Why Are Secure Coding Standards Important?

Secure coding guidelines are important for every development team. And they're especially important for the C and C++ programming languages.

C and C++ are the preferred languages for embedded development — where safety and security is critical. That’s because they’re flexible, high-performance languages. But flexibility and performance come with a cost — risk.

So, embedded developers need to write secure code in C and C++.


Developing Embedded Systems? How to Improve Security >>


What Is The CWE Security Weakness List?

The Common Weakness Enumeration (CWE) list identifies software security weaknesses in C and C++. The CWE security list is compiled based on community feedback. It’s sponsored by the MITRE corporation.

The latest version of CWE — CWE 3.1 — was released in 2018.

The CWE security weakness list includes over 600 categories, such as:

  • Buffer overflows
  • Cross-site scripting
  • Insecure random numbers

So, you can use this list to identify potential weaknesses in your code. Using a static analyzer, such as Helix QAC, helps you identify CWE security weaknesses faster.

CWE Top 25

Published by MITRE, the CWE Top 25 is a compilation of the most widespread and critical weaknesses that could lead to severe software vulnerabilities. The most recent CWE Top 25 was published in 2019 and listed vulnerabilities that allowed hackers to gain control over an affected system, steal sensitive data and cause a denial-of-service condition.

CWE Compliance With Perforce Static Analyzers

Perforce's static analyzers — Helix QAC and Klocwork — can check your code against the CWE security list of weaknesses automatically, which includes the most recent CWE Top 25.

What's more, both Helix QAC and Klocwork can report on the results of code analysis in terms of CWE compliance. This includes compliance with CWE C and CWE C++ for both Helix QAC and Klocwork. While Klocwork can also be used in compliance with CWE C# and CWE Java.

In addition, both of Perforce's static analyzers report on the results of code analysis in terms of CWE compliance.

Learn More About Secure Coding Best Practices and How a SAST Tool can Help >>

What Is the CERT Security and Secure Coding Standards?

CERT is a secure coding standard. It’s developed by the CERT division of the Software Engineering Institute at Carnegie Mellon University. This secure coding standard is available for C and C++.

CERT targets insecure coding practices and undefined behaviors that lead to security risks. Using CERT security rules will help you identify security issues in existing code and prevent the introduction of new issues that pose a security risk.

You can apply CERT secure coding rules faster by using a static analyzer, such as Helix QAC or Klocwork.

CERT C Compliance With Perforce Static Analyzers

Perforce's static analyzers — Helix QAC and Klocwork — can check your code against CERT C and C++ coding standards. CERT security rules improve the safety and quality of your code. And, both of Perforce's static analyzers automatically checks your code against CERT’s secure coding rules.

This module supports the 2016 editions of CERT C and CERT C++ coding standards. 


There are overlaps between secure coding standards. For instance, the CERT C and C++ coding standards address many of the CWE security weaknesses.

There's also some security coverage in MISRA C.

MISRA C Security Rules

MISRA C:2012 includes two addenda focused on security. These map MISRA C’s rules against CERT C and ISO/IEC TS 17961:2013 “C Secure”. 


Compare MISRA C Security Rules >>


You can apply MISRA C security rules faster with Helix QAC.

MISRA Compliance With Helix QAC

The MISRA compliance modules for Helix QAC improve the security of your C and C++ code. You can use these modules to automatically find security vulnerabilities in your code. And you can create MISRA compliance reports using Helix QAC.

These modules support MISRA C:2012 and MISRA C++:2008 security rules.

How to Apply Secure Coding Standards?

The best way to ensure secure coding in C and C++ is to use a static code analyzer.

Static code analyzers enforce coding rules and flag security violations. Helix QAC comes with code security modules — CERT, MISRA, and CWE — to ensure secure software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Extensive example code.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

Use Perforce Static Analyzers for Secure Coding Standards

Klocwork is the most trusted static analyzer for C, C++, C#, and Java and it helps you to securely code. See the difference that Klocwork can make.

Enforce Secure Coding standards