Secure Coding Standards
October 8, 2018

CWE List & CERT Secure Coding Standards — An Overview

Security & Compliance
Static Analysis

Up to 90% of software security problems are caused by coding errors.

That’s why secure coding is more important than ever before. There are several secure coding practices you can adopt today. But to write truly secure code, you need a coding standard.

What Are Secure Coding Standards?

Secure coding standards are rules and guidelines used to prevent security vulnerabilities. Used effectively, secure coding standards prevent, detect, and eliminate errors that could compromise software security. 

Why Secure Coding Guidelines Are Important

Secure coding guidelines are important for every development team. And they're especially important for the C and C++ programming languages.

C and C++ are the preferred languages for embedded development — where safety and security is critical. That’s because they’re flexible, high-performance languages. But flexibility and performance come with a cost — risk.

So, embedded developers need to write secure code in C and C++.

 

Developing Embedded Systems? How to Improve Security >>

 

CWE Security Weakness List

The Common Weakness Enumeration (CWE) list identifies software security weaknesses in C and C++. The CWE list is compiled based on community feedback. It’s sponsored by the MITRE corporation.

The latest version of CWE — CWE 3.1 — was released in 2018.

The CWE security weakness list includes over 600 categories, such as:

  • Buffer overflows
  • Cross-site scripting
  • Insecure random numbers

So, you can use this list to identify potential weaknesses in your code. Using a static analyzer, such as Helix QAC, helps you identify CWE security weaknesses faster.

CWE Top 25

Published by MITRE, the CWE Top 25 is a compliation of the most widespread and critical weaknesses that could lead to severe software vulnerabilities. The most recent CWE Top 25 was published in 2019 and listed vulnerabilities that allowed hackers to gain control over an affected system, steal sensitive data, and cause a denial-of-service condition.

CWE Compliance With Perforce Static Analyzers

Perforce's static analyzers — Helix QAC and Klocwork — can check your code against the CWE list of security weaknesses automatically, which includes the most recent CWE Top 25.

What's more, both Helix QAC and Klocwork can report on the results of code analysis in terms of CWE compliance. This includes compliance with CWE C and CWE C++ for both Helix QAC and Klocwork. While Klocwork can also be used in compliance with CWE C# and CWE Java.

In addition, both of Perforce's static analyzers report on the results of code analysis in terms of CWE compliance.

CERT Security & Secure Coding Rules

CERT is a secure coding standard. It’s developed by the CERT division of the Software Engineering Institute at Carnegie Mellon University. This secure coding standard is available for C and C++.

CERT targets insecure coding practices and undefined behaviors that lead to security risks. Using CERT security rules will help you identify security issues in existing code and prevent the introduction of new issues that pose a security risk.

You can apply CERT secure coding rules faster by using a static analyzer, such as Helix QAC.

CERT Compliance With Perforce Static Analyzers

Perforce's static analyzers — Helix QAC and Klocwork — can check your code against CERT C and C++ coding standards. CERT security rules improve the safety and quality of your code. And, both of Perforce's static analyzers automatically checks your code against CERT’s secure coding rules.

This module supports the 2016 editions of CERT C and CERT C++ coding standards. 

CWE vs. CERT vs. MISRA

There are overlaps between secure coding standards. For instance, the CERT C and C++ coding standards address many of the CWE weaknesses.

There's also some security coverage in MISRA C.

MISRA C Security Rules

MISRA C:2012 includes two addenda focused on security. These map MISRA C’s rules against CERT C and ISO/IEC TS 17961:2013 “C Secure”. 

 

Compare MISRA C Security Rules >>

 

You can apply MISRA C security rules faster with Helix QAC.

MISRA Compliance With Helix QAC

The MISRA compliance modules for Helix QAC improve the security of your C and C++ code. You can use these modules to automatically find security vulnerabilities in your code. And you can create MISRA compliance reports using Helix QAC.

These modules support MISRA C:2012 and MISRA C++:2008 security rules.

How to Apply Secure Coding Standards

The best way to ensure secure coding in C and C++ is to use a static code analyzer.

Static code analyzers enforce coding rules and flag security violations. Helix QAC comes with code security modules — CERT, MISRA, and CWE — to ensure secure software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Extensive example code.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

Try Helix QAC for Secure Coding in C and C++

See for yourself how Helix QAC helps you securely code in C and C++.

Ensure Secure Code With Helix QAC