CERT Secure Coding Standards Robert C. Seacord

© 2006 Carnegie Mellon University Problem Statement

5,990 6,000 Reacting to vulnerabilities in existing systems is not 5,000 working

4,129 4,000 Total vulnerabilities reported 3,784 3,780 (1995-2Q,2005): 19,600

3,000

2,437

2,000

1,090 1,000

417 311 262

0 1997 1998 1999 2000 2001 2002 2003 2004 2005 © 2006 Carnegie Mellon University 2 Recent Trends Are No Different

2000

1750

1500

1250

1000

750

500

250

0 FY 2004 FY 2004 FY 2004 FY 2005 FY 2005 FY 2005 FY 2005 FY 2006 FY 2006 FY 2006 Q3 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3TD

© 2006 Carnegie Mellon University 3 Secure Coding Initiative

Work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. ƒ Reduce the number of vulnerabilities to a level where they can be handled by computer security incident response teams (CSIRTs) ƒ Decrease remediation costs by eliminating vulnerabilities before software is deployed

© 2006 Carnegie Mellon University 4 Overall Thrusts

Advance the state of the practice in secure coding Identify common programming errors that lead to software vulnerabilities Establish standard secure coding practices Educate software developers

© 2006 Carnegie Mellon University 5 CERT Secure Coding Standards

Identify coding practices that can be used to improve the security of software systems under development Coding practices are classified as either rules or recommendations ƒ Rules need to be followed to claim compliance. ƒ Recommendations are guidelines or suggestions. Development of Secure Coding Standards is a community effort

© 2006 Carnegie Mellon University 6 Rules

Coding practices are defined as rules when ƒ Violation of the coding practice will result in a security flaw that may result in an exploitable vulnerability. ƒ There is an enumerable set of exceptional conditions (or no such conditions) where violating the coding practice is necessary to ensure the correct behavior for the program. ƒ Conformance to the coding practice can be verified.

© 2006 Carnegie Mellon University 7 Recommendations

Coding practices are defined as recommendations when ƒ Application of the coding practice is likely to improve system security. ƒ One or more of the requirements necessary for a coding practice to be considered a rule cannot be met.

© 2006 Carnegie Mellon University 8 Community Development Process

Rules are solicited from the community

Published as candidate rules and recommendations on the CERT Wiki accessible from: www.cert.org/secure-coding

Threaded discussions used for public vetting

Candidate coding practices are moved into a secure coding standard when consensus is reached

© 2006 Carnegie Mellon University 9 Scope

The secure coding standards proposed by CERT are based on documented standard language versions as defined by official or de facto standards organizations. Secure coding standards are under development for: ƒ C programming language (ISO/IEC 9899:1999) ƒ C++ programming language (ISO/IEC 14882-2003 ) Applicable technical corrigenda and documented language extensions such as the ISO/IEC TR 24731 extensions to the C library are also included.

© 2006 Carnegie Mellon University 10 Potential Applications

Establish secure coding practices within an organization ƒ may be extended with organization-specific rules ƒ cannot replace or remove existing rules Train software professionals Certify programmers in secure coding Establish base-line requirements for software analysis tools Certify software systems

© 2006 Carnegie Mellon University 11 System Qualities

Security is one of many system qualities that must be considered in the selection and application of a coding standard. System qualities with significant overlap ƒ Safety ƒ Reliability ƒ Availability System qualities that influence security ƒ Maintainability ƒ Understandability System qualities that make security harder ƒ Portability System qualities that may conflict with security ƒ Performance ƒ Usability

© 2006 Carnegie Mellon University 12 Implementation & Demo

Externally accessible system hosted on the CERT web site Software ƒ Atlassian's confluence wiki with unlimited named users Hardware ƒ One Dell PowerEdge 2850 ƒ Two Intel Xeon Processors at 3.0GHz/2MB Cache, 800MHz FSB ƒ Memory 2GB DDR2 400MHz (2X1GB ƒ Primary Controller Embedded RAID (ROMB) ƒ Three 73GB 10K RPM Ultra 320 SCSI Hard Drives

© 2006 Carnegie Mellon University 13 Demo

© 2006 Carnegie Mellon University 14 Future Directions

Provide similar products for other languages ƒ C++/CLI ƒ C# ƒ Java ƒ Ada ƒ Etc. Produce language independent guidance cross-referenced with specific examples from target languages

© 2006 Carnegie Mellon University 15 Questions

© 2006 Carnegie Mellon University 16 For More Information

Visit the CERT® web site http://www.cert.org/secure-coding/ Contact Presenter Robert C. Seacord [email protected] Contact CERT Coordination Center Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh PA 15213-3890

Hotline: 412-268-7090 CERT/CC personnel answer 8:00 a.m.–5:00 p.m. and are on call for emergencies during other hours.

Fax: 412-268-6989

E-mail: [email protected]

© 2006 Carnegie Mellon University 17