SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 14

changes.mady.by.user Robert Schiela

Saved on

compared with

New Version Current

changes.mady.by.user Robert Schiela

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated DISA STIG V4 to R8.

...

DoD acquisition programs are specifying the Application Security and Development Security Technical Implementation Guide (STIG) in requests for proposal (RFPs). Below is information for the last two versions of the Application Security and Development STIG, Version 4, Release 1 and 8 and Version 3, Release 10.

Application Security and Development STIG, Version 4, Release

...

8 [DISA

...

2018]

Section 2.1 of the Application Security and Development STIG Overview, "Security Assessment Information", requires that "...coding standards, application vulnerability scan reports, and automated code review results are all part of the suite of system documentation that is expected to be available for review when conducting a security assessment of an application."

The proper application of this CERT Secure Coding standard would enable a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 4, Release 18:

  • (APSC-DV-001995: CAT II) The application must not be vulnerable to race conditions.
  • (APSC-DV-002000: CAT II) The application must terminate all network connections associated with a communications session at the end of the session.
  • (APSC-DV-002510: CAT I) The application must protect from command injection.
  • (APSC-DV-002520: CAT II) The application must protect from canonical representation vulnerabilities.
  • (APSC-DV-002530: CAT II) The application must validate all input.
  • (APSC-DV-002560: CAT I) The application must not be subject to input handling vulnerabilities.
  • (APSC-DV-002590: CAT I) The application must not be vulnerable to overflow attacks.
  • (APSC-DV-003215: CAT III) The application development team must follow a set of coding standards.
  • (APSC-DV-003235: CAT II) The application must not be subject to error handling vulnerabilities.

...

  • (APP2120.3: CAT II) The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis.
  • (APP2120.4: CAT II) The Program Manager will ensure testers are provided training on an annual basis.
  • (APP2060.3: CAT II) The Designer will follow the established coding standards established for the project.
  • (APP2060.4: CAT II) The Designer will not use unsafe functions documented in the project coding standards.
  • (APP5010: CAT III) The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.

...