Featured Webinar: AI-Enhanced API Testing: A No-Code Approach to Testing | Watch Now
SEI/CERT
Parasoft provides comprehensive support for CERT C and CERT C++ secure coding standards with complete coverage of all the CERT C/C++ guidelines including both rules and recommendations that are detectable by static analysis. Checker names, dashboards, and reports use the CERT naming convention to make conformance and auditing easier. A CERT conformance dashboard, which includes the CERT risk score, helps developers focus on the most critical violations.
The Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) has a set of guidelines to help developers create safer, more secure, and more reliable software. Started in 2006 at a meeting of the C Standard Committee, the first CERT C standard was published in 2008, and is constantly developing and evolving.
There’s a book form version published in 2016, but it doesn’t include the latest updates. This standard doesn’t have specific frozen releases like CWE Top 25 and OWASP Top 10. The standard arose from a large community of over 3,000 people with a focus on engineering and prevention. So the CERT secure coding standards focus on prevention of the root causes of security vulnerabilities rather than treating or managing the symptoms by searching for vulnerabilities.
The CERT coding guidelines are available for C, C++, Java, Perl, and Android. They fall into two main categories: rules and recommendations.
Rules are guidelines that are detectable by static analysis tools and require strict enforcement, while recommendations are guidelines that have a lower impact and are sometimes difficult to analyze automatically.
CERT includes a risk assessment system that combines the likelihood of occurrence, severity, and relative difficulty of mitigation. This helps developers prioritize which guideline violations are the most important to investigate. The inclusion of mitigation efforts to the guideline priority is an important addition to the CERT secure coding standards, which many other standards lack.
The CERT bullseye diagram reflects the cost factor. The center bullseye represents the highest severity guidelines, which are more difficult to fix. The benefit of this prioritization is focusing on the most critical violations that provide the biggest bang for the buck in security improvement while helping the development team filter out less important warnings.
SEI CERT C/C++ Conformance
According to the SEI CERT C documentation, conformance “requires that the code not contain any violations of the rules specified in this standard. If an exceptional condition is claimed, the exception must correspond to a predefined exceptional condition, and the application of this exception must be documented in the source code.”
Although conformance is less specific than standards such as MISRA, the principles remain similar. Rules should be followed and deviations are rare and well documentation. Recommendations should be used when possible and those that aren’t needed to be documented.
Violations that persist in the source code need to be documented. However, no deviation is acceptable for performance or usability and the onus is on the developer to demonstrate that the deviation will not lead to a vulnerability.
Parasoft C/C++test provides a comprehensive CERT compliance dashboard and reports. Individual compliance reports are available on demand based on the latest build of the software or any previous build.
These reports can be sorted and navigated to investigate violations in more detail. Also, a conformance test plan is available to correlate the CERT guideline with the appropriate Parasoft static analysis checker and is an important tool if conformance documentation is needed for audit purposes. In addition, all the interesting reports as specified by the team are available in a single PDF available for download for auditors.
Support for CERT C/C++ in Parasoft C/C++test
Parasoft provides comprehensive support for CERT C and CERT C++ secure coding standards with complete coverage of all the CERT C/C++ guidelines including both rules and recommendations that are detectable by static analysis. Checker names, dashboards, and reports use the CERT naming convention to make conformance and auditing easier. A CERT conformance dashboard, which includes the CERT risk score, helps developers focus on the most critical violations.
Elevate your software testing with Parasoft solutions.
Explore the Chapters
- Introduction »
- 1. Overview »
- 2. Static Analysis »
- 3. MISRA »
- 4. AUTOSAR C++ 14 »
- 5. SEI/CERT »
- 6. CWE »
- 7. Unit Testing »
- 8. Regression Testing »
- 9. Software Integration Testing »
- 10. Software System Testing »
- 11. Structural Code Coverage »
- 12. Requirements Traceability Matrix »
- 13. Tool Qualification »
- 14. Reporting & Analytics »