SEI CERT C Coding Standard
The C rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.
Comments and Contributing
We provide access to the community members to contribute after subject matter expertise is verified.
For questions and comments about these standards, open a GitHub issue. For anything else, please submit feedback.
Front Matter
Rules
- Rule 01. Preprocessor (PRE)
- Rule 02. Declarations and Initialization (DCL)
- Rule 03. Expressions (EXP)
- Rule 04. Integers (INT)
- Rule 05. Floating Point (FLP)
- Rule 06. Arrays (ARR)
- Rule 07. Characters and Strings (STR)
- Rule 08. Memory Management (MEM)
- Rule 09. Input Output (FIO)
- Rule 10. Environment (ENV)
- Rule 11. Signals (SIG)
- Rule 12. Error Handling (ERR)
- Rule 13. Application Programming Interfaces (API)
- Rule 14. Concurrency (CON)
- Rule 48. Miscellaneous (MSC)
- Rule 50. POSIX (POS)
- Rule 51. Microsoft Windows (WIN)
Recommendations
- Rec. 01. Preprocessor (PRE)
- Rec. 02. Declarations and Initialization (DCL)
- Rec. 03. Expressions (EXP)
- Rec. 04. Integers (INT)
- Rec. 05. Floating Point (FLP)
- Rec. 06. Arrays (ARR)
- Rec. 07. Characters and Strings (STR)
- Rec. 08. Memory Management (MEM)
- Rec. 09. Input Output (FIO)
- Rec. 10. Environment (ENV)
- Rec. 11. Signals (SIG)
- Rec. 12. Error Handling (ERR)
- Rec. 13. Application Programming Interfaces (API)
- Rec. 14. Concurrency (CON)
- Rec. 48. Miscellaneous (MSC)
- Rec. 50. POSIX (POS)
- Rec. 51. Microsoft Windows (WIN)
Back Matter
- AA. Bibliography
- BB. Definitions
- CC. Undefined Behavior
- DD. Unspecified Behavior
- EE. Analyzers
- FF. Related Guidelines
- GG. Risk Assessments
CERT Manifest Files
As of 9/28/2018, the CERT manifest files are now available for use by static analysis tool developers to test their coverage of (some of the) CERT Secure Coding Rules for C, using many of 61,387 test cases in the Juliet test suite v1.2.
Secure C Coding Books and Downloads
SEI CERT C Coding Standard The CERT C Coding Standard, 2016 Edition provides rules to help programmers ensure that their code complies with the new C11 standard and earlier standards, including C99. It is downloadable as a PDF. ( errata )
Secure Coding in C and C++ identifies the root causes of today's most widespread software vulnerabilities, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives.
Rules vs. Recomendations
This coding standard consists of rules and recommendations , collectively referred to as guidelines . Rules are meant to provide normative requirements for code, whereas recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. Learn more about the differences.
Source Code Analysis Laboratory (SCALe)
SCALe offers conformance testing of C language software systems against the CERT C Secure Coding Standard.
Contact Us
Contact us if you
- have questions about the Secure Coding wiki
- have recommendations for standards in development
- want to request privileges to participate in standards development
Thank You!
We acknowledge the contributions of the following folks, and we look forward to seeing your name here as well.
Attachments:
button_arrow_left.png (image/png) button_arrow_right.png (image/png) button_arrow_up.png (image/png) Secure_coding.png (image/png) cert-c-coding-standard.png (image/png) SEI CERT C Coding Standard 2016 cover.png (image/png)