Dailydave mailing list archives
Re: Robert Seacord on the CERT C Secure Coding Standard
From: Robert Seacord <rcs () cert org>
Date: Wed, 17 Dec 2008 10:09:39 -0500
Marius,

You can also look at www.securecoding.cert.org. This is a wiki where we (CERT and the community) are developing secure coding standards for C, C++, and Java. We also have a project on secure design patterns, which is not public yet but will hopefully be made public early next year. Anyone can create an account and comment on any of the publicly available coding standards.

As I mentioned in the article, we are also working on a security annex for the next revision of the C standard. I would love to see more involvement from the security community in the evolution of the C programming language. In particular, I am planning to circulate a draft proposal for this annex in January.

Thanks,
rCs

-----Original Message-----
From: wishi [mailto:brouce () gmx net]
Sent: Wednesday, December 17, 2008 9:22 AM
To: Robert Seacord
Subject: Re: [Dailydave] Robert Seacord on the CERT C Secure Coding Standard

Robert Seacord wrote:
> informIT published an interview with me written by David Chisnall:
> http://www.informit.com/articles/article.aspx?p=1315064
> David asked some interesting questions about security and the future of the C programming language.
> rCs

Interesting article. I recently searched for detailed information regarding secure programming in C. I found (http://www.cert.org/secure-coding/), which focuses on white papers or books by Gary McGraw and Robert Seacord.

I personally think that secure coding, especially in C, is essential and extremely important, because ~60% of all exploits I see are buffer overruns. Which is a problem that's not solving itself.

Does anyone know where to find more information on how to write secure code and how to develop "bulletproof program concepts"? I never found anything focusing on this aspect on a pure technical level. Many courses and lots of material teach exploiting techniques. Most often this isn't very constructive, because the answer to these exploitations isn't better code. Firewalls, i.e., are a network-based answer to a pure software-based problem ;).

Thanks,
Marius
