NCC Group expert leads development of new secure coding guidelines for C
The Technical Corrigendum for TS 17961, C Secure Coding Rule (ISO/IEC TS 17961:2013/Cor 1:2016) has been published on August 15, 2016. NCC Group Principal Security Consultant and C Standards Committee representative Robert C. Seacord served as project editor during the development of the Technical Specification and Technical Corrigendum.
ISO/IEC TS 17961 establishes a baseline set of requirements for analysers, including static analysis tools and C language compilers, to be applied by vendors that wish to diagnose insecure code beyond the requirements of the language standard. All rules are meant to be enforceable by static analysis. The criterion for selecting these rules is that analysers that implement these rules must be able to effectively discover secure coding errors without generating excessive false positives.
Prior to this work, source code security analysis has been performed in an ad-hoc manner by different vendors, resulting in non-uniform coverage of significant security issues. ISO/IEC TS 17961 enumerates secure coding rules and requires analysis engines to diagnose violations of these rules as a matter of conformance to the specification. These rules may be extended in an implementation-dependent manner, which provides a minimum coverage guarantee to customers of any and all conforming static analysis implementations.
ISO/IEC TS 17961 specifies rules for secure coding in the C programming language and includes code examples for each rule. Noncompliant code examples demonstrate language constructs that have weaknesses with potentially exploitable security implications; such examples are expected to elicit a diagnostic from a conforming analyser for the affected language construct. Compliant examples are expected not to elicit a diagnostic. ISO/IEC TS 17961 does not specify the mechanism by which these rules are enforced or any particular coding style to be enforced.
NCC Group provides Secure Coding Training (https://www.nccgroup.trust/us/our-services/security-consulting/security-training/) and Application Code Review Services (https://www.nccgroup.trust/us/our-services/security-consulting/application-security/) using a variety of static and dynamic analysis tools as well as manual code analysis.
ISO/IEC TS 17961:2013/Cor 1:2016, C Secure Coding Rules is available for purchase from ISO/IEC (http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=72086)
If you are interested in contributing to the further development of an ISO/IEC C Safe/Secure Coding Rules International Standard please contact Robert Seacord at Robert.Seacord@nccgroup.trust.
Published date:  10 October 2016