Note: This page is part of the us-cert.gov archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

Coding Practices

This content area describes methods, techniques, processes, tools, and runtime libraries that can prevent or limit exploits against vulnerabilities. Each document describes the development and technology context in which the coding practice is applied, as well as the risk of not following the practice and the type of attacks that could result.

Title Updated Authors
Phkmalloc 2013-07-31 Robert C. Seacord
OpenBSD 2013-07-31 Daniel Plakosh
MITRE CWE and CERT Secure Coding Standards 2013-07-25 Robert C. Seacord, Robert Martin
Assume that Human Behavior Will Introduce Vulnerabilities into Your System 2013-06-26 William L. Fithen
Do Not Perform Arithmetic with Unvalidated Input 2013-06-26 William L. Fithen
Never Use Unvalidated Input as Part of a Directive to any Internal Component 2013-06-26 William L. Fithen
Treat the Entire Inherited Process Context as Unvalidated Input 2013-06-26 William L. Fithen
Do Not Use the "%n" Format String Specifier 2013-06-26 William L. Fithen
Be Suspicious about Trusting Unauthenticated External Representation of Internal Data Structures 2013-06-26 William L. Fithen
Handle All Errors Safely 2013-06-26 William L. Fithen
If Emulation of Another System Is Necessary, Ensure that It Is as Correct and Complete as Possible 2013-06-26 William L. Fithen
Carefully Study Other Systems Before Incorporating Them into Your System 2013-06-24 William L. Fithen
Clear Discarded Storage that Contained Secrets and Do Not Read Uninitialized Storage 2013-06-24 William L. Fithen
Use Well-Known Cryptography Appropriately and Correctly 2013-06-21 William L. Fithen
Design Configuration Subsystems Correctly and Distribute Safe Default Configurations 2013-06-20 William L. Fithen
Follow the Rules Regarding Concurrency Management 2013-06-20 William L. Fithen
Ensure that Input Is Properly Canonicalized 2013-06-20 William L. Fithen
Guidelines Overview 2013-06-20 William L. Fithen
Ensure that the Bounds of No Memory Region Are Violated 2013-06-20 William L. Fithen
Use Authorization Mechanisms Correctly 2013-06-20 William L. Fithen
Use Authentication Mechanisms, Where Appropriate, Correctly 2013-06-19 William L. Fithen
Vstr 2013-05-20 Daniel Plakosh
strncpy_s() and strncat_s() 2013-05-14 Daniel Plakosh
SEI: Coding Practices 2013-05-14 Daniel Plakosh, Robert C. Seacord
strlcpy() and strlcat() 2013-05-14 Daniel Plakosh
strncpy() and strncat() 2013-05-14 Daniel Plakosh
OpenBSD's strlcpy() and strlcat() 2013-05-14 Daniel Plakosh
strcpy_s() and strcat_s() 2013-05-14 Daniel Plakosh
strcpy() and strcat() 2013-05-14 Daniel Plakosh
fgets() and gets_s() 2013-05-14 Robert C. Seacord
C++ std::string 2013-05-14 Daniel Plakosh
Consistent Memory Management Conventions 2013-05-13 Daniel Plakosh
Strong Typing 2013-05-10 Robert C. Seacord
Safe Integer Operations 2013-05-10 Daniel Plakosh
Runtime Analysis Tools 2013-05-10 Daniel Plakosh
Detection and Recovery 2013-05-10 Daniel Plakosh
Range Checking 2013-05-10 Daniel Plakosh, Robert C. Seacord
Randomization 2013-05-10 Robert C. Seacord
Null Pointers 2013-05-10 Daniel Plakosh
Heap Integrity Detection 2013-05-10 Daniel Plakosh
Guard Pages 2013-05-10 Daniel Plakosh
Compiler Checks 2013-05-10 Robert C. Seacord
Arbitrary Precision Arithmetic 2013-05-10 Robert C. Seacord
Windows XP SP2 2013-05-10 Robert C. Seacord
Strsafe.h 2013-05-10 Daniel Plakosh
SafeStr 2013-05-10 Daniel Plakosh
memcpy_s() and memmove_s() 2008-10-06 Daniel Plakosh
Subscribe to Coding Practices