CERT C, CERT C++

Implement a disciplined, repeatable, and security-focused development process by incorporating application security measures into your design and coding processes.

  • Plug into our Automated Static Analysis tools
  • Eliminate insecure coding practices
  • Eliminate undefined behaviors
  • Avoid commonly exploited vulnerabilities
  • Improve your overall system quality

Application Security Independent Study by SEI

Learn how PRQA’s QA·C analyzer discovered violations of the CERT C standard completely missed by other static analysis tools.

QA·C 8.2 Enforcement of CERT® C

QA·C 8.2 enforces 135 CERT® C rules. Full details of the enforcement can be found on the CERT® C website.

QA·C++ 3.2 Enforcement of CERT® C++

QA·C++ 3.2 enforces 141 CERT® C++ rules. Full details of the enforcement can be found on the CERT® C++ website.

What are CERT® C and CERT® C++?

The CERT® Secure Coding Standards for C and C++ are standards that provide rules and recommendations that target insecure coding practices and undefined behaviors that can lead to exploitable vulnerabilities.

Created by the Software Engineering Institute (SEI) for Embedded Developers

The Software Engineering Institute is a research and development center primarily funded by the U.S. Department of Defense and the Department of Homeland Security.

The CERT Division at SEI is operated by Carnegie Mellon University and responsible for publishing these standards.

The CERT® C and C++ coding standards are the result of studying over 20 years of documented software vulnerability cases.

What is a software vulnerability?

CERT describes a vulnerability as a software defect that affects security when it is present in information systems.

The defect may be minor, in that it does not affect the performance or results produced by the software, but nevertheless may be exploited by an attack that results in a significant breach of security.

CERT estimates that up to 90% of reported security incidents result from the exploitation of defects in software code or design.
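As an added illustration of the kind of defect the standard targets (this is not code from PRQA, SEI or the CERT standard itself): two frequently cited CERT C rules, INT32-C (signed integer overflow is undefined behavior) and STR31-C (a fixed-size destination needs room for the terminator), each shown in a compliant form with the non-compliant line it replaces noted in the comment. Function names and sample inputs are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* INT32-C: signed integer overflow is undefined behaviour. The non-compliant
 * form "return a * b;" may wrap, trap, or be optimised into a wrong branch.
 * This compliant form range-checks first and reports failure instead. */
bool checked_mul(int a, int b, int *result) {
    if (a > 0 && b > 0 && a > INT_MAX / b) return false;
    if (a > 0 && b < 0 && b < INT_MIN / a) return false;
    if (a < 0 && b > 0 && a < INT_MIN / b) return false;
    if (a < 0 && b < 0 && (a == INT_MIN || b == INT_MIN || -a > INT_MAX / -b))
        return false;
    *result = a * b;
    return true;
}

/* STR31-C: a fixed-size destination must have room for the terminator.
 * The non-compliant form "strcpy(dst, src);" writes past dst when src is
 * too long. This compliant form rejects oversized input and always leaves
 * dst as a valid, terminated string. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0) return false;
    if (len >= dst_size) {          /* no room for len bytes plus '\0' */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);      /* copies the terminator too */
    return true;
}

int main(void) {
    int product = 0;
    char name[8];                   /* constructed fixed-size buffer */

    printf("46341 * 46341 fits: %s\n",
           checked_mul(46341, 46341, &product) ? "yes" : "no (overflow)");
    printf("1000 * 1000 = %d\n", checked_mul(1000, 1000, &product) ? product : -1);
    printf("copy \"alice\": %s -> \"%s\"\n",
           copy_bounded(name, sizeof name, "alice") ? "ok" : "rejected", name);
    printf("copy of a 23-byte string: %s -> \"%s\"\n",
           copy_bounded(name, sizeof name, "unexpectedly long input") ? "ok" : "rejected", name);
    return 0;
}
```

Both checks are the sort of thing a CERT C rule checker flags statically: the unchecked multiply and the unbounded copy compile cleanly and pass ordinary tests, which is exactly why they survive into shipped code.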

How PRQA’s CERT Add-Ons help you build more secure software

Automatically test against rulesets for secure coding in C and C++

PRQA’s CERT Add-Ons automatically test against security vulnerabilities derived from a database containing over 20 years’ worth of documented vulnerability cases.

Eliminate the root causes of vulnerabilities

Guarantee the absence of the coding errors, insecure coding practices, and undefined behaviors that are commonly found to be the root causes of vulnerabilities.

Maximize dependability, trustworthiness, and resilience

Automated static analysis combined with the CERT® C and C++ Add-Ons helps you produce software that executes predictably and correctly, minimizes exposure to security vulnerabilities and weaknesses, and creates code that can resist most known as well as new attacks.

You will know that your code is dependable, trustworthy, and resilient before your code is even compiled.

Automatically track, report, and demonstrate CERT C and C++ compliance

Manually tracking, reporting, and demonstrating compliance to a security coding standard isn’t feasible for large development teams working on enterprise-level codebases.

The CERT® C and C++ Add-Ons automate compliance tracking, reporting to key stakeholders, and the documentation required to demonstrate compliance to external parties.

Relationship with CWE (Common Weakness Enumeration)

CWE provides a comprehensive repository of known weaknesses, while the CERT® C Secure Coding standard identifies insecure coding constructs that may expose a weakness in the software.

Not all CERT® C coding guidelines map directly to weaknesses in the CWE, because some coding errors can manifest themselves in various ways that do not directly correlate to any given weakness. Similarly, not all weaknesses identified by CWE are present in the coding standard as some are related to high level design.

CWE is made up of a series of views, such as the dictionary view and the development view. The CWE-734 view enumerates weaknesses addressed by the CERT® C Secure Coding Standard and includes 103 out of the 799 total CWEs. Developers can fully or partially prevent the weaknesses identified in CWE-734 if they adhere to the CERT® coding standard.

Find out how CWE maps to our static analyzer for C, QA·C.

Who is this product for:

CISOs, CTOs, and embedded security professionals who need to ensure the creation of secure software that is free of vulnerabilities.

Development directors, application managers, and developers who need to chart progress towards compliance with the CERT standard internally and provide objective evidence of this progress externally.

Software architects and VPs of engineering who need their development teams to produce secure software in less time by catching and correcting vulnerabilities in their code early and often.

Quality assurance professionals who need their team to build CERT-compliant code using a tool that flags only relevant issues.

"The easier the tool is to use, the more people will want to use it, which means better code and ultimately less long-term costs for Presagis. The ability of QA·C++ to automate a significant portion of our coding standard means more time for developers to focus on product development instead of chasing problems."

- Presagis