Navigating the Jungle of the Secure Coding Standards
Michal Rozenau
michal.rozenau@parasoft.com
The Jungle of the Secure Coding Standards
Do you know them?
CVE, CQE, MISRA, ISO26262, CERT, DO178C, AUTOSAR, CWE, IEC61508
Software Safety and Security Issues
Serious issues caused by software bugs:
• Mariner 1 Spacecraft (1962)
• Ariane 5 (1996)
• Mars Climate Orbiter (1998)
• LSASS buffer overflow / Sasser worm (2004)
• Bash "Shellshock" bug (2014)
• OpenSSL "Heartbleed" bug (2014)
CVE List (Common Vulnerabilities and Exposures)
• Created by the MITRE Corporation
  • Not-for-profit company that operates multiple federally funded research and development centers
• Initial list in 1999 contained 321 CVE entries
• Currently contains over 112k entries
• Maintained by 93 CNAs (CVE Numbering Authorities) from 16 countries
• It's alive
  • 11 new CNAs since Jan 2018
  • over 1600 new CVEs already published in 2019
• Examples:
  • "Heartbleed" (CVE-2014-0160)
  • "ShellShock" (CVE-2014-6271)
  • "Spectre" (CVE-2017-5715 and CVE-2017-5753)
  • "Meltdown" (CVE-2017-5754)
Copyright © 2006-2017, CVE and the CVE logo are trademarks of The MITRE Corporation.
CWE List (Common Weakness Enumeration)
• Community initiative
• Managed by the MITRE Corporation
• Categorization of the known issues
• 806 weaknesses in CWE 3.2
• Hierarchical representation
Example entry:
CWE-787: Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.
ParentOf:
• CWE-121 Stack-based Buffer Overflow
• CWE-122 Heap-based Buffer Overflow
• CWE-124 Buffer Underwrite ('Buffer Underflow')
Copyright © 2006-2017, CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.
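The CWE-787 entry above is a category, not code, so here is an added illustration of the weakness it names and the bounds check that removes it. This is example code written for this page, not code from the slides or from MITRE; the function names and the 8-byte buffer in the scenario helpers are constructed. The unchecked copy passes its happy-path test, which is exactly why this defect survives review; the hardened copy makes the destination capacity part of the interface, and the index check covers the underwrite child (CWE-124) as well.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// The pattern CWE-787 describes: src is written into dst without any knowledge
// of dst's capacity, so any src of dst's capacity or longer writes past the end.
// Whether that becomes CWE-121 or CWE-122 depends only on where dst lives
// (stack or heap); the defect itself is the missing bound.
void copy_unchecked(char* dst, const char* src) {
    std::size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        ++i;
    }
    dst[i] = '\0';
}

// Hardened form: the capacity is part of the interface and is checked before
// any byte is written. Returns false and leaves dst untouched when src does not
// fit together with its terminator.
bool copy_bounded(char* dst, std::size_t dst_cap, const char* src) {
    if (dst == nullptr || src == nullptr || dst_cap == 0) {
        return false;
    }
    const std::size_t n = std::strlen(src);
    if (n >= dst_cap) {
        return false;  // n == dst_cap would still overflow by the terminator
    }
    std::memcpy(dst, src, n + 1);
    return true;
}

// CWE-124 (buffer underwrite) is the same defect at the other end: an index
// derived from input may be negative. The index is taken as a signed value on
// purpose, and both bounds are checked before the write.
bool store_at(char* buf, std::size_t cap, long index, char value) {
    if (index < 0 || static_cast<std::size_t>(index) >= cap) {
        return false;
    }
    buf[index] = value;
    return true;
}

// Scenario helpers (constructed): each runs one case against an 8-byte buffer
// and returns what a caller would observe, without ever triggering the overflow.
bool unchecked_copies_fitting_input() {
    char buf[8];
    copy_unchecked(buf, "abc");  // works, and would also "work" with 20 bytes
    return std::string(buf) == "abc";
}

bool bounded_accepts_fitting_input() {
    char buf[8];
    return copy_bounded(buf, sizeof buf, "1234567") && std::string(buf) == "1234567";
}

bool bounded_rejects_overlong_input() {
    char buf[8] = "keep";
    // 8 characters plus the terminator need 9 bytes: the write is refused and
    // the previous contents survive.
    return !copy_bounded(buf, sizeof buf, "12345678") && std::string(buf) == "keep";
}

bool store_rejects_out_of_range() {
    char buf[8] = {0};
    return !store_at(buf, sizeof buf, -1, 'x')   // underwrite attempt
        && !store_at(buf, sizeof buf, 8, 'x')    // one past the end
        && store_at(buf, sizeof buf, 7, 'x') && buf[7] == 'x';
}
```

A static analysis tool flags the unchecked form because the write has no relation to any capacity value; in the bounded form the relation is visible in the code, which is what the coding standards later in the deck require.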
CQE (Common Quality Enumeration)
• Community initiative
• Managed by the MITRE Corporation
• CWE-like industry standard for software quality
• Still a draft (v. 0.9)
• 112 Quality Issues
Example entry:
CQE-9221: Excessive Code Complexity
The code is too complex, as calculated using a well-defined, quantitative measure.
Parent of:
• CQE-9222 Excessive Cyclomatic Complexity
• CQE-9223 Excessive Halstead Complexity
• CQE-9225 Excessively Deep Nesting
• CQE-9226 Excessive Attack Surface
CQE, CWE, and the CQE logo are trademarks of The MITRE Corporation.
Functional Safety Standards
• DO-178C / ED-12C: Aviation
• IEC 61508: General purpose
• ISO 26262: Automotive
• IEC 62279 / EN 50128: Railway
• IEC 62061: Machinery
• IEC 62304: Medical
• ...
IEC 61508 and Static Analysis
Static analysis appears in three IEC 61508 tables (R = recommended, HR = highly recommended, for each Safety Integrity Level):

Table A.9 – Software verification
Technique / measure                                        SIL 1  SIL 2  SIL 3  SIL 4
3. Static analysis                                         R      HR     HR     HR

Table B.8 – Static analysis
Technique / measure                                        SIL 1  SIL 2  SIL 3  SIL 4
3. Control flow analysis                                   R      HR     HR     HR
4. Data flow analysis                                      R      HR     HR     HR
9. Static analysis of run time error behaviour             R      R      R      HR

Table B.1 – Design and coding standards
Technique / measure                                        SIL 1  SIL 2  SIL 3  SIL 4
1. Use of coding standard to reduce likelihood of errors   HR     HR     HR     HR
2. No dynamic objects                                      R      HR     HR     HR
8. No automatic type conversion                            R      HR     HR     HR
Coding Standards
Commonly used C and C++ standards:
• MISRA C
• MISRA C++
• JSF AV C++ Coding Standard
• SEI CERT C Coding Standard
• SEI CERT C++ Coding Standard
• AUTOSAR C++14 Guidelines
MISRA C / C++
• MISRA C:
  • MISRA C:1998 (Guidelines for the use of the C language in vehicle based software)
  • MISRA C:2004 (Guidelines for the use of the C language in critical systems)
  • MISRA C:2012 (Guidelines for the use of the C language in critical systems)
  • MISRA C:2012 Amendment 1 (Additional security guidelines for MISRA C:2012)
• MISRA C++:
  • MISRA C++:2008 (Guidelines for the use of the C++ language in critical systems)
  • Covers C++03
• Focused on safety-related aspects
MISRA C / C++
MISRA C:2012 rule examples:
• Rule 2.1: A project shall not contain unreachable code
• Rule 2.2: There shall be no dead code
• Rule 11.1: Conversions shall not be performed between a pointer to a function and any other type
• Rule 19.2: The union keyword should not be used
JSF++ AV Coding Standard (C++)
• Created by Lockheed Martin
• Coding Standards for the System Development and Demonstration Program
• Part of the Joint Strike Fighter program (aka F-35)
• Released in 2005
• Covers C++03
• Focused on safety-related aspects
SEI CERT C / C++ Coding Standard
• CERT C:
  • The CERT C Secure Coding Standard (2008)
  • The CERT C Coding Standard (2013)
  • SEI CERT C Coding Standard (2016)
  • Actively maintained / updated using Confluence
• CERT C++:
  • SEI CERT C++ Coding Standard (2016)
  • Actively maintained / updated using Confluence
  • Covers C++14
• Focused on security-related aspects
SEI CERT C / C++ Coding Standard
CERT C++ rule examples:
• CON50-CPP: Do not destroy a mutex while it is locked
• DCL50-CPP: Do not define a C-style variadic function
• EXP51-CPP: Do not delete an array through a pointer of the incorrect type
• FIO50-CPP: Do not alternately input and output from a file stream without an intervening positioning call
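To make three of the listed rules concrete, here is an added example (written for this page, not taken from the slides or from the SEI CERT wiki) showing the compliant shape for DCL50-CPP, EXP51-CPP and CON50-CPP, with the non-compliant shape each rule rules out described in the comments. `checked_sum`, `Base`/`Derived`, `make_derived_array`, `sum_ids` and `Counter` are all constructed names.

```cpp
#include <cstddef>
#include <mutex>
#include <type_traits>
#include <vector>

// DCL50-CPP. The non-compliant shape is a C-style variadic function such as
// 'int sum(int count, ...)': the callee must trust 'count' and guess the type of
// each argument, and a mismatch reads unrelated stack data. A variadic template
// keeps every argument typed and the argument count known at compile time.
long checked_sum() { return 0; }

template <typename T, typename... Rest>
long checked_sum(T first, Rest... rest) {
    static_assert(std::is_integral<T>::value, "checked_sum accepts integral arguments only");
    return static_cast<long>(first) + checked_sum(rest...);
}

// EXP51-CPP. 'Base* p = new Derived[n]; delete[] p;' deletes the array through a
// pointer of the wrong type: destruction walks the array with sizeof(Base) as
// the stride, which is undefined behaviour. Owning the array with its exact
// element type (here std::vector<Derived>) leaves no wrong type to delete through.
struct Base {
    int id = 0;
    virtual ~Base() = default;
};

struct Derived : Base {
    int extra[4] = {0, 0, 0, 0};
};

std::vector<Derived> make_derived_array(std::size_t n) {
    std::vector<Derived> items(n);
    for (std::size_t i = 0; i < n; ++i) {
        items[i].id = static_cast<int>(i);
    }
    return items;
}

// Iterates as Derived; touching 'extra' is valid because the elements really
// are Derived objects laid out with sizeof(Derived).
int sum_ids(const std::vector<Derived>& items) {
    int total = 0;
    for (const Derived& d : items) {
        total += d.id + d.extra[0];
    }
    return total;
}

// CON50-CPP. A mutex must outlive every lock taken on it. Keeping the mutex and
// the data it guards in one object, and locking only inside that object's member
// functions with a scoped lock, makes each lock's lifetime strictly shorter than
// the mutex's: the lock_guard is gone before the Counter (and its mutex) can be.
class Counter {
public:
    void add(long delta) {
        std::lock_guard<std::mutex> guard(mutex_);
        value_ += delta;
    }
    long value() const {
        std::lock_guard<std::mutex> guard(mutex_);
        return value_;
    }
private:
    mutable std::mutex mutex_;
    long value_ = 0;
};

long counter_demo() {
    Counter counter;
    counter.add(3);
    counter.add(4);
    return counter.value();  // every guard was released before counter goes away
}
```

Each of these rules is mechanically checkable, which is the point of the slide: a variadic `...` parameter, a `delete[]` whose static type differs from the allocated type, and a mutex whose destructor can run while a lock on it is alive are all patterns a static analyzer can report without running the program.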
AUTOSAR C++14 Coding Guidelines
• Guidelines for the use of the C++14 language in critical and safety-related systems
• Part of the AUTOSAR Adaptive Platform
• Released twice a year: 17-03, 17-10, 18-03, 18-10, ?
• Based on MISRA C++:2008
• Adapted to cover C++14
• Contains traceability to MISRA C++, JSF++, CERT C++ and C++ Core Guidelines
Bonus: C++ Core Guidelines
• Announced by Bjarne Stroustrup in 2015
• A set of guidelines for using C++ well
• Focused on modern C++ (currently C++17)
• Living document under continuous improvement. No stable version yet.
• Hosted on GitHub: https://github.com/isocpp/CppCoreGuidelines
Best practices
Which coding standard is good for me?
Do not try to reinvent the wheel! You need to decide based on the specifics of your project!
Best practices
Coding Standard                        # of guidelines   Details
MISRA C:2012 (w/ Amendment 1)          173               156 rules, 17 directives
CERT C Guidelines                      307               121 rules, 186 recommendations
AUTOSAR C++14 Coding Guidelines        344               319 required, 25 advisory
CERT C++ Rules                         163               83 C++ specific rules, 80 relevant C rules
MISRA C++:2008                         228               198 required, 18 advisory, 12 document
How can I handle such a large number of guidelines to follow?
Use an automated tool!
Best practices
How can I choose the right tool?
• Does the tool support the chosen coding standard(s) fully / partially?
• If tool qualification is required by the functional safety standard:
  • is the tool certified?
  • does the tool provide a qualification kit?
• Can the tool produce analysis reports in the form required to do compliance analysis?
• Can the tool produce analysis reports in a form that is easy for developers to read?
• Does the tool integrate cleanly with the IDEs, build and CI systems in use?
• Does the tool use risk scoring algorithms to help prioritize the defects it finds?
• [...]
Find the tool that can be used efficiently in your ecosystem!
Best practices
The tool reports a lot. What do I start with?
• Focus on the new issues first!
• Use risk scoring algorithms to initially prioritize violations!
• Triage and prioritize violations that need to be addressed!
SEI CERT C++ Risk Assessment Summary, ©2018 Carnegie Mellon University
Best practices
How can I ensure continuous improvement?
Make sure developers fix the problems found! Use CI to find newly introduced defects early!
Best practices
How do I know if my project is compliant?
Perform compliance measurements!
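The two questions above ("what do I start with?" and "how do I know if my project is compliant?") are both answered by arithmetic over the tool's findings, so here is an added example (written for this page, not the slides' or any vendor's code) that does the three things the deck recommends: keep only findings that are new relative to a baseline run, order them by the SEI CERT risk assessment (severity, likelihood and remediation cost each scored 1 to 3, priority = their product, level L1/L2/L3 derived from the priority), and measure compliance as the share of enforced guidelines with no open finding. The rule ids are the ones listed earlier in the deck; the file names, line numbers and metric values in the sample runs are constructed, and the `Violation`, `new_since`, `triaged` and `compliance_percent` names are mine.

```cpp
#include <algorithm>
#include <cstddef>
#include <set>
#include <string>
#include <tuple>
#include <vector>

// One finding from an analysis run. The three risk metrics follow the SEI CERT
// scheme, each 1..3: severity (1 low, 3 high), likelihood (1 unlikely, 3 likely),
// remediation cost (1 high, 3 low).
struct Violation {
    std::string rule;   // guideline id, e.g. "EXP51-CPP"
    std::string file;
    int line;
    int severity;
    int likelihood;
    int remediation;
};

// CERT priority: product of the three metrics (1..27).
int priority(const Violation& v) {
    return v.severity * v.likelihood * v.remediation;
}

// CERT level: L1 = priority 12, 18, 27; L2 = 6, 8, 9; L3 = 1, 2, 3, 4.
int level(const Violation& v) {
    const int p = priority(v);
    if (p >= 12) return 1;
    if (p >= 6) return 2;
    return 3;
}

// Identity of a finding for baseline comparison. A real tool fingerprints the
// offending code so that edits elsewhere in a file do not make old findings look
// new; rule + file + line is enough to show the idea.
using Key = std::tuple<std::string, std::string, int>;
Key key_of(const Violation& v) { return Key(v.rule, v.file, v.line); }

// "Focus on the new issues first": findings of the current run absent from the baseline.
std::vector<Violation> new_since(const std::vector<Violation>& baseline,
                                 const std::vector<Violation>& current) {
    std::set<Key> seen;
    for (const Violation& v : baseline) seen.insert(key_of(v));
    std::vector<Violation> fresh;
    for (const Violation& v : current) {
        if (seen.count(key_of(v)) == 0) fresh.push_back(v);
    }
    return fresh;
}

// Triage order: L1 before L2 before L3, highest priority first within a level;
// stable so that the tool's own order breaks remaining ties.
std::vector<Violation> triaged(std::vector<Violation> findings) {
    std::stable_sort(findings.begin(), findings.end(),
                     [](const Violation& a, const Violation& b) {
                         if (level(a) != level(b)) return level(a) < level(b);
                         return priority(a) > priority(b);
                     });
    return findings;
}

// Compliance measurement: percentage of enforced guidelines with no open finding.
double compliance_percent(const std::vector<std::string>& enforced,
                          const std::vector<Violation>& open) {
    if (enforced.empty()) return 0.0;
    std::set<std::string> violated;
    for (const Violation& v : open) violated.insert(v.rule);
    std::size_t clean = 0;
    for (const std::string& rule : enforced) {
        if (violated.count(rule) == 0) ++clean;
    }
    return 100.0 * static_cast<double>(clean) / static_cast<double>(enforced.size());
}

// Constructed sample data: the guidelines the tool is configured to enforce and
// two analysis runs (file names, lines and metric values are made up).
std::vector<std::string> enforced_rules() {
    return {"CON50-CPP", "DCL50-CPP", "EXP51-CPP", "FIO50-CPP"};
}

std::vector<Violation> baseline_run() {
    return {{"EXP51-CPP", "codec.cpp", 10, 3, 2, 2},
            {"FIO50-CPP", "logger.cpp", 42, 1, 2, 3}};
}

std::vector<Violation> current_run() {
    return {{"EXP51-CPP", "codec.cpp", 10, 3, 2, 2},    // already known
            {"FIO50-CPP", "logger.cpp", 42, 1, 2, 3},   // already known
            {"DCL50-CPP", "codec.cpp", 20, 1, 1, 3},    // new, priority 3  -> L3
            {"CON50-CPP", "worker.cpp", 7, 3, 3, 1},    // new, priority 9  -> L2
            {"EXP51-CPP", "codec.cpp", 33, 3, 2, 2}};   // new, priority 12 -> L1
}
```

Run against the sample data, `new_since` drops the two known findings, `triaged` puts the L1 finding in codec.cpp first, and `compliance_percent` reports 0% for the full current run (every enforced rule has a finding) but 25% when only new findings are counted as open, which is the "realistic goals" framing from the summary: measure against the baseline you set, then move the baseline.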
Summary
Now we know them...
• Vulnerabilities: CVE
• Weaknesses / Code Issues: CWE, CQE
• Functional Safety Standards: ISO26262, DO178C, IEC61508
• Coding Standards: MISRA, CERT, AUTOSAR
Summary: best practices
• Wisely choose appropriate coding standard(s)
• Use the right automated tool(s)
• Set up realistic goals
• Focus on the newly written code first
• Prioritize defects based on their severity / importance
• Measure compliance level
• Perform continuous testing to find defects early
Navigating the Jungle of Secure Coding Standards
Thank you for your attention! Questions?
Please come visit us: Hall 4, Booth 378
Michal Rozenau