
Ask HN: Resources on secure coding in C? - kensentme
The C programming language is not going away anytime soon. Today there&#x27;s much focus on the security pitfalls of C. For new C programmers this is great news, as they have the opportunity to learn secure coding practices from the beginning and not develop unsecure habits.<p>Can you recommend any resources on secure development for new C programmers?
======
BudVVeezer
I would highly recommend looking at the CERT C Coding Standards, which are
available for free:
[https://www.securecoding.cert.org/confluence/display/c/SEI+C...](https://www.securecoding.cert.org/confluence/display/c/SEI+CERT+C+Coding+Standard)

One thing to note, they split them into recommendations and rules.
Recommendations are more stylistic and open to debate, whereas violations of
rules generally result in definite security concerns.

------
sarciszewski
[https://github.com/paragonie/awesome-
appsec#c](https://github.com/paragonie/awesome-appsec#c)

[https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/](https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/)

Not many.

If anyone has any resources to suggest, we'd like to increase our section in
the Awesome Appsec list for C programming too. :)

------
jwdunne
[http://c.learncodethehardway.org/](http://c.learncodethehardway.org/) by Zed
Shaw is an introduction to C that seems to have emphasis on writing secure C
programs. It's an introduction to C so I'm not sure if it's a comprehensive
guide to security in C but it does aim to teach C with security in mind,
especially buffer overflows.

~~~
coolsunglasses
Zed's advice is pretty controversial among the veteran C programmers I know,
so I'd hesitate to recommend LCTHW except as an introduction to C rather than
a security-minded thing.

~~~
jwdunne
Thanks. I'd actually be interested in hearing more about their opinion on the
book, it'll help with my own development.

~~~
random778
[http://hentenaar.com/dont-learn-c-the-wrong-way](http://hentenaar.com/dont-
learn-c-the-wrong-way)

------
appleskin
This is loosely related but if I were you I would want to know about it. Casey
Muratori is doing a series on game development in C. I find it educational and
entertaining.

[https://handmadehero.org/](https://handmadehero.org/)

------
vu3rdd
Highly recommend the Coursera Course called "software security".

[https://www.coursera.org/course/softwaresec](https://www.coursera.org/course/softwaresec)

------
jwdunne
[http://spinroot.com/gerard/pdf/P10.pdf](http://spinroot.com/gerard/pdf/P10.pdf)

Here is another interesting read, though again not comprehensive.

------
cylinder714
David A. Wheeler’s Secure Programming HOWTO: [http://www.dwheeler.com/secure-
programs/](http://www.dwheeler.com/secure-programs/)

------
kjs3
Seconding CERT. Lots of good advice. Certainly the place to start.

Along the same lines are the MISRA guidelines, though they are 1) targeted
more towards embedded systems and 2) stupidly not freely available. There's an
ISO standard for secure C coding (ISO/IEC TS 17961:2013) which is also not
free. While you might not get to source document, there are hundreds of sites
that summarize the requirements and recommendations.

SANS has a secure coding track worth checking out.

There's a tremendous amount of useful stuff in the NIST SAMATE project.

The OpenBSD folks write a lot about secure C coding.

Mozilla has some pretty good general advice at
[https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines)

So does Apple:
[https://developer.apple.com/library/mac/documentation/Securi...](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html)

~~~
sarciszewski
It's depressing that those are not free. :\

