Ask HN: Resources on secure coding in C?

[kensentme]

The C programming language is not going away anytime soon. Today there's much focus on the security pitfalls of C. For new C programmers this is great news, as they have the opportunity to learn secure coding practices from the beginning and not develop unsecure habits.

Can you recommend any resources on secure development for new C programmers?

[BudVVeezer]

I would highly recommend looking at the CERT C Coding Standards, which are available for free: https://www.securecoding.cert.org/confluence/display/c/SEI+C...

One thing to note, they split them into recommendations and rules. Recommendations are more stylistic and open to debate, whereas violations of rules generally result in definite security concerns.

[sarciszewski]

https://github.com/paragonie/awesome-appsec#c

https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/

Not many.

If anyone has any resources to suggest, we'd like to increase our section in the Awesome Appsec list for C programming too. :)

[jwdunne]

http://c.learncodethehardway.org/ by Zed Shaw is an introduction to C that seems to have emphasis on writing secure C programs. It's an introduction to C so I'm not sure if it's a comprehensive guide to security in C but it does aim to teach C with security in mind, especially buffer overflows.

[ggreer]

I strongly encourage people to avoid Learn C the Hard Way. It's neither a good introduction to C nor a good guide to secure C. Reading through, I couldn't help but wince at the inaccuracies and oversights. I hate to say it, but the guide is irredeemable.

Who am I to say such things? Well... I learned C almost 20 years ago. I haven't spent the whole time since then writing it, but I'd like to think I'm pretty good. You may even use some of the stuff I've written, such as ag[1].

1. https://github.com/ggreer/the_silver_searcher

[coolsunglasses]

Zed's advice is pretty controversial among the veteran C programmers I know, so I'd hesitate to recommend LCTHW except as an introduction to C rather than a security-minded thing.

[jwdunne]

Thanks. I'd actually be interested in hearing more about their opinion on the book, it'll help with my own development.

[random778]

http://hentenaar.com/dont-learn-c-the-wrong-way

[appleskin]

This is loosely related but if I were you I would want to know about it. Casey Muratori is doing a series on game development in C. I find it educational and entertaining.

https://handmadehero.org/

[vu3rdd]

Highly recommend the Coursera Course called "software security".

https://www.coursera.org/course/softwaresec

[jwdunne]

http://spinroot.com/gerard/pdf/P10.pdf

Here is another interesting read, though again not comprehensive.

[cylinder714]

David A. Wheeler’s Secure Programming HOWTO: http://www.dwheeler.com/secure-programs/

[kjs3]

Seconding CERT. Lots of good advice. Certainly the place to start.

Along the same lines are the MISRA guidelines, though they are 1) targeted more towards embedded systems and 2) stupidly not freely available. There's an ISO standard for secure C coding (ISO/IEC TS 17961:2013) which is also not free. While you might not get to source document, there are hundreds of sites that summarize the requirements and recommendations.

SANS has a secure coding track worth checking out.

There's a tremendous amount of useful stuff in the NIST SAMATE project.

The OpenBSD folks write a lot about secure C coding.

Mozilla has some pretty good general advice at https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

So does Apple: https://developer.apple.com/library/mac/documentation/Securi...

[sarciszewski]

It's depressing that those are not free. :\