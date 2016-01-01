Hacker News
Software Engineering Institute Makes CERT C++ Coding Standard Freely Available (cmu.edu)
26 points by BudVVeezer 1 hour ago | 6 comments





http://www.cert.org/downloads/secure-coding/assets/sei-cert-...



Note to self: always check the thread before digging up this kind of stuff myself. Thanks!



And C: http://www.cert.org/news/article.cfm?assetid=465486&article=...



To anyone experienced with CERT C++: are there rules in the standard that are critical for secure code, but not easy to discover without extensive experience?

For instance, I went through the I/O section, and most of the rules seem quite intuitive even to a novice C++ programmer like myself.



What's considered critical or difficult to discover is a bit subjective, but:

It's easy to forget that alignment is important on some architectures (other than for performance reasons), so be careful when using placement new: https://www.securecoding.cert.org/confluence/display/cpluspl...

This may seem obvious, but even the C++ committee got this one wrong when they created auto_ptr (which has since been removed from the standard): https://www.securecoding.cert.org/confluence/display/cpluspl...

This one is totally obvious but has a stunning number of ways you can fail to adhere to it, some of which look reasonable at first blush: https://www.securecoding.cert.org/confluence/display/cpluspl...

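The placement new alignment pitfall raised in the comment above, as an added example that is not part of the thread or of the CERT standard's own text. `Record`, `is_aligned_for`, `construct_aligned` and `run_demo` are hypothetical names; the sketch locates a suitably aligned slot with `std::align` before constructing, and refuses when none fits.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>

struct Record {                 // hypothetical type with alignment > 1
    std::int64_t id;
    double score;
};

// True when p satisfies T's alignment requirement.
template <typename T>
bool is_aligned_for(const void* p) {
    return reinterpret_cast<std::uintptr_t>(p) % alignof(T) == 0;
}

// Construct a T inside [buf, buf + size) at the first suitably aligned
// address, or return nullptr when no aligned slot of sizeof(T) bytes fits.
template <typename T>
T* construct_aligned(unsigned char* buf, std::size_t size) {
    void* p = buf;
    std::size_t space = size;
    if (std::align(alignof(T), sizeof(T), p, space) == nullptr)
        return nullptr;         // placement new here would be misaligned or overflow
    return ::new (p) T{};
}

struct Demo {
    bool raw_was_aligned;       // was the skewed pointer usable as-is?
    bool result_aligned;        // did construct_aligned return an aligned object?
    bool too_small_rejected;    // was a buffer with no aligned slot refused?
};

Demo run_demo() {
    // Constructed input: storage that is aligned, then skewed by one byte.
    alignas(Record) unsigned char storage[sizeof(Record) * 2 + 1];
    unsigned char* skewed = storage + 1;
    Demo d{};
    d.raw_was_aligned = is_aligned_for<Record>(skewed);
    Record* r = construct_aligned<Record>(skewed, sizeof(storage) - 1);
    d.result_aligned = r != nullptr && is_aligned_for<Record>(r);
    if (r) r->~Record();
    // sizeof(Record) bytes are available, but not at an aligned address.
    d.too_small_rejected =
        construct_aligned<Record>(skewed, sizeof(Record)) == nullptr;
    return d;
}
```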


I've not got experience w/CERT C++, so caveats. IMO, the major utility in releasing these guidelines publicly is that developers of clang-tidy and other open source static checkers can freely access the guides that will allow them to check for compliance.

Kudos to the SEI.




