Re: CERT C Programming Language Secure Coding Standard



On Jul 31, 3:28 pm, Robert Seacord <r...@xxxxxxxxxxx> wrote:
We have made significant progress on the CERT C Programming Language
Secure Coding Standard since I first posted about this effort around a
year ago. In particular, the document was reviewed and endorsed by the
WG14 C language standards committee at the London meeting in April of
this year.

We would again like to invite the community to review and comment on the
current version of the standard available at www.securecoding.cert.org
before we publish the final version. To do this, you can create an
account on the secure coding wiki and post your comments there.

There is some possibility that ISO/IEC WG14 may eventually publish this
document as a type III (informational) technical report and this
document may also be mined for ideas for the next major revision of the
C language standard. As a result, we would greatly appreciate your time
and expertise in reviewing the standard, and we will acknowledge your
contributions.

I'd say you could do with a bit of proofreading.

First, there is an example showing a macro modifying a global
variable, which supposedly leads to incorrect results when the macro
is used within a function having a local variable of the same name.
The example doesn't show this, and it doesn't produce the output that
you claim it does.

Second, you show an example that supposedly replaces the "puts"
function with a macro. That example doesn't compile. Apart from that,
the whole example doesn't make sense. There is a slight problem when
library functions can be implemented through macros, and there are
rare times when one has to make sure the real function is called, but
your explanation of the danger is way off the mark.

In general, it seems your webpage contains lots of comments that refer
to earlier versions of the document. This is really confusing. If a
comment says that the document should be changed, and you changed the
document, then leaving that comment there is just confusing.
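
The two macro hazards this reply refers to can be shown in a few lines of C: a macro whose body names a file-scope variable, expanded where a local of the same name is in scope, and a function masked by a function-like macro. This is an added example, not the example from the CERT wiki and not code from either poster; `count`, `BUMP`, `bump` and `log_line` are made-up names.

```c
#include <stdio.h>
#include <string.h>

/* All names here are constructed for illustration. */
static int count = 0;                      /* file-scope counter */
static int global_count(void) { return count; }

#define BUMP() (++count)                   /* "count" is resolved at the expansion site */
static void bump(void) { ++count; }        /* "count" is resolved here: always file scope */

struct counts { int local; int global; };

/* Macro expanded where a local named "count" is in scope. */
struct counts use_macro(void)
{
    count = 0;                             /* still the file-scope variable */
    int count = 100;                       /* shadows it from here on */
    BUMP();                                /* increments the local, not the global */
    struct counts r = { count, global_count() };
    return r;
}

/* Same scope, but the update goes through a function. */
struct counts use_function(void)
{
    count = 0;
    int count = 100;
    bump();                                /* increments the file-scope variable */
    struct counts r = { count, global_count() };
    return r;
}

/* A function that is also masked by a function-like macro of the same name. */
static int log_line(const char *s) { return (int)strlen(s); }
#define log_line(s) (-1)                   /* stand-in for the masking macro */

int masked_call(void) { return log_line("hello"); }    /* the macro is used */
int real_call(void)   { return (log_line)("hello"); }  /* parentheses bypass the macro */

int main(void)
{
    struct counts m = use_macro(), f = use_function();
    printf("macro:    local=%d global=%d\n", m.local, m.global);
    printf("function: local=%d global=%d\n", f.local, f.global);
    printf("masked=%d real=%d\n", masked_call(), real_call());
    return 0;
}
```

The parenthesized form works for standard library functions as well, for example `(puts)("text")`, because a function-like macro is only expanded when its name is immediately followed by `(`.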
