
Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools; Final rept


Abstract

This report describes the results of a study to evaluate the effectiveness of secure coding practices, including the use of static analysis tools coupled with secure coding rule sets such as the CERT C Programming Language Secure Coding Standard (CERT 07a) and the CERT C++ Programming Language Secure Coding Standard (CERT 07b). The study was a joint effort between the CERT Secure Coding Initiative and JPCERT/CC. The CERT Secure Coding Initiative was established to work with software developers and software development organizations to eliminate vulnerabilities that result from coding errors before the software is deployed. The goal of this effort is to reduce the number of vulnerabilities to a level that existing vulnerability analysis teams around the world can handle, and to decrease remediation costs by eliminating vulnerabilities before software is deployed. JPCERT/CC is the first CSIRT (computer security incident response team) established in Japan.

The objectives of the study were to evaluate the efficacy of the CERT Secure Coding Standards and of source code analysis tools in improving the quality and security of commercial software projects. Two static analysis tools, Fortify Source Code Analysis (SCA) from Fortify Software and Compass/ROSE from Lawrence Livermore National Laboratory, were selected for their extensibility as well as their overall effectiveness. Checkers were developed for each tool to detect violations of the CERT C and C++ Secure Coding Standards. The extended tools were then provided to Software Research Associates, Inc., Japan, which evaluated the extended versions of Fortify SCA and Compass/ROSE on two existing projects: an electronic toll collection (ETC) system-related GUI application written in C++ and an IP-TV Service Protocol Stack (IP-TV) written in C. The extended source code analysis tools successfully discovered software defects in both projects evaluated.
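The checkers described above were built into Fortify SCA and Compass/ROSE, which work on the parsed program rather than on raw text. The following C is an added example, not code from the report or from either tool: it shows the kind of violation such a checker is written to flag (an unbounded string copy into a fixed-size buffer, the pattern addressed by CERT C rule STR31-C) next to a compliant replacement, and a deliberately simple line-oriented scanner, run over a few constructed source lines, that reports calls to a small assumed list of unsafe functions. The function names, the banned-function list and the sample source lines are illustrative assumptions.

```c
/* Added example (not from the report or the tools it evaluates).
 * Part 1: a STR31-C style violation and its compliant form.
 * Part 2: a toy lexical checker over constructed source lines. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Noncompliant: strcpy copies until the source NUL regardless of how large
 * dest is, so a long src overflows the destination buffer. */
void copy_noncompliant(char *dest, const char *src) {
    strcpy(dest, src);
}

/* Compliant: measure src with a bounded scan, refuse (rather than silently
 * truncate) when it does not fit with its terminator. Returns 0 on success,
 * -1 on bad arguments or insufficient space. */
int copy_compliant(char *dest, size_t dest_size, const char *src) {
    if (dest == NULL || src == NULL || dest_size == 0) return -1;
    size_t len = 0;
    while (len < dest_size && src[len] != '\0') len++;
    if (len == dest_size) return -1;      /* no room for the NUL */
    memcpy(dest, src, len + 1);
    return 0;
}

/* Convenience wrapper: try a copy into a scratch buffer of the given
 * capacity (capacity must be <= 64). Returns copy_compliant's result. */
int try_copy(size_t capacity, const char *src) {
    char buf[64];
    if (capacity > sizeof buf) return -1;
    return copy_compliant(buf, capacity, src);
}

/* Assumed banned list for the toy checker; a real checker would use the
 * rule's own tables and reason about buffer sizes, not just names. */
static const char *const BANNED[] = { "gets", "strcpy", "strcat", "sprintf" };

static int is_ident_char(char c) {
    return isalnum((unsigned char)c) || c == '_';
}

/* Returns the name of the first banned function called on the line, or NULL.
 * A match must be a whole identifier followed (after optional blanks) by '('
 * so that e.g. my_strcpy_safe(...) or strncpy(...) is not reported. */
const char *banned_call_on_line(const char *line) {
    for (size_t i = 0; i < sizeof BANNED / sizeof BANNED[0]; i++) {
        const char *name = BANNED[i];
        size_t n = strlen(name);
        const char *p = line;
        while ((p = strstr(p, name)) != NULL) {
            int start_ok = (p == line) || !is_ident_char(p[-1]);
            const char *q = p + n;
            while (*q == ' ' || *q == '\t') q++;
            if (start_ok && *q == '(') return name;
            p += n;
        }
    }
    return NULL;
}

/* Constructed sample source: exactly one line should be reported. */
static const char *const SAMPLE_SOURCE[] = {
    "char buf[16];",
    "strcpy(buf, argv[1]);",                       /* reported */
    "my_strcpy_safe(buf, sizeof buf, argv[1]);",   /* not a banned call */
    "snprintf(buf, sizeof buf, \"%s\", argv[1]);", /* bounded, not banned */
};

/* Runs the checker over SAMPLE_SOURCE and returns the number of findings. */
int count_findings(void) {
    int findings = 0;
    for (size_t i = 0; i < sizeof SAMPLE_SOURCE / sizeof SAMPLE_SOURCE[0]; i++) {
        const char *hit = banned_call_on_line(SAMPLE_SOURCE[i]);
        if (hit != NULL) {
            printf("line %zu: call to %s() (unbounded copy, see STR31-C)\n",
                   i + 1, hit);
            findings++;
        }
    }
    return findings;
}

int main(void) {
    printf("findings: %d\n", count_findings());
    printf("copy of 7 chars into 8 bytes: %d\n", try_copy(8, "1234567"));
    printf("copy of 8 chars into 8 bytes: %d\n", try_copy(8, "12345678"));
    return 0;
}
```

The name-based scanner is only a stand-in for the AST- and dataflow-based checks the study's tools perform; it cannot tell whether a particular strcpy call is actually safe, which is why a production checker tracks the destination buffer's size rather than matching identifiers.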
