Industry coding standards
The evolution of coding standards has created new expectations and requirements for software architects and developers. There is an alphabet soup of organizations and standards, including: MISRA, CWE, CERT, STIGs and many others.
Here are a few of the current standards, with links to their sources.
MISRA, The Motor Industry Software Reliability Association, is an industry consortium that establishes and promotes best practices in engineering in the automotive industry. Their standards have been adopted by many industries and associations worldwide.
MISRA is a set of standards that predominately identify coding guidelines, not necessarily coding errors. If your project has not followed MISRA from the beginning, then enabling MISRA will in all likelihood cause the detection of a very large number of issues, most of which are not errors so much as coding guideline violations. Therefore, the inclusion of the MISRA checkers and taxonomy must be thought out in advance, before putting the checkers into your production system.
As of April 8, 2013, the current C version is MISRA C:2012 (MISRA C Version 3). This standard is not yet supported by Klocwork, but implementation is under way, and will be announced as it becomes available.
Common Weakness Enumeration - International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design.
Feb. 28, 2012, CWE announced that Klocwork Insight was one of 5 products to be awarded with CWE’s Official Certificates of CWE Compatibility. This means our customers can rest assured that our products are “CWE Compatible”, based on CWE’s own criteria. Great news for all our customers who care about creating more secure code!
CWE has published 2010 CWE/SANS Top 25 Most Dangerous Software Errors. This list includes detailed description of the causes and impacts of some very common coding issues.
CERT is located at Carnegie Mellon University's Software Engineering Institute. They study internet security vulnerabilities, research long-term changes in networked systems, and develop information and training to help improve security.
See the reference documentation for CERT C and C++ Secure Coding Standard IDs mapped to Klocwork C and C++ checkers
The STIGs and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems.
See the reference documenation for DISA STIG IDs mapped to Klocwork C and C++ checkers and DISA STIG IDs mapped to Klocwork Java checkers
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
Read more about Klocwork support for the OWASP Top Ten.