[Cyph0n]

To anyone experienced with CERT C++: are there rules in the standard that are critical for secure code, but not easy to discover without extensive experience?

For instance, I went through the I/O section, and most of the rules seem quite intuitive even to a novice C++ programmer like myself.

[temac]

I'm currently working on a system that had no locking order defined (and no any other proper way to prevent or handle deadlocks) -- and looking at the face of my colleagues when I announced that, a good proportion (maybe even the majority) never heard about that kind of stuff before (and they typically have been programming for >5 years)

It disturbed me a little because this is the kind of stuff you learn in school, and they all have been there. Maybe they did not paid enough attention. Given the kind of programs we are writing, I could be rejecting candidates who don't cite deadlocks has a classic problem, and give a locking order as a classic solution to avoid them, even if they are right out of school.

All of that to say: IMO "novice" or "experienced" C++ programmer very often bear the risk of not really predicting the ability to write correct and maintainable code, because for the experienced ones, they can very well never have had any serious approach or mentors to get them to a decent mindset, while at the same time a smart and motivated novice can quickly figure out more and more of what matters, given some predispositions, a proper mentor, and/or a project inducing that.

If you find some of the CERT rules basic, you will quickly find most of them in that case. However, they are still useful to be used as a checklist, or for programmers who don't care enough about programming, or simply have been busy implementing piles of features in some kind of spaghetti code (and fixing 10% of the resulting bugs during 75% of their time) during a decade, etc.

[daemin]

I get the feeling this comes out of the divide between people treating programming like a craft, and those treating it just as a means to get something working.

Those that treat it like a craft aim to understand what they are doing, how to do things better.

Those that treat it like "just a job" or a means to an end don't want to know or learn anything beyond what is immediately required to do the task.

An example could be using "git push --force" if git push returns with errors

[BudVVeezer]

What's considered critical or difficult to discover is a bit subjective, but:

It's easy to forget that alignment is important on some architectures (other than for performance reasons), so be careful when using placement new: https://www.securecoding.cert.org/confluence/display/cpluspl...

This may seem obvious, but even the C++ committee got this one wrong when they created auto_ptr (which has since been removed from the standard): https://www.securecoding.cert.org/confluence/display/cpluspl...

This one is totally obvious but has a stunning number of ways you can fail to adhere to it, some of which look reasonable at first blush: https://www.securecoding.cert.org/confluence/display/cpluspl...

[duneroadrunner]

> This one is totally obvious but has a stunning number of ways you can fail to adhere to it, some of which look reasonable at first blush

If memory safety is actually important to you, there's now an actual practical solution: SaferCPlusPlus[1].

A tool to automatically retrofit memory safety to existing C/C++ code is in early development (but resources are limited so it might be a while).

[1] shameless plug: https://github.com/duneroadrunner/SaferCPlusPlus

[hermitdev]

I've not read through the CERT C++ rules (yet), but I highly recommend reading "Secure Coding in C and C++" [0]. Expectedly, there's a good discussion on bounds checking. But, nearly half the book is dedicated to integer underflow/overflow (and signed/unsigned) issues (which most devs either ignore or are oblivious to). It's not a panacea, but if you're write C/C++ without thinking about security and how things can go wrong, it can be a real eye opener.

[0] https://www.amazon.com/Secure-Coding-2nd-Software-Engineerin...

[duneroadrunner]

I haven't read the book. What's the gist of the recommendations for addressing those issues? SaferCPlusPlus addresses the signed/unsigned issue by providing compatible substitutes[1] for "int" and "size_t" that automatically handle it. And it addresses the integer underflow/overflow issue by recommending another compatible "int" substitute[2] and introducing the concept (but not yet the implementation) of "quarantined" types for untrusted input values.

[1] https://github.com/duneroadrunner/SaferCPlusPlus#cint-csize_...

[2] https://github.com/robertramey/safe_numerics

[hermitdev]

A lot of it involves techniques for detecting that overflow will occur (without actually doing the computation - because in C/C++, once you've signed overflow, you're already into undefined behavior).

[nickpsecurity]

Just found slides of the integer stuff, too, for anyone without the book.

http://www.sis.pitt.edu/jjoshi/courses/IS2620/Spring07/Lectu...

[koja86]

I think it is pretty basic but with nice explanations, examples, it's pretty complete and it is free so you can basically hand it to someone willing to learn these things.

Some recommendations seem little bit like "don't make mistakes" but still I like it.

[wyldfire]

I've not got experience w/CERT C++, so caveats. IMO, the major utility in releasing these guidelines publicly is that developers of clang-tidy and other open source static checkers can freely access the guides that will allow them to check for compliance.

Kudos to the SEI.