Carnegie Mellon Uni emits 'don't be stupid' list for C++ developers
Your hefty guide to avoiding the mistakes everyone makes
Carnegie Mellon University's Software Engineering Institute has followed up its secure C programming rules from last year with a similar set of standards for C++.
In the institute's announcement on Wednesday, it says it has put ten years into researching secure coding. The resulting SEI CERT C++ Coding Standard has 83 rules specific to features of C++ that aren't in C.
This is no mere listicle: it weighs in at 435 pages filled with rules for declarations and initialisation; expressions; integers; containers; characters and strings; memory management; I/O; exceptions and error handling; object-oriented programming; concurrency; and miscellaneous rules such as “don't use std::rand() for generating pseudo-random numbers”.
As the document notes, the standard “is an essential element of coding in the C++ programming language … Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes).”
“This newly released C++ standard adds to our previously released C standard secure coding guidance for features that are unique to the C++ language. For example, this standard has guidance for object oriented programming and containers,” said CERT's Robert Schiela, technical manager, Secure Coding, in the canned release. “It also contains guidance for features that were added to C++14, like lambda objects.”
While specific to C++14, the guidelines in the standard can be applied to older versions, back to C++11.
The document's also available as a wiki.