Secure Coding: The State of the Practice

Mark G. Graff

Prepared in 2001 for Para-Protect Services, Inc. [1]

Table of Contents

1.  Executive Summary
2.  Introduction
2.1  Problem Statement and Approach
2.2  About Sources For This Paper
3.  An Approach to Secure Coding
3.1  Introduction: What can be done
3.2  A Security Bestiary
3.2.1   Threats
3.2.2   General attacks
3.2.3   Trouble with environmental variables
4.  Elements of Secure Coding
4.1  Introduction
4.2  Architectural Principles
4.3  Design Ideas
4.4  Special Topics
4.4.1   Handling Temporary Files
4.4.2   Handling Privileges
4.4.3   Handling Random Numbers
4.5  Language-Specific Tips
4.5.1   C/C++ Tips
4.5.2   Java Tips
4.5.3   Perl/CGI Tips
4.6  Special Topics
4.6.1   Using Taint in Perl
4.6.2   Filtering Special Characters
4.6.3   Message Digests
4.6.4   Concerns About Setuid Shell Scripts
5.  Survey and Analysis of Related Standards
5.1  Standards bodies
5.2  Standards specific to secure coding
5.3  Other pertinent security standards
5.4  Pertinent quality assurance standards
5.5  Other resources
5.6  Details on selected existing standards, guidelines, and other resources
6.  Survey and Analysis of Available Literature
6.1  Best overall resources
6.2  Best resources for architecture
6.4  Best resources for programming methodology
6.5  Best resources for language- and platform-specific tips
6.6  Best resources for standards
7.  Survey and Analysis of Available Tools
7.1  The Status Quo
7.2  Approaches used by the tools
7.3  Leaders in the field
7.4  Product summaries from leading vendors
7.4.1   @stake
7.4.2   Cigital Security
7.4.3   University of Virginia
7.4.4   Avaya Labs Research
7.4.5   Rational Software
7.4.6   Wirex
7.4.7   Sanctum
7.4.8   Secure Labs, Inc.
7.4.9   Parasoft
7.5  Less popular, independent, and unsupported software
7.5.1   BOWall
7.5.2   bsyrin1
7.5.3   Buffy.pl
7.5.4   GCC bounds-checking patch
7.5.5   Pscan
7.5.6   StackShield
8.  Summary
8.1  Lessons learned
8.2  Directions for further study
9.  Bibliography
10.  Table of Acronyms

[1] Para-Protect Services, Inc., a network security services corporation, ceased operations in 2002. The current document is a non-proprietary version of an internal Para-Protect report.