12

I am looking for a comprehensive record of secure coding practices in C++. Since I haven't found such a list existing here already, we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues like stack- and heap-based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc.

NB: Besides coding practices, secure libraries that defend against these kinds of attacks are worth mentioning too.

LE: As suggested by MSalters in comments, this question has been split into two separate questions, one for C++ and one for C. Also see Secure C coding practices.

Community
Shinnok
  • If you're intending to make such a list, I recommend making two. C and C++ need entirely different lists. You can't recommend "Use `std::string` instead of `char*`" to C programmers. – MSalters Jan 24 '11 at 09:43
  • Maybe books from here: http://stackoverflow.com/questions/388242/the-definitive-c-book-guide-and-list – rve Jan 24 '11 at 09:46
  • @MSalters that's a good point, though it's kind of hard to do that now that we have replies and comments rolling. Any ideas how I can split them the right way, without losing the current activity? – Shinnok Jan 24 '11 at 10:12
  • Split done. This one has been converted to a C++ one since most of the C only answers already here can be applied to C++ too, but not otherwise. C only question can be found at http://stackoverflow.com/questions/4780873/secure-c-coding-practices. – Shinnok Jan 24 '11 at 10:23
  • Consider adding a C++-faq tag. –  Jan 24 '11 at 14:19
  • @Will: Please do not use the `c++-faq` tag lightly. We strive to keep a small body of really frequently asked questions in there, rather than adding anything that seems interesting. – sbi Jan 25 '11 at 14:13
  • While a good question, it might be a better fit for programmers. – John Dibling Jan 25 '11 at 15:10

6 Answers

4

The book Writing Secure Code (only sample pages in this link) is very good at explaining security issues and how to avoid them. The book has been out for a while, but most of the topics covered are still relevant.

atakli
klynch
4

Herb Sutter "Exceptional C++" and "C++ Coding Standards". Invaluable.

Marshall Cline C++ faq. Will tell you everything about common pitfalls. Free online.

thorsten müller
1

The SEI CERT C++ Coding Standard is especially developed to cover all kinds of security issues. CERT stands for Computer Emergency Response Team, which is an expert group that handles computer security incidents.

atakli
Paul Jansen
1

I found this book very useful: Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More

It has a lot of examples for both Linux (POSIX) and Windows, unlike the previously mentioned Writing Secure Code, Second Edition.

atakli
1

The Joint Strike Fighter Air Vehicle C++ Coding Standards is a good start, even though it does apply mostly to reliability rather than security.

0

Let me kick it off

  • Avoid dynamically allocated memory using malloc
  • (related) use fixed size arrays whenever possible, or in fact in C++ avoid C style arrays when practical
  • avoid the use of (void *)
hhafez
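The practices listed in the last answer, together with the integer-overflow concern from the question, as an added example that is not part of the original thread. The names `Record`, `parse_record`, `checked_add` and `kMaxPayload`, and the one-byte length-prefixed layout, are assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

constexpr std::size_t kMaxPayload = 16;  // assumed limit for this example

struct Record {
    std::array<std::uint8_t, kMaxPayload> payload{};  // fixed size, no malloc/free
    std::size_t length = 0;
};

// Typed, size-carrying input instead of (void* buf, int len).
// Constructed wire layout: [len: 1 byte][payload: len bytes]
bool parse_record(const std::vector<std::uint8_t>& in, Record& out) {
    if (in.empty()) return false;
    const std::size_t len = in[0];
    if (len > kMaxPayload) return false;    // would overflow out.payload
    if (len > in.size() - 1) return false;  // would read past the input
    out.length = len;
    for (std::size_t i = 0; i < len; ++i)
        out.payload.at(i) = in.at(1 + i);   // at() throws instead of corrupting memory
    return true;
}

// Unsigned addition that reports wrap-around instead of silently wrapping.
bool checked_add(std::uint32_t a, std::uint32_t b, std::uint32_t& sum) {
    if (a > std::numeric_limits<std::uint32_t>::max() - b) return false;
    sum = a + b;
    return true;
}

int main() {
    Record r;
    const std::vector<std::uint8_t> ok = {3, 'a', 'b', 'c'};  // constructed input
    const std::vector<std::uint8_t> lying = {200, 'a'};       // length field lies
    std::uint32_t total = 0;
    const bool good = parse_record(ok, r) && !parse_record(lying, r)
                   && !checked_add(0xFFFFFFFFu, 1u, total);
    return good ? 0 : 1;
}
```

The length field is validated against both the destination capacity and the remaining input before any byte is copied, so `at()` only acts as a second line of defence.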