CERT Secure Coding Standard refers to a family of language-specific rule sets — for C, C++, Java, and Perl — maintained by the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute (SEI). Each standard documents specific coding errors that lead to undefined behavior, memory corruption, or exploitable vulnerabilities, and pairs every rule with a unique identifier (like ARR38-C or ERR33-C), a risk assessment, and compliant/noncompliant code examples. The C standard alone spans 14 categories, from preprocessor misuse (PRE) to environment handling (ENV), and static analysis vendors like LDRA, Klocwork, and Parasoft build certified checkers directly against it. Unlike CWE, which catalogs weakness types abstractly, CERT rules are actionable: they tell a developer exactly which function call or pattern to avoid and why. This post breaks down where the standard came from, how its rules are prioritized, and how it fits alongside CWE and MISRA in a modern AppSec program.
Application Security
What is the CERT Secure Coding Standard
CERT secure coding standards give C, C++, and Java developers rule-by-rule guidance — with IDs, risk scores, and fix patterns — for avoiding exploitable bugs.
Bob
Application Security Engineer
1 min read
Related articles in Application Security
Application Security
Finding vulnerable code hidden inside shaded and uber JARs
JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.
July 16, 2026Read
Application Security
ESLint rules for detecting Trojan Source (bidi Unicode) attacks in JS/TS
A single invisible Unicode character can flip how code executes versus how it reads on screen. Here's how to configure ESLint to catch it.
July 16, 2026Read
Application Security
Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization
One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.
July 16, 2026Read
Never miss an update
Weekly insights on software supply chain security, delivered to your inbox.