Safeguard
Application Security

What is the CERT Secure Coding Standard

CERT secure coding standards give C, C++, and Java developers rule-by-rule guidance — with IDs, risk scores, and fix patterns — for avoiding exploitable bugs.

Bob
Application Security Engineer
1 min read

CERT Secure Coding Standard refers to a family of language-specific rule sets — for C, C++, Java, and Perl — maintained by the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute (SEI). Each standard documents specific coding errors that lead to undefined behavior, memory corruption, or exploitable vulnerabilities, and pairs every rule with a unique identifier (like ARR38-C or ERR33-C), a risk assessment, and compliant/noncompliant code examples. The C standard alone spans 14 categories, from preprocessor misuse (PRE) to environment handling (ENV), and static analysis vendors like LDRA, Klocwork, and Parasoft build certified checkers directly against it. Unlike CWE, which catalogs weakness types abstractly, CERT rules are actionable: they tell a developer exactly which function call or pattern to avoid and why. This post breaks down where the standard came from, how its rules are prioritized, and how it fits alongside CWE and MISRA in a modern AppSec program.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.