Whitepaper: Accelerating MISRA C & SEI CERT C Compliance with Dedicated Reporting and Workflow Management

There are lots of coding standards to choose from. Choose the right coding standard for your project to establish a baseline for quality and achieve compliance.

Learn how to reduce the manual effort of documenting and reporting compliance to auditors and assessors with automated, developer-centric workflows that enhance the static analysis process and accelerate compliance activities.

Know where you stand with security coding standards

Download the whitepaper to find out how to minimize the burden of introducing a coding standard into your workflow.

Focus areas:
  • How to choose a coding standard
  • What compliance really means
  • MISRA compliance requirements
  • SEI CERT C conformance
  • How to accelerate compliance with workflow management

There are many coding standards to choose from: MISRA, SEI CERT, AUTOSAR, JSF, UL 2900 and others. Is there one good coding standard to use for safety and security? What if the project needs to comply with more than one coding standard? The recommended best practice is to associate certain coding guidelines with a specific goal for code compliance, such as safety or security.

MISRA and AUTOSAR C++ are for improving safety while SEI CERT is used for improving security. However, there is a significant overlap between these standards. MISRA C 2012 covers security quite well. Yet, CERT has broader support for security and treats the subject more thoroughly.

In general, it’s not recommended to strive for compliance with more than one standard, mostly because of the overlap. However, it’s feasible to pick one primary standard and extend it with selected guidelines from other standards that make sense for the project.

What qualifies as MISRA or CERT compliant? How do you provide due diligence and adherence? It’s best to have a clear definition of compliance to a specified standard if you’re developing a software for external customers. The definition of compliance should be an inherent, precisely defined part of business negotiations. Luckily, in some cases, the standards themselves provide such guidance.

In response to ambiguity about compliance requirements, a dedicated document titled MISRA Compliance 2016: Achieving Compliance with MISRA Coding Guidelines was created to clarify requirements. This document precisely defines how to achieve compliance and what kind of documentation shall be prepared to prove achieved compliance.

The SEI CERT C coding standard does not require a lot of documentation to claim compliance:

“Conformance to the CERT C Coding Standard requires that the code not contain any violations of the rules specified in this standard. If an exceptional condition is claimed, the exception must correspond to a predefined exceptional condition, and the application of this exception must be documented in the source code.”

A typical developer workflow during active software development consists of coding, local unit testing, submitting code to source control, initiating a continuous integration (CI) build and receiving feedback from such a build, fixing errors, and continuing to the next function to implement. Introducing a coding standard into this process is time-consuming and intrusive. As a result, many of industry standards highly recommend automated static analysis to help enforce and document coding standard compliance.

  • Parasoft C/C++test provides dedicated reporting for documenting compliance to MISRA C. A dashboard on the Parasoft web portal provides at-a-glance views on the current state of the project. Each of these dashboard widgets is linkable to a more detailed view such detailed violation reports, files and source code.

Parasoft C/C++test also provides the necessary reports needed to document MISRA compliance as outlined in MISRA Compliance 2016: Achieving Compliance with MISRA Coding Guidelines. Automating these reports is a major time saver, greatly reducing the amount of manual work required to document project compliance.

  • Although the SEI CERT C standard doesn’t require specific compliance reports it does require a project to document conformance to the rulesets (e.g. L1, L2 and fully compliant.) Parasoft C/ C++test includes a dedicated dashboard for CERT C conformance.

Team leads can use this dashboard view to dig deeper into specific areas of concern and assign tasks to developers to increase conformance over time. Viewing the results in context of the risk assessment framework used by the coding standard itself (for instance, seeing specific violations of L1 guidelines), significantly streamlines the process. Automating this reporting reduces the amount of analysis team leads and architects need to perform in order to achieve CERT C conformance.

Safety critical projects may emphasize a standard such as MISRA C, but also include critical rules from a security standard such as SEI CERT C. To accelerate compliance, two elements are essential:

  1. Short feedback loops for developers working with IDEs
  2. CI/CD scans for process management and reports generation.

Automation via static analysis is key to not only achieving compliance/conformance to the rule set but also reducing the manual effort of documenting and reporting compliance to auditors and assessors. The approach recommended in this paper includes an augmented developer workflow that leverages Parasoft C/C++test to help assess and monitor compliance on a daily basis, with dedicated reporting tools to support teams in managing and achieving compliance.

About Parasoft

Parasoft helps organizations continuously deliver quality software with its market-proven, integrated suite of automated software testing tools. Supporting the embedded, enterprise, and IoT markets, Parasoft’s technologies reduce the time, effort, and cost of delivering secure, reliable, and compliant software by integrating everything from deep code analysis and unit testing to web UI and API testing, plus service virtualization and complete code coverage, into the delivery pipeline. Bringing all this together, Parasoft’s award winning reporting and analytics dashboard delivers a centralized view of quality enabling organizations to deliver with confidence and succeed in today’s most strategic ecosystems and development initiatives — security, safety-critical, Agile, DevOps, and continuous testing.