modify an existing C code application that violates several C code rules and recommendations. Your task is to locate the issues, based on the readings for this course, identify the rule(s) or recommendation(s) being violated and then fix the code. You w
Week 5
Introduction
https://www.securecoding.cert.org/confluence/display/c/Introduction
Automatically Generated Code
https://www.securecoding.cert.org/confluence/display/c/Automatically+Generated+Code
Conformance Testing
https://www.securecoding.cert.org/confluence/display/c/Conformance+Testing
Deprecations
https://www.securecoding.cert.org/confluence/display/c/Deprecations
Development Process
https://www.securecoding.cert.org/confluence/display/c/Development+Process
Government Regulations
https://www.securecoding.cert.org/confluence/display/c/Government+Regulations
Risk Assessment
https://www.securecoding.cert.org/confluence/display/c/Risk+Assessment
Scope
https://www.securecoding.cert.org/confluence/display/c/Scope
System Qualities
https://www.securecoding.cert.org/confluence/display/c/System+Qualities
Taint Analysis
https://www.securecoding.cert.org/confluence/display/c/Taint+Analysis
Tool Selection and Validation
https://www.securecoding.cert.org/confluence/display/c/Tool+Selection+and+Validation
Usage
https://www.securecoding.cert.org/confluence/display/c/Usage
Vulnerability Metric
https://www.securecoding.cert.org/confluence/display/c/Vulnerability+Metric
Level 1 - Rules - Read the following subheadings on this site
https://www.securecoding.cert.org/confluence/display/c/EXP33-C.+Do+not+read+uninitialized+memory
EXP33-C. Do not read uninitialized memory
EXP34-C. Do not dereference null pointers
ARR38-C. Guarantee that library functions do not form invalid pointers
STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator
STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string
STR38-C. Do not confuse narrow and wide character strings and functions
MEM30-C. Do not access freed memory
MEM34-C. Only free memory allocated dynamically
FIO30-C. Exclude user input from format strings
FIO34-C. Distinguish between characters read from a file and EOF or WEOF
FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when successful
ENV32-C. All exit handlers must return normally
ENV33-C. Do not call system()
SIG30-C. Call only asynchronous-safe functions within signal handlers
ERR33-C. Detect and handle standard library errors
MSC32-C. Properly seed pseudorandom number generators
MSC33-C. Do not pass invalid data to the asctime() function
Week 6
Level 1 - Recommendations
https://www.securecoding.cert.org/confluence/display/c/PRE01-C.+Use+parentheses+within+macros+around+parameter+names
PRE01-C. Use parentheses within macros around parameter names
PRE02-C. Macro replacement lists should be parenthesized
PRE09-C. Do not replace secure functions with deprecated or obsolescent functions
PRE10-C. Wrap multistatement macros in a do-while loop
PRE11-C. Do not conclude macro definitions with a semicolon
DCL20-C. Explicitly specify void when a function accepts no arguments
EXP20-C. Perform explicit tests to determine success, true and false, and equality
INT17-C. Define integer constants in an implementation-independent manner
INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size
ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array
STR00-C. Represent characters using an appropriate type
STR02-C. Sanitize data passed to complex subsystems
STR06-C. Do not assume that strtok() leaves the parse string unchanged
STR07-C. Use the bounds-checking interfaces for string manipulation
MEM00-C. Allocate and free memory in the same module, at the same level of abstraction
FIO01-C. Be careful using functions that use file names for identification
FIO20-C. Avoid unintentional truncation when using fgets() or fgetws()
FIO21-C. Do not create temporary files in shared directories
ENV01-C. Do not make assumptions about the size of an environment variable
SIG02-C. Avoid using signals to implement normal functionality
Describe a Software Security Tool
Describe a software security tool you have used or are interested in using to help mitigate software vulnerabilities.
Provide the URL, the price, and the features. If possible, provide screenshots of actually using the tool.
Pick a tool that has not been described by another student, or provide additional details not listed in the other student's post.