Coding Rules for Reliable Software

There are 74 critical coding and architecture weaknesses to avoid in source code because of their impact on the availability, fault tolerance, recoverability, and data integrity of an application. For those familiar with the Common Weakness Enumeration (CWE), a repository of known software weaknesses managed The MITRE Corporation, and a reference point for developers and tools, the Reliability standard includes 35 weaknesses and 39 child weaknesses ("children") that map back to the CWE and have CWE identifiers.

Reliability measures the risk of potential application failures and the stability of an application when confronted with unexpected conditions. Reliability is the degree to which a system, product, or component performs specified functions under specified conditions for a specified period of time. The reason for checking and monitoring Reliability is to prevent or at least reduce application downtime, outages, data corruption, and errors that directly affect users.

To follow the standard guidelines, your source code should NOT contain these 74 critical weaknesses known to severely impact reliability. Detection of these weaknesses can be automated on source code through static analysis.

Who Developed the Software Reliability Standard?

The project team was led by Dr. Bill Curtis, CISQ Founding Executive Director and Chief Scientist at CAST Research Labs. The team consisted of delegates from CISQ sponsor organizations Accenture, Atos, Booz Allen Hamilton, CAST, CGI, Cognizant, ISHPI, Northrop Grumman, Synopsys, Tech Mahindra, and Wipro in addition to experts from the Software Engineering Institute at Carnegie Mellon University and the Common Weakness Enumeration project at The MITRE Corporation.

Who is Using the Software Reliability Standard?

The standard is used by government and industry organizations including the U.S. Department of State, U.S. General Services Administration, U.S. Army, U.S. Air Force, Northrop Grumman, CGI, Cognizant, Tech Mahindra, Manulife, Telefonica, BNY Mellon, and others. The standard is freely available to use, reference, and download.

Which Tools Support the Code Quality Standards?

The code quality standards from CISQ are comprised of software weaknesses (CWEs) that can be detected in source code through static code analysis. CAST and Synopsys (tool vendors) contributed to development of the standards and support the standards in their tools. Most static analysis tools identify some, if not all, critical CWEs. Ask tool vendors about support for measuring CWEs and the CISQ standards for Reliability, Security, Performance Efficiency, and Maintainability.

Are you a tool vendor that supports CWEs and code quality standards? To be listed for reference, contact us.