ISO/IEC JTC 1/SC 22/OWG:Vulnerabilities

Maintained by
Jim Moore,
James.W.Moore@ieee.org


ISO/IEC Project 22.24772:
Guidance for Avoiding Vulnerabilities through Language Selection and Use

All programming languages have constructs that are undefined, imperfectly defined, implementation-dependent, or difficult to use correctly. As a result, software programs can execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by an attacker to compromise the safety, security, and privacy of a system.

The OWGV project is preparing comparative guidance spanning multiple programming languages, so that application developers will be better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. This guidance can also be used by developers to select source code evaluation tools that can discover and eliminate coding errors that lead to vulnerabilities.

The project is preparing an ISO/IEC Technical Report containing guidance to users of programming languages on how to avoid the vulnerabilities that exist in the programming language selected for a particular project. The document is tentatively scheduled for publication in January, 2009.

Currently, the group enjoys the participation of representatives from many of the important programming languages and hopes to attract more. The group plans to obtain information about vulnerabilities and their treatment from initiatives such as the Common Vulnerabilities and Exposures database and the CERT Secure Coding Initiative.

The work of OWG:Vulnerabilities is supplemented by an archived mailer and by a wiki.


Project Organization

ISO / IEC JTC1 / SC22 has the scope of "programming languages and their environments". The OWG:Vulnerabilities (OWGV) is a working group reporting to SC 22. It has been assigned responsibility for project 22.24772 to write "Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use." More information regarding the project can be found in our FAQ.

Because the group is an OWG (Other Working Group) rather than the more typical WG (Working Group), the parent body, SC 22, must explicitly decide to continue the OWGV at each annual meeting of SC 22.

Leadership:

SC 22 Officers:

  • Rex Jaeschke (Chair)
  • Sally Seitz, ANSI (Secretariat)

OWG:Vulnerabilities Officers:

  • John Benito (Convener)
  • Jim Moore (Secretariat)
(Email addresses are shown as images to prevent automatic harvesting.)

Identified Participants:

Many individuals have attended meetings or participated via email. The following persons are officers of OWGV or identified points of contact for participating organizations:

Participant             National Body  SC22 WG liaison         Other body or organization
John Benito (convener)
Ben Brosgol                                                     Java Community: JSR 282: RTSJ and JSR 302: Safety Critical Java Technology
Paul Caseley                                                    UK MOD
Rod Chapman                                                     SPARK
Franco Gasperoni        France
Cesar Gonzalez-Perez                                            ISO/IEC JTC1 / SC7 / WG19
Roman Grahle            Germany
Chris Hills                                                     MISRA C
Kiyoshi Ishihata        Japan
Rex Jaeschke            US
Derek Jones             UK
Stephen Michell         Canada
Ed de Moel                                                      MDC (MUMPS)
Jim Moore (secretary)
Dan Nagle                              WG5 (Fortran)           J3 (Fortran)
Erhard Ploedereder                     WG9 (Ada)               Ada-Europe
Tom Plum                               WG14 (C), WG21 (C++)*   ECMA TC39 / TG2 (C#)
Clive Pygott                                                    MISRA C++
Robert Seacord                                                  CERT
Bill Spees                                                      US FDA
Nick Stoughton                         SC22 (POSIX)            Austin Group
Barry Tauber                           WG4 (Cobol)             J4 (Cobol)
Tullio Vardanega        Italy

(The "National Body" column lists the nation for which the participant is the point of contact; see the table of national body contacts below.)
* Additional liaison representatives from WG21 include: Matt Austern, Steve Clamage, Richard Corden, Gabriel Dos Reis, Nick Maclaren, Thorsten Ottosen, P. J. Plauger, PremAnand Rao, Mike Spertus, Bjarne Stroustrup, and Detlef Vollman.

Those interested in representing their national body or participating in a national "shadow group" should contact the standards body of the nation in which they reside or work. In the case of the following nations, a point of contact has been identified. (All email addresses are shown as images to discourage automatic harvesting of them):

Nation   Standards body   Point of contact
Canada   SCC              Steve Michell
France   AFNOR            Franco Gasperoni
Germany  DIN              Roman Grahle
Italy    UNI              Tullio Vardanega
Japan    JSA              Kiyoshi Ishihata
UK       BSI IST-5        Derek Jones
USA      INCITS CT22      Rex Jaeschke

Status of Formal Standards Process

Completed

[Listed in reverse chronological order]
28 Sep 2007 SC22 plenary: Resolution 07-09 renewed the OWGV for another year of work. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat. Resolution 07-10 registered PDTR 24772. [N0110]
21 Sep 2006 SC22 renewed the OWGV for another year of work [N0045]. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat.
13 Mar 2006 Prepared disposition of the comments received on New Work Item Proposal [N0007]
6 Oct 2005 Plan for "Moving Forward" [N0004]
5 Oct 2005 SC22 Secretariat announced balloting results, assigned the project number and directed OWG:Vulnerabilities to begin work [N0002]:

    Please note that this project has been assigned the ISO/IEC designation "24772". The OWG: Vulnerabilities is instructed to begin work on this project and prepare a disposition of comments for those National Body comments received on the SC 22 ballot.

2 Oct 2005 SC22 created OWG:Vulnerabilities to perform project [N0003]. Jim Moore was named as convener.
Jun-Sep 2005 New Work Item Proposal was balloted by SC22 and JTC1 to authorize project. [N0001]

History

The work of the study group leading to creation of the OWGV is summarized on the History page.


Disclaimer: Most of the items contained in this web site and its associated files and directories are preliminary working material of ISO/IEC JTC 1/SC 22, subject to review and correction.

The web site is maintained for the convenience of the participants in SC 22/OWG:Vulnerabilities by:

James W. Moore, The MITRE Corporation, 7515 Colshire Drive, McLean, VA 22102, +1.703.983.7396, moorej@mitre.org, James.W.Moore@ieee.org.