Found 2 comments on HN
generic_user · 2017-04-06 · Original thread
Its a bit tricky I think.

> A secure coding standard form CERT should focus entirely on describing conventions and program properties that do not already follow from the standard as a matter of correctness.

from CERT 1.7 "The wiki also contains two platform-specific annexes at the time of this writing; one annex for POSIX and one for Windows. These annexes have been omitted from this standard because they are not part of the core standard."

So while the CERT does use some examples from system interfaces its not a standard for programming the system interfaces for POSIX or Windows. It looks like there trying to limit the standard to ISO C. The examples you gave fall into the system interface category. POSIX is huge and the same for Windows, much bigger then ISO C.

I think in order to explain conventions for a system interface you really need a longer form publication like a book. So you can take 50 pages to describe an interface and how to use it and show examples etc.

The best way that I have found to figure this stuff out is the standard way. You get a copy of all the relevant standards as a foundation, ISO, POSIX, Window and stuff like CERT. Then you you get some of the system programming books (listed below). Then you find get some good reference code that show best practice. usually code from the operating system or utilities. Lastly read all the compiler docs and tool docs to set up the best code analysis framework you can.

These are a few system programming books that I use.

(best intro book) GNU/Linux Application Programming https://www.amazon.com/GNU-Linux-Application-Programming/dp/...

UNIX Systems Programming https://www.amazon.com/UNIX-Systems-Programming-Communicatio...

Advanced Programming in the UNIX Environment https://www.amazon.com/Advanced-Programming-UNIX-Environment...

Windows System Programming https://www.amazon.com/Programming-Paperback-Addison-Wesley-...

The Linux Programming Interface http://www.man7.org/tlpi/

edit: I'm not sure your skill level, you may have seen all of those but I posted them regardless. There is a lot of security and convention in those books.

gte910h · 2010-03-23 · Original thread
This post only contains non-aff links

While I'm certainly good at C, and have been the guy people asked the C and C toolchain questions at a couple places I've worked, I'd say you're in for more than 1 book to grok the topics you've expressed interest in, and haven't met the single book that does all you want.

1: If you're a python programmer, I do suggest staying with pure C and AWAY from C++. You have little use case for it if you can mix python and C and it is literally pain incarnate while you do not know every little bit of it and/or work with people who do not know every little bit of it.

2: Secondly, a single book on C will not get you where you're going. You will need several.

3: I'd stick with K&R for reference, but then go to the following two books for threading and all the other stuff like networking:

You need these two books to get down C and it's ecosystem (make, autotools, etc): Advanced Unix Programming by Rochkind (Really good explanation of signals especially): http://www.amazon.com/Advanced-UNIX-Programming-Marc-Rochkin...

Gnu/Linux Application Programming by M. Tim Jones (Recovers some of the same stuff as AUP, but does better with the toolchain): http://www.amazon.com/GNU-Linux-Application-Programming/dp/1...

If you want to go more advanced, this is likely the correct book: Advanced Programming in the Unix Environment: http://www.amazon.com/Advanced-Programming-UNIX-Environment-...

Although if you're diving deep into networking, this is likely the correct book: Unix Networking Programming: Vol I by Stevens:

http://www.amazon.com/Unix-Network-Programming-Sockets-Netwo...

Get dozens of book recommendations delivered straight to your inbox every Thursday.