ISO/IEC 24772-1:2024
Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities
This document enumerates approaches and techniques to avoid software programming language vulnerabilities in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, the description of the vulnerabilities and description of avoidance mechanisms are applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.
Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation — Partie 1: Catalogue de vulnérabilités indépendant du langage
General Information
- Status: Published
- Publication Date: 28-Oct-2024
- Current Stage: 6060 - International Standard published
- Start Date: 29-Oct-2024
- Due Date: 19-Nov-2024
- Completion Date: 29-Oct-2024
Relations
- Effective Date: 06-Jun-2022
Overview
ISO/IEC 24772-1:2024 is an international standard from ISO and IEC addressing the critical need for identifying and mitigating vulnerabilities inherent in programming languages. Titled “Programming languages - Avoiding vulnerabilities in programming languages - Part 1: Language-independent catalogue of vulnerabilities”, this standard provides a comprehensive, language-neutral catalogue of vulnerabilities that may affect the security, safety, and reliability of software systems.
The scope of ISO/IEC 24772-1:2024 includes a detailed enumeration of common programming language vulnerabilities and the description of strategies and practices to avoid them. It is designed for use in the development, review, and maintenance of systems requiring assured behaviour, such as security-critical, safety-critical, mission-critical, and business-critical applications. The standard is applicable to software developed in any programming language, offering universally applicable guidance.
Key Topics
ISO/IEC 24772-1:2024 covers a broad spectrum of language-independent vulnerabilities and highlights mechanisms to mitigate them. Key topics include:
Vulnerability Identification
Systematic descriptions of vulnerabilities such as buffer overflows, unchecked array accesses, null pointer dereferences, conversion errors, dead code, and naming issues.
Avoidance and Mitigation Techniques
General and specific strategies to avoid or reduce the impact of vulnerabilities, including coding guidelines, static analysis recommendations, and language feature usage.
Mechanisms of Failure
Insights into how failures manifest from misused language constructs, unpredictable behaviour, or improper handling of data types and control flows.
Applicability across Languages
Vulnerabilities and mitigation strategies are described in a generic way, making them relevant regardless of the programming language or platform in use.
Implications for Language Design
Guidance and implications for the evolution of programming languages and recommendations for language designers to reduce inherent risks.
Applications
The practical value of ISO/IEC 24772-1:2024 extends to multiple domains where software reliability and security are paramount.
Secure Software Development
Enables software engineers and architects to recognize and mitigate vulnerabilities at all stages of the software development lifecycle, regardless of the chosen programming language.
Safety-Related and Mission-Critical Systems
Essential for the development and certification of systems in sectors such as automotive, aerospace, healthcare, and industrial automation.
Software Reviews & Audits
Provides a structured framework for code review, static analysis, and auditing processes focused on vulnerability detection and risk mitigation.
Training & Best Practices
Serves as reference material for developing organizational coding standards, developer training programs, and fostering a culture of secure programming.
Programming Language Design & Evolution
Valuable for language designers and compiler developers aiming to enhance security features and reduce typical pitfalls across existing and new programming languages.
Related Standards
ISO/IEC 24772-1:2024 is part of an evolving family of international standards on programming languages and software quality. Related standards include:
- ISO/IEC 27001 – Information Security Management Systems
- ISO/IEC 12207 – Software Life Cycle Processes
- ISO/IEC 15408 – Common Criteria for IT Security Evaluation
- ISO/IEC 25000 – Systems and Software Quality Requirements and Evaluation (SQuaRE)
- ISO/IEC 24772-2 – Further parts in the 24772 series, potentially covering language-specific vulnerabilities
By adhering to ISO/IEC 24772-1:2024, organizations can strengthen their approach to secure coding, contribute to safer software ecosystems, and align with recognized best practices in software assurance and cybersecurity.
Frequently Asked Questions
ISO/IEC 24772-1:2024 is a standard published by the International Organization for Standardization (ISO). Its full title is "Programming languages — Avoiding vulnerabilities in programming languages — Part 1: Language-independent catalogue of vulnerabilities". Its scope, as given in the abstract, is as follows: This document enumerates approaches and techniques to avoid software programming language vulnerabilities in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, the description of the vulnerabilities and description of avoidance mechanisms are applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.
ISO/IEC 24772-1:2024 is classified under the following ICS (International Classification for Standards) categories: 35.060 - Languages used in information technology. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 24772-1:2024 has the following relationship with other standards: it has an inter-standard link to ISO/IEC TR 24772-1:2019. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
ISO/IEC 24772-1:2024 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
International Standard
ISO/IEC 24772-1
First edition
2024-10
Programming languages — Avoiding vulnerabilities in programming languages —
Part 1: Language-independent catalogue of vulnerabilities
Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation — Partie 1: Catalogue de vulnérabilités indépendant du langage
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
3.1 Communication .1
3.2 Execution model .1
3.3 Properties .2
3.4 Safety and security .3
3.5 Vulnerabilities .3
3.6 Specific vulnerabilities .3
4 Using this document . 4
4.1 Purpose of this document .4
4.2 Applying this document .5
4.3 Structure of this document .6
5 General vulnerability issues and primary avoidance mechanisms . 7
5.1 General vulnerability issues .7
5.1.1 Predictable execution .7
5.1.2 Sources of unpredictability in language specification .8
5.1.3 Sources of unpredictability in language usage .9
5.2 Primary avoidance mechanisms .9
6 Programming language vulnerabilities . 11
6.1 General .11
6.2 Type system [IHN]. 12
6.2.1 Description of application vulnerability . 12
6.2.2 Related coding guidelines . 12
6.2.3 Mechanism of failure . 12
6.2.4 Applicable language characteristics . 13
6.2.5 Avoiding the vulnerability or mitigating its effects . 13
6.2.6 Implications for language design and evolution .14
6.3 Bit representations [STR] .14
6.3.1 Description of application vulnerability .14
6.3.2 Related coding guidelines .14
6.3.3 Mechanism of failure . 15
6.3.4 Applicable language characteristics . 15
6.3.5 Avoiding the vulnerability or mitigating its effects . 15
6.3.6 Implications for language design and evolution .16
6.4 Floating-point arithmetic [PLF] .16
6.4.1 Description of application vulnerability .16
6.4.2 Related coding guidelines .16
6.4.3 Mechanism of failure .16
6.4.4 Applicable language characteristics .17
6.4.5 Avoiding the vulnerability or mitigating its effects .17
6.4.6 Implications for language design and evolution .18
6.5 Enumerator issues [CCB] .18
6.5.1 Description of application vulnerability .18
6.5.2 Related coding guidelines .19
6.5.3 Mechanism of failure .19
6.5.4 Applicable language Characteristics .19
6.5.5 Avoiding the vulnerability or mitigating its effects . 20
6.5.6 Implications for language design and evolution . 20
6.6 Conversion errors [FLC] . 20
6.6.1 Description of application vulnerability . 20
6.6.2 Related coding guidelines . 20
6.6.3 Mechanism of failure .21
6.6.4 Applicable language characteristics .21
6.6.5 Avoiding the vulnerability or mitigating its effects .21
6.6.6 Implications for language design and evolution . 22
6.7 String termination [CJM] . 22
6.7.1 Description of application vulnerability . 22
6.7.2 Related coding guidelines . 22
6.7.3 Mechanism of failure . 22
6.7.4 Applicable language characteristics . 22
6.7.5 Avoiding the vulnerability or mitigating its effects . 23
6.7.6 Implications for language design and evolution . 23
6.8 Buffer boundary violation (buffer overflow) [HCB] . 23
6.8.1 Description of application vulnerability . 23
6.8.2 Related coding guidelines . 23
6.8.3 Mechanism of failure .24
6.8.4 Applicable language characteristics .24
6.8.5 Avoiding the vulnerability or mitigating its effects .24
6.8.6 Implications for language design and evolution . 25
6.9 Unchecked array indexing [XYZ] . 25
6.9.1 Description of application vulnerability . 25
6.9.2 Related coding guidelines . 25
6.9.3 Mechanism of failure . 25
6.9.4 Applicable language characteristics . 26
6.9.5 Avoiding the vulnerability or mitigating its effects . 26
6.9.6 Implications for language designers . 26
6.10 Unchecked array copying [XYW] .27
6.10.1 Description of application vulnerability .27
6.10.2 Related coding guidelines .27
6.10.3 Mechanism of failure .27
6.10.4 Applicable language characteristics .27
6.10.5 Avoiding the vulnerability or mitigating its effects . 28
6.10.6 Implications for language design and evolution . 28
6.11 Pointer type conversions [HFC] . 28
6.11.1 Description of application vulnerability . 28
6.11.2 Related coding guidelines . 28
6.11.3 Mechanism of failure . 29
6.11.4 Applicable language characteristics . 29
6.11.5 Avoiding the vulnerability or mitigating its effects . 29
6.11.6 Implications for language design and evolution . 29
6.12 Pointer arithmetic [RVG] . 29
6.12.1 Description of application vulnerability . 29
6.12.2 Related coding guidelines . 29
6.12.3 Mechanism of failure . 29
6.12.4 Applicable language characteristics . 30
6.12.5 Avoiding the vulnerability or mitigating its effects . 30
6.12.6 Implications for language design and evolution . 30
6.13 Null pointer dereference [XYH] . 30
6.13.1 Description of application vulnerability . 30
6.13.2 Related coding guidelines . 30
6.13.3 Mechanism of failure . 30
6.13.4 Applicable language characteristics . 30
6.13.5 Avoiding the vulnerability or mitigating its effects . 30
6.13.6 Implications for language design and evolution .31
6.14 Dangling reference to heap [XYK] . 31
6.14.1 Description of application vulnerability .31
6.14.2 Related coding guidelines .31
6.14.3 Mechanism of failure .31
6.14.4 Applicable language characteristics .32
6.14.5 Avoiding the vulnerability or mitigating its effects .32
6.14.6 Implications for language design and evolution .32
6.15 Arithmetic wrap-around error [FIF] . 33
6.15.1 Description of application vulnerability . 33
6.15.2 Related coding guidelines . 33
6.15.3 Mechanism of failure . 33
6.15.4 Applicable language characteristics . 34
6.15.5 Avoiding the vulnerability or mitigating its effects . 34
6.15.6 Implications for language design and evolution . 34
6.16 Using shift operations for multiplication and division [PIK] . 34
6.16.1 Description of application vulnerability . 34
6.16.2 Related coding guidelines . 34
6.16.3 Mechanism of failure . 34
6.16.4 Applicable language characteristics . 34
6.16.5 Avoiding the vulnerability or mitigating its effects . 35
6.16.6 Implications for language design and evolution . 35
6.17 Choice of clear names [NAI] . 35
6.17.1 Description of application vulnerability . 35
6.17.2 Related coding guidelines . 36
6.17.3 Mechanism of Failure . 36
6.17.4 Applicable language characteristics . 36
6.17.5 Avoiding the vulnerability or mitigating its effects . 36
6.17.6 Implications for language design and evolution .37
6.18 Dead store [WXQ] .37
6.18.1 Description of application vulnerability .37
6.18.2 Related coding guidelines .37
6.18.3 Mechanism of failure .37
6.18.4 Applicable language characteristics .37
6.18.5 Avoiding the vulnerability or mitigating its effects . 38
6.18.6 Implications for language design and evolution . 38
6.19 Unused variable [YZS] . 38
6.19.1 Description of application vulnerability . 38
6.19.2 Related coding guidelines . 38
6.19.3 Mechanism of failure . 38
6.19.4 Applicable language characteristics . 38
6.19.5 Avoiding the vulnerability or mitigating its effects . 38
6.19.6 Implications for language design and evolution . 39
6.20 Identifier name reuse [YOW] . 39
6.20.1 Description of application vulnerability . 39
6.20.2 Related coding guidelines . 39
6.20.3 Mechanism of failure . 39
6.20.4 Applicable language characteristics . 40
6.20.5 Avoiding the vulnerability or mitigating its effects . 40
6.20.6 Implications for language design and evolution . 40
6.21 Namespace issues [BJL] .41
6.21.1 Description of application vulnerability .41
6.21.2 Related coding guidelines .41
6.21.3 Mechanism of Failure .41
6.21.4 Applicable language characteristics .41
6.21.5 Avoiding the Vulnerability or Mitigating its Effects .42
6.21.6 Implications for language design and evolution .42
6.22 Missing initialization of variables [LAV] .42
6.22.1 Description of application vulnerability .42
6.22.2 Related coding guidelines .42
6.22.3 Mechanism of failure .43
6.22.4 Applicable language characteristics .43
6.22.5 Avoiding the vulnerability or mitigating its effects .43
6.22.6 Implications for language design and evolution . 44
6.23 Operator precedence and associativity [JCW] . 44
6.23.1 Description of application vulnerability . 44
6.23.2 Related coding guidelines . 44
6.23.3 Mechanism of failure .45
6.23.4 Applicable language characteristics .45
6.23.5 Avoiding the vulnerability or mitigating its effects .45
6.23.6 Implications for language design and evolution .45
6.24 Side-effects and order of evaluation of operands [SAM] .45
6.24.1 Description of application vulnerability .45
6.24.2 Related coding guidelines . 46
6.24.3 Mechanism of failure . 46
6.24.4 Applicable language characteristics .47
6.24.5 Avoiding the vulnerability or mitigating its effects .47
6.24.6 Implications for language design and evolution .47
6.25 Likely incorrect expression [KOA] .47
6.25.1 Description of application vulnerability .47
6.25.2 Related coding guidelines .47
6.25.3 Mechanism of failure . 48
6.25.4 Applicable language characteristics . 48
6.25.5 Avoiding the vulnerability or mitigating its effects . 48
6.25.6 Implications for language design and evolution . 48
6.26 Dead and deactivated code [XYQ] . 49
6.26.1 Description of application vulnerability . 49
6.26.2 Related coding guidelines . 49
6.26.3 Mechanism of failure . 49
6.26.4 Applicable language characteristics . 50
6.26.5 Avoiding the vulnerability or mitigating its effects . 50
6.26.6 Implications for language design and evolution . 50
6.27 Switch statements and lack of static analysis [CLL] . 51
6.27.1 Description of application vulnerability .51
6.27.2 Related coding guidelines .51
6.27.3 Mechanism of failure .51
6.27.4 Applicable language characteristics .51
6.27.5 Avoiding the vulnerability or mitigating its effects .51
6.27.6 Implications for language design and evolution .52
6.28 Non-demarcation of control flow [EOJ] .52
6.28.1 Description of application vulnerability .52
6.28.2 Related coding guidelines .52
6.28.3 Mechanism of failure .52
6.28.4 Applicable language characteristics .52
6.28.5 Avoiding the vulnerability or mitigating its effects .52
6.28.6 Implications for language design and evolution . 53
6.29 Loop control variable abuse [TEX] . 53
6.29.1 Description of application vulnerability . 53
6.29.2 Related coding guidelines . 53
6.29.3 Mechanism of failure . 54
6.29.4 Applicable language characteristics . 54
6.29.5 Avoiding the vulnerability or mitigating its effects . 54
6.29.6 Implications for language design and evolution . 54
6.30 Off-by-one error [XZH] . 54
6.30.1 Description of application vulnerability . 54
6.30.2 Related coding guidelines . 55
6.30.3 Mechanism of failure . 55
6.30.4 Applicable language characteristics . 55
6.30.5 Avoiding the vulnerability or mitigating its effects . 55
6.30.6 Implications for language design and evolution . 55
6.31 Unstructured programming [EWD] . 56
6.31.1 Description of application vulnerability . 56
6.31.2 Related coding guidelines . 56
6.31.3 Mechanism of failure . 56
6.31.4 Applicable language characteristics . 56
6.31.5 Avoiding the vulnerability or mitigating its effects . 56
6.31.6 Implications for language design and evolution .57
6.32 Passing parameters and return values [CSJ] .57
6.32.1 Description of application vulnerability .57
6.32.2 Related coding guidelines .57
6.32.3 Mechanism of failure .57
6.32.4 Applicable language characteristics . 58
6.32.5 Avoiding the vulnerability or mitigating its effects . 58
6.32.6 Implications for language design and evolution .59
6.33 Dangling references to stack frames [DCM] . 59
6.33.1 Description of application vulnerability .59
6.33.2 Related coding guidelines .59
6.33.3 Mechanism of failure .59
6.33.4 Applicable language characteristics . 60
6.33.5 Avoiding the vulnerability or mitigating its effects . 60
6.33.6 Implications for language design and evolution . 60
6.34 Subprogram signature mismatch [OTR] .61
6.34.1 Description of application vulnerability .
...