ISO/IEC 24772-1:2024
(Main)Programming languages - Avoiding vulnerabilities in programming languages - Part 1: Language-independent catalogue of vulnerabilities
Programming languages - Avoiding vulnerabilities in programming languages - Part 1: Language-independent catalogue of vulnerabilities
This document enumerates approaches and techniques to avoid software programming language vulnerabilities in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, the description of the vulnerabilities and description of avoidance mechanisms are applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.
Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation — Partie 1: Catalogue de vulnérabilités indépendant du langage
General Information
- Status
- Published
- Publication Date
- 28-Oct-2024
- Current Stage
- 6060 - International Standard published
- Start Date
- 29-Oct-2024
- Due Date
- 19-Nov-2024
- Completion Date
- 29-Oct-2024
Relations
- Effective Date
- 06-Jun-2022
Overview
ISO/IEC 24772-1:2024 is a language-independent catalogue that enumerates vulnerabilities in programming languages and describes avoidance mechanisms for use in systems where assured behaviour is required (security, safety, mission‑critical and business‑critical software). The standard presents generic descriptions of vulnerabilities and their mechanisms of failure so the guidance can be applied across many programming languages, development processes, code review activities and toolchains.
Key topics
The document organizes practical, technical guidance into clear sections:
General vulnerability issues and primary avoidance mechanisms
- Predictable execution and sources of unpredictability in language specification and usage
- Strategies to reduce language-driven indeterminacy
Language‑independent catalogue of vulnerabilities
- Type system weaknesses and misuse
- Bit representations and platform-dependent effects
- Floating‑point arithmetic pitfalls
- Enumerator issues and conversion errors
- String termination and related string handling faults
- Buffer boundary violations (buffer overflows)
- Unchecked array indexing and copying
- Pointer type conversions and pointer arithmetic
- Null pointer dereference and similar runtime failures
For each vulnerability the standard provides:
- A generic description of the application vulnerability
- Related coding guidelines
- Mechanism of failure
- Applicable language characteristics
- Avoidance or mitigation measures
- Implications for language design and evolution
Applications
ISO/IEC 24772-1:2024 is intended to be used where predictable, safe and secure software behaviour is essential:
- Software developers and engineers implementing secure and safety‑critical systems
- Code reviewers and maintainers who need a language‑independent reference to spot common class vulnerabilities
- Language designers and implementers evaluating language features and evolution for safety/security implications
- Tool vendors and static analysis authors creating language‑agnostic checks for vulnerabilities
- Safety and security architects integrating coding guidance into assurance cases and development lifecycle
Practical benefits include improved secure coding practices, reduced runtime vulnerabilities (e.g., buffer overflows, unchecked indexing), and guidance that supports portability and deterministic behavior across platforms.
Related standards
This Part 1 is the language‑independent element of the ISO/IEC 24772 series. It complements language‑specific guidance, industry secure‑coding guidelines and organisational safety/security standards by providing a generic catalogue that can be mapped into language‑specific rules, coding standards and static analysis policies.
Keywords: programming languages, vulnerabilities, secure coding, buffer overflow, type system, floating‑point, language‑independent, ISO/IEC 24772-1, safety‑critical, mission‑critical.
Frequently Asked Questions
ISO/IEC 24772-1:2024 is a standard published by the International Organization for Standardization (ISO). Its full title is "Programming languages - Avoiding vulnerabilities in programming languages - Part 1: Language-independent catalogue of vulnerabilities". This standard covers: This document enumerates approaches and techniques to avoid software programming language vulnerabilities in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, the description of the vulnerabilities and description of avoidance mechanisms are applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.
This document enumerates approaches and techniques to avoid software programming language vulnerabilities in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. In general, the description of the vulnerabilities and description of avoidance mechanisms are applicable to the software developed, reviewed, or maintained for any application. Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.
ISO/IEC 24772-1:2024 is classified under the following ICS (International Classification for Standards) categories: 35.060 - Languages used in information technology. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 24772-1:2024 has the following relationships with other standards: It is inter standard links to ISO/IEC TR 24772-1:2019. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
ISO/IEC 24772-1:2024 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
International
Standard
ISO/IEC 24772-1
First edition
Programming languages — Avoiding
2024-10
vulnerabilities in programming
languages —
Part 1:
Language-independent catalogue of
vulnerabilities
Langages de programmation — Conduite pour éviter les
vulnérabilités dans les langages de programmation —
Partie 1: Catalogue de vulnérabilités indépendant du langage
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
3.1 Communication .1
3.2 Execution model .1
3.3 Properties .2
3.4 Safety and security .3
3.5 Vulnerabilities .3
3.6 Specific vulnerabilities .3
4 Using this document . 4
4.1 Purpose of this document .4
4.2 Applying this document .5
4.3 Structure of this document .6
5 General vulnerability issues and primary avoidance mechanisms . 7
5.1 General vulnerability issues .7
5.1.1 Predictable execution .7
5.1.2 Sources of unpredictability in language specification .8
5.1.3 Sources of unpredictability in language usage .9
5.2 Primary avoidance mechanisms .9
6 Programming language vulnerabilities.11
6.1 General .11
6.2 Type system [IHN]. 12
6.2.1 Description of application vulnerability . 12
6.2.2 Related coding guidelines . 12
6.2.3 Mechanism of failure . 12
6.2.4 Applicable language characteristics . 13
6.2.5 Avoiding the vulnerability or mitigating its effects . 13
6.2.6 Implications for language design and evolution .14
6.3 Bit representations [STR] .14
6.3.1 Description of application vulnerability .14
6.3.2 Related coding guidelines .14
6.3.3 Mechanism of failure . 15
6.3.4 Applicable language characteristics . 15
6.3.5 Avoiding the vulnerability or mitigating its effects . 15
6.3.6 Implications for language design and evolution .16
6.4 Floating-point arithmetic [PLF] .16
6.4.1 Description of application vulnerability .16
6.4.2 Related coding guidelines .16
6.4.3 Mechanism of failure .16
6.4.4 Applicable language characteristics .17
6.4.5 Avoiding the vulnerability or mitigating its effects .17
6.4.6 Implications for language design and evolution .18
6.5 Enumerator issues [CCB] .18
6.5.1 Description of application vulnerability .18
6.5.2 Related coding guidelines .19
6.5.3 Mechanism of failure .19
6.5.4 Applicable language Characteristics .19
6.5.5 Avoiding the vulnerability or mitigating its effects . 20
6.5.6 Implications for language design and evolution . 20
6.6 Conversion errors [FLC] . 20
6.6.1 Description of application vulnerability . 20
© ISO/IEC 2024 – All rights reserved
iii
6.6.2 Related coding guidelines . 20
6.6.3 Mechanism of failure .21
6.6.4 Applicable language characteristics .21
6.6.5 Avoiding the vulnerability or mitigating its effects .21
6.6.6 Implications for language design and evolution . 22
6.7 String termination [CJM] . 22
6.7.1 Description of application vulnerability . 22
6.7.2 Related coding guidelines . 22
6.7.3 Mechanism of failure . 22
6.7.4 Applicable language characteristics . 22
6.7.5 Avoiding the vulnerability or mitigating its effects . 23
6.7.6 Implications for language design and evolution . 23
6.8 Buffer boundary violation (buffer overflow) [HCB] . 23
6.8.1 Description of application vulnerability . 23
6.8.2 Related coding guidelines . 23
6.8.3 Mechanism of failure .24
6.8.4 Applicable language characteristics .24
6.8.5 Avoiding the vulnerability or mitigating its effects .24
6.8.6 Implications for language design and evolution . 25
6.9 Unchecked array indexing [XYZ] . 25
6.9.1 Description of application vulnerability . 25
6.9.2 Related coding guidelines . 25
6.9.3 Mechanism of failure . 25
6.9.4 Applicable language characteristics . 26
6.9.5 Avoiding the vulnerability or mitigating its effects . 26
6.9.6 Implications for language designers . 26
6.10 Unchecked array copying [XYW] .27
6.10.1 Description of application vulnerability .27
6.10.2 Related coding guidelines .27
6.10.3 Mechanism of failure .27
6.10.4 Applicable language characteristics .27
6.10.5 Avoiding the vulnerability or mitigating its effects . 28
6.10.6 Implications for language design and evolution . 28
6.11 Pointer type conversions [HFC] . 28
6.11.1 Description of application vulnerability . 28
6.11.2 Related coding guidelines . 28
6.11.3 Mechanism of failure . 29
6.11.4 Applicable language characteristics . 29
6.11.5 Avoiding the vulnerability or mitigating its effects . 29
6.11.6 Implications for language design and evolution . 29
6.12 Pointer arithmetic [RVG] . 29
6.12.1 Description of application vulnerability . 29
6.12.2 Related coding guidelines . 29
6.12.3 Mechanism of failure . 29
6.12.4 Applicable language characteristics . 30
6.12.5 Avoiding the vulnerability or mitigating its effects . 30
6.12.6 Implications for language design and evolution . 30
6.13 Null pointer dereference [XYH] . 30
6.13.1 Description of application vulnerability . 30
6.13.2 Related coding guidelines . 30
6.13.3 Mechanism of failure . 30
6.13.4 Applicable language characteristics . 30
6.13.5 Avoiding the vulnerability or mitigating its effects . 30
6.13.6 Implications for language design and evolution .31
6.14 Dangling reference to heap [XYK] . .31
6.14.1 Description of application vulnerability .31
6.14.2 Related coding guidelines .31
6.14.3 Mechanism of failure .31
6.14.4 Applicable language characteristics .32
© ISO/IEC 2024 – All rights reserved
iv
6.14.5 Avoiding the vulnerability or mitigating its effects .32
6.14.6 Implications for language design and evolution .32
6.15 Arithmetic wrap-around error [FIF] . 33
6.15.1 Description of application vulnerability . 33
6.15.2 Related coding guidelines . 33
6.15.3 Mechanism of failure . 33
6.15.4 Applicable language characteristics . 34
6.15.5 Avoiding the vulnerability or mitigating its effects . 34
6.15.6 Implications for language design and evolution . 34
6.16 Using shift operations for multiplication and division [PIK] . 34
6.16.1 Description of application vulnerability . 34
6.16.2 Related coding guidelines . 34
6.16.3 Mechanism of failure . 34
6.16.4 Applicable language characteristics . 34
6.16.5 Avoiding the vulnerability or mitigating its effects . 35
6.16.6 Implications for language design and evolution . 35
6.17 Choice of clear names [NAI] . 35
6.17.1 Description of application vulnerability . 35
6.17.2 Related coding guidelines . 36
6.17.3 Mechanism of Failure . 36
6.17.4 Applicable language characteristics . 36
6.17.5 Avoiding the vulnerability or mitigating its effects . 36
6.17.6 Implications for language design and evolution .37
6.18 Dead store [WXQ] .37
6.18.1 Description of application vulnerability .37
6.18.2 Related coding guidelines .37
6.18.3 Mechanism of failure .37
6.18.4 Applicable language characteristics .37
6.18.5 Avoiding the vulnerability or mitigating its effects . 38
6.18.6 Implications for language design and evolution . 38
6.19 Unused variable [YZS] . 38
6.19.1 Description of application vulnerability . 38
6.19.2 Related coding guidelines . 38
6.19.3 Mechanism of failure . 38
6.19.4 Applicable language characteristics . 38
6.19.5 Avoiding the vulnerability or mitigating its effects . 38
6.19.6 Implications for language design and evolution . 39
6.20 Identifier name reuse [YOW] . 39
6.20.1 Description of application vulnerability . 39
6.20.2 Related coding guidelines . 39
6.20.3 Mechanism of failure . 39
6.20.4 Applicable language characteristics . 40
6.20.5 Avoiding the vulnerability or mitigating its effects . 40
6.20.6 Implications for language design and evolution . 40
6.21 Namespace issues [BJL] .41
6.21.1 Description of application vulnerability .41
6.21.2 Related coding guidelines .41
6.21.3 Mechanism of Failure .41
6.21.4 Applicable language characteristics .41
6.21.5 Avoiding the Vulnerability or Mitigating its Effects .42
6.21.6 Implications for language design and evolution .42
6.22 Missing initialization of variables [LAV] .42
6.22.1 Description of application vulnerability .42
6.22.2 Related coding guidelines .42
6.22.3 Mechanism of failure .43
6.22.4 Applicable language characteristics .43
6.22.5 Avoiding the vulnerability or mitigating its effects .43
6.22.6 Implications for language design and evolution . 44
6.23 Operator precedence and associativity [JCW] . 44
© ISO/IEC 2024 – All rights reserved
v
6.23.1 Description of application vulnerability . 44
6.23.2 Related coding guidelines . 44
6.23.3 Mechanism of failure .45
6.23.4 Applicable language characteristics .45
6.23.5 Avoiding the vulnerability or mitigating its effects .45
6.23.6 Implications for language design and evolution .45
6.24 Side-effects and order of evaluation of operands [SAM] .45
6.24.1 Description of application vulnerability .45
6.24.2 Related coding guidelines . 46
6.24.3 Mechanism of failure . 46
6.24.4 Applicable language characteristics .47
6.24.5 Avoiding the vulnerability or mitigating its effects .47
6.24.6 Implications for language design and evolution .47
6.25 Likely incorrect expression [KOA] .47
6.25.1 Description of application vulnerability .47
6.25.2 Related coding guidelines .47
6.25.3 Mechanism of failure . 48
6.25.4 Applicable language characteristics . 48
6.25.5 Avoiding the vulnerability or mitigating its effects . 48
6.25.6 Implications for language design and evolution . 48
6.26 Dead and deactivated code [XYQ] . 49
6.26.1 Description of application vulnerability . 49
6.26.2 Related coding guidelines . 49
6.26.3 Mechanism of failure . 49
6.26.4 Applicable language characteristics . 50
6.26.5 Avoiding the vulnerability or mitigating its effects . 50
6.26.6 Implications for language design and evolution . 50
6.27 Switch statements and lack of static analysis [CLL].51
6.27.1 Description of application vulnerability .51
6.27.2 Related coding guidelines .51
6.27.3 Mechanism of failure .51
6.27.4 Applicable language characteristics .51
6.27.5 Avoiding the vulnerability or mitigating its effects .51
6.27.6 Implications for language design and evolution .52
6.28 Non-demarcation of control flow [EOJ] .52
6.28.1 Description of application vulnerability .52
6.28.2 Related coding guidelines .52
6.28.3 Mechanism of failure .52
6.28.4 Applicable language characteristics .52
6.28.5 Avoiding the vulnerability or mitigating its effects .52
6.28.6 Implications for language design and evolution . 53
6.29 Loop control variable abuse [TEX] . 53
6.29.1 Description of application vulnerability . 53
6.29.2 Related coding guidelines . 53
6.29.3 Mechanism of failure . 54
6.29.4 Applicable language characteristics . 54
6.29.5 Avoiding the vulnerability or mitigating its effects . 54
6.29.6 Implications for language design and evolution . 54
6.30 Off-by-one error [XZH] . 54
6.30.1 Description of application vulnerability . 54
6.30.2 Related coding guidelines . 55
6.30.3 Mechanism of failure . 55
6.30.4 Applicable language characteristics . 55
6.30.5 Avoiding the vulnerability or mitigating its effects . 55
6.30.6 Implications for language design and evolution . 55
6.31 Unstructured programming [EWD] . 56
6.31.1 Description of application vulnerability . 56
6.31.2 Related coding guidelines . 56
6.31.3 Mechanism of failure . 56
© ISO/IEC 2024 – All rights reserved
vi
6.31.4 Applicable language characteristics . 56
6.31.5 Avoiding the vulnerability or mitigating its effects . 56
6.31.6 Implications for language design and evolution .57
6.32 Passing parameters and return values [CSJ] .57
6.32.1 Description of application vulnerability .57
6.32.2 Related coding guidelines .57
6.32.3 Mechanism of failure .57
6.32.4 Applicable language characteristics . 58
6.32.5 Avoiding the vulnerability or mitigating its effects . 58
6.32.6 Implications for language design and evolution .59
6.33 Dangling references to stack frames [DCM].59
6.33.1 Description of application vulnerability .59
6.33.2 Related coding guidelines .59
6.33.3 Mechanism of failure .59
6.33.4 Applicable language characteristics . 60
6.33.5 Avoiding the vulnerability or mitigating its effects . 60
6.33.6 Implications for language design and evolution . 60
6.34 Subprogram signature mismatch [OTR] .61
6.34.1 Description of application vulnerability .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.
Loading comments...