Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use

CAN/CSA-ISO/IEC TR 24772:12
(ISO/IEC TR 24772:2010, IDT)
National Standard of Canada
NOT FOR RESALE.

Legal Notice for Standards

Canadian Standards Association (CSA) standards are developed through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards.

Disclaimer and exclusion of liability

This document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this document's fitness for a particular purpose or use, its merchantability, or its non-infringement of any third party's intellectual property rights. CSA does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA makes no representations or warranties regarding this document's compliance with any applicable statute, rule, or regulation.

IN NO EVENT SHALL CSA, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.

In publishing and making this document available, CSA is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document.

CSA is a private not-for-profit company that publishes voluntary standards and related documents. CSA has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes.

Intellectual property rights and ownership

As between CSA and the users of this document (whether it be in printed or electronic form), CSA is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may violate laws that protect CSA's and/or others' intellectual property and may give rise to a right in CSA and/or others to seek legal redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA reserves all intellectual property rights in this document.

Patent rights

Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own responsibility.

Authorized use of this document

This document is being provided by CSA for informational and non-commercial use only. The user of this document is authorized to do only the following:

If this document is in electronic form:
• load this document onto a computer for the sole purpose of reviewing it;
• search and browse this document; and
• print this document if it is in PDF format.

Limited copies of this document in print or paper form may be distributed only to persons who are authorized by CSA to have such copies, and only if this Legal Notice appears on each such copy.

In addition, users may not and may not permit others to
• alter this document in any way or remove this Legal Notice from the attached standard;
• sell this document without authorization from CSA; or
• make an electronic copy of this document.

If you do not agree with any of the terms and conditions contained in this Legal Notice, you may not load or use this document or make any copies of the contents hereof, and if you do make such copies, you are required to destroy them immediately. Use of this document constitutes your acceptance of the terms and conditions of this Legal Notice.

CSA Standards Update Service

CAN/CSA-ISO/IEC TR 24772:12
March 2012

Title: Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use
Pagination: 95 pages (CSA/1–CSA/5, i–vii, and 131 text)

To register for e-mail notification about any updates to this publication
• go to shop.csa.ca
• click on E-mail Services under MY ACCOUNT
• click on CSA Standards Update Service

The List ID that you will need to register for updates to this publication is 2421523.

If you require assistance, please e-mail techsupport@csa.ca or call 416-747-2233.

Visit CSA's policy on privacy at csagroup.org/legal to find out how we protect your personal information.

The Canadian Standards Association (CSA), under whose auspices this National Standard has been produced, was chartered in 1919 and accredited by the Standards Council of Canada to the National Standards system in 1973. It is a not-for-profit, nonstatutory, voluntary membership association engaged in standards development and certification activities.

CSA standards reflect a national consensus of producers and users, including manufacturers, consumers, retailers, unions and professional organizations, and governmental agencies. The standards are used widely by industry and commerce and often adopted by municipal, provincial, and federal governments in their regulations, particularly in the fields of health, safety, building and construction, and the environment.

Individuals, companies, and associations across Canada indicate their support for CSA's standards development by volunteering their time and skills to CSA Committee work and supporting the Association's objectives through sustaining memberships. The more than 7000 committee volunteers and the 2000 sustaining memberships together form CSA's total membership from which its Directors are chosen. Sustaining memberships represent a major source of income for CSA's standards development activities.

The Association offers certification and testing services in support of and as an extension to its standards development activities. To ensure the integrity of its certification process, the Association regularly and continually audits and inspects products that bear the CSA Mark.

In addition to its head office and laboratory complex in Toronto, CSA has regional branch offices in major centres across Canada and inspection and testing agencies in eight countries. Since 1919, the Association has developed the necessary expertise to meet its corporate mission: CSA is an independent service organization whose mission is to provide an open and effective forum for activities facilitating the exchange of goods and services through the use of standards, certification and related services to meet national and international needs.

For further information on CSA services, write to
Canadian Standards Association
5060 Spectrum Way, Suite 100
Mississauga, Ontario, L4W 5N6
Canada

The Standards Council of Canada (SCC) is the coordinating body of the National Standards System, a coalition of independent, autonomous organizations working towards the further development and improvement of voluntary standardization in the national interest.

The principal objects of the SCC are to foster and promote voluntary standardization as a means of advancing the national economy, benefiting the health, safety, and welfare of the public, assisting and protecting the consumer, facilitating domestic and international trade, and furthering international cooperation in the field of standards.

A National Standard of Canada (NSC) is a standard prepared or reviewed by an accredited Standards Development Organization (SDO) and approved by the SCC according to the requirements of CAN-P-2. Approval does not refer to the technical content of the standard; this remains the continuing responsibility of the SDO. An NSC reflects a consensus of a number of capable individuals whose collective interests provide, to the greatest practicable extent, a balance of representation of general interests, producers, regulators, users (including consumers), and others with relevant interests, as may be appropriate to the subject in hand. It normally is a standard which is capable of making a significant and timely contribution to the national interest.

Those who have a need to apply standards are encouraged to use NSCs. These standards are subject to periodic review. Users of NSCs are cautioned to obtain the latest edition from the SDO which publishes the standard.

The responsibility for approving standards as National Standards of Canada rests with the
Standards Council of Canada
270 Albert Street, Suite 200
Ottawa, Ontario, K1P 6N7
Canada

Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users to judge its suitability for their particular purpose.

Registered trade-mark of Canadian Standards Association

This standard is offered in English only for the moment. CSA will publish the French version as soon as it is produced by the drafting organization.

Reviewed by
National Standard of Canada

Published in March 2012 by Canadian Standards Association
A not-for-profit private sector organization
5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6
1-800-463-6727 • 416-747-4044
Visit our Online Store at shop.csa.ca

Approved by
Standards Council of Canada

CAN/CSA-ISO/IEC TR 24772:12
Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use

Prepared by
International Organization for Standardization / International Electrotechnical Commission

CSA Preface

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

At the time of publication, ISO/IEC TR 24772:2010 is available from ISO and IEC in English only. CSA will publish the French version when it becomes available from ISO and IEC.

This International Standard was reviewed by the CSA TCIT under the jurisdiction of the Strategic Steering Committee on Information Technology and deemed acceptable for use in Canada. From time to time, ISO/IEC may publish addenda, corrigenda, etc. The CSA TCIT will review these documents for approval and publication. For a listing, refer to the CSA Information Products catalogue or CSA Info Update or contact a CSA Sales representative. This Standard has been formally approved, without modification, by the Technical Committee and has been approved as a National Standard of Canada by the Standards Council of Canada.

March 2012

© Canadian Standards Association 2012

All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the publisher. ISO/IEC material is reprinted with permission. Where the words “this Technical Report” appear in the text, they should be interpreted as “this National Standard of Canada”.

Inquiries regarding this National Standard of Canada should be addressed to
Canadian Standards Association
5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6
1-800-463-6727 • 416-747-4000
http://csa.ca

To purchase CSA Standards and related publications, visit CSA's Online Store at shop.csa.ca or call toll-free 1-800-463-6727 or 416-747-4044.

CSA Standards are subject to periodic review, and suggestions for their improvement will be referred to the appropriate committee. To submit a proposal for change to CSA Standards, please send the following information to inquiries@csa.ca and include “Proposal for change” in the subject line:
(a) Standard designation (number);
(b) relevant clause, table, and/or figure number;
(c) wording of the proposed change; and
(d) rationale for the change.

Reference number
ISO/IEC TR 24772:2010(E)
© ISO/IEC 2010

TECHNICAL REPORT
ISO/IEC TR 24772
First edition
2010-10-01

Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use

Technologies de l'information — Langages de programmation — Conduite pour éviter les vulnérabilités dans les langages de programmation à travers la sélection et l'usage de la langue

ISO/IEC TR 24772:2010(E)

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in