    The SEI CERT Coding Standard for Fortran

By Admin, June 12, 2026


    This blog post is coauthored by Manuel Arenaz, lead contributor of the Fortran standard.

    As security specialists, we are often asked to audit software and provide expertise on secure coding practices. Our research and efforts have produced several coding standards specifically dealing with security in popular programming languages, such as C, Java, and C++. This post describes our work on the SEI CERT Fortran Coding Standard, which provides a core of well-documented and enforceable coding guidelines for Fortran.

    Fortran in the Modern Software Ecosystem

    Fortran is one of the oldest high-level programming languages still in active use and remains a cornerstone of scientific, engineering, and high-performance computing (HPC) software. On the TIOBE Index from May 2026, Fortran was the 11th most-used programming language. Since the widely adopted Fortran 77 (F77) standard, the language has continuously evolved through major revisions, including Fortran 90, 95, 2003, 2008, 2018, and the recent Fortran 2023 standard, introducing modern features for modularity, interoperability, parallelism, and software engineering.

    Fortran continues to power critical applications in areas such as climate and weather prediction, aerospace, nuclear energy, computational physics, and national security. Prominent Fortran-based applications include the U.S. Navy’s NEPTUNE weather-prediction model, the LS-DYNA finite-element solver for structural and crash simulations, and BLAS/LAPACK numerical linear algebra libraries widely used in scientific computing.

    As these traditionally isolated scientific and HPC applications become increasingly integrated into modern, interconnected software ecosystems, the exposure of Fortran codebases to cybersecurity threats and software supply chain risks has significantly increased. In response, the Fortran community has shown growing interest in secure software development practices, vulnerability prevention, and secure coding standards. Recent efforts include the publication of ISO/IEC TR 24772-8 on avoiding vulnerabilities in Fortran and the emergence of static and software composition analysis tools targeting Fortran applications.

These static analysis tools now let developers run an automated audit of a Fortran codebase, examining the source code and producing diagnostic alerts that range from insecure coding practices and bugs to reliability and maintainability issues. Such capabilities, comparable to those long available for C and C++, provide a practical foundation for modern secure software development in Fortran.

    The SEI CERT Fortran Coding Standard is still young and growing. The C and Java standards each have more than 100 rules in over 15 sections. The Fortran standard currently has 25 guidelines, initially organized in several sections including:

    Addressing Security Vulnerabilities in Fortran

    Fortran shares many programming concepts and low-level capabilities with C and C++, including procedural programming, manual memory management, interoperability with external libraries, and performance-oriented design. At the same time, Fortran provides several features that are particularly well-suited for scientific and high-performance computing, including intrinsic multidimensional array operations, native array slicing and whole-array syntax, built-in support for numerical computation, explicit parallel programming constructs, and language-level facilities for efficient vectorization and mathematical optimization.

    Historically, the Fortran community has focused on new features and improved performance rather than security. Our work on the SEI CERT Fortran Coding Standard centers on Fortran language and library issues that specifically address security, such as implicit declaration of variables, use of uninitialized variables, undefined behavior, out-of-bounds memory accesses, and proper argument checking.

    The SEI CERT Fortran Coding Standard leverages the team’s knowledge of Fortran and several sources to provide relevant material on security. These include online resources such as the security and reliability checkers documented in the Codee Open Catalog and existing rules from the SEI CERT C Coding Standard that are applicable to Fortran due to similarities between the languages. For example, CERT Fortran guideline ARR01-F and CERT C rule ARR30-C both mandate that all indices to an array are within the bounds of the array.

    Fortran has many of the same security issues that plague C and C++. A well-known critical issue common to all three languages is undefined behavior, which occurs when a program executes operations for which the language standard does not define a predictable result, allowing compilers to generate arbitrary behavior. In Fortran, undefined behavior may arise from issues such as the use of uninitialized variables, out-of-bounds array accesses, or invalid procedure interfaces. These situations are particularly dangerous because they can silently produce incorrect numerical results, application crashes, nondeterministic execution, or exploitable vulnerabilities that are difficult to detect and reproduce. This issue is discussed further in guideline MSC03-F in the SEI CERT Fortran Coding Standard, which illustrates undefined behavior through Fortran code that allows the compiler to remove a check to detect integer overflow entirely.
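The MSC03-F code itself is not reproduced here. The following is an added example of the same failure mode, written for this post rather than taken from it or from the CERT standard; the module, procedure and program names are my own. It places an overflow check that inspects the sum after the fact (whose outcome the language does not define, so a compiler may delete or defeat it) beside a check that decides, before the addition is evaluated, whether the result is representable.

```fortran
! Added example, not code from the SEI post or from the CERT standard.
! An integer-overflow check that depends on undefined behaviour next to
! one that decides before the operation is evaluated.
module checked_add_mod
  implicit none
contains
  ! Noncompliant: evaluates a + b first and inspects the result afterwards.
  ! The Fortran standard defines no result for an integer addition that
  ! overflows, so an optimising compiler is free to assume it never does
  ! and drop the comparison below, or to hand it a value that fools it.
  logical function add_after_the_fact(a, b, s)
    integer, intent(in)  :: a, b
    integer, intent(out) :: s
    s = a + b
    add_after_the_fact = .not. ((b > 0 .and. s < a) .or. (b < 0 .and. s > a))
  end function add_after_the_fact

  ! Compliant: decide whether a + b is representable using only operations
  ! that cannot overflow themselves. huge(a) is the largest value of the
  ! kind; the standard's integer model is symmetric, so -huge(a) is the
  ! portable minimum. s is assigned the sum only when it is safe.
  logical function add_checked(a, b, s)
    integer, intent(in)  :: a, b
    integer, intent(out) :: s
    if (b > 0) then
      add_checked = a <= huge(a) - b      ! huge(a) - b cannot overflow: b > 0
    else
      add_checked = a >= -huge(a) - b     ! -huge(a) - b cannot overflow: b <= 0
    end if
    if (add_checked) then
      s = a + b
    else
      s = 0                               ! callers must test the flag, not s
    end if
  end function add_checked
end module checked_add_mod

program overflow_demo
  use checked_add_mod
  implicit none
  integer :: s
  logical :: ok
  ! huge(0) - 5 + 10 is not representable in a default integer: the
  ! pre-check rejects it without ever computing the sum.
  ok = add_checked(huge(0) - 5, 10, s)
  print *, 'huge-5 + 10 representable: ', ok
  ! huge(0) - 5 + 5 is exactly huge(0), the largest legal value: accepted.
  ok = add_checked(huge(0) - 5, 5, s)
  print *, 'huge-5 + 5 representable:  ', ok, ' sum = ', s
end program overflow_demo
```

Build with `gfortran -O2 overflow_demo.f90` to see the point of the compliant version: `add_checked` never performs an operation the standard leaves undefined, so its behaviour does not depend on the optimisation level, whereas anything `add_after_the_fact` reports after an actual overflow is outside the language's guarantees.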

    Unlike C and C++, Fortran historically supports implicit typing of variables, a language feature introduced in early versions of Fortran to reduce the amount of code programmers needed to write on systems with limited computing resources. Under implicit typing rules, undeclared variables are automatically assigned a type based on the first letter of their name, which can easily hide typographical mistakes and programming errors. In modern software, this behavior is considered dangerous because a misspelled variable name may silently introduce a new variable instead of triggering a compilation error, potentially leading to undefined behavior, incorrect numerical results, or security vulnerabilities. Guideline TYP02-F discusses this issue further.

    Noncompliant Code Example

    While a floating-point division of 7 / 2.5 = 2.8, an integer division produces 7 / 2 = 3 (with a remainder of 1). Since res starts with “R”, it is still a real (floating-point) type, and so the program prints 3.0 rather than 3.

This program prints 2.8 using flang 22.1.7, or 2.79999995 using gfortran 15.2.1 on macOS 26.5; the latter is the same single-precision value of 2.8 shown at gfortran's default list-directed output precision.
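As an added illustration of the TYP02-F hazard, separate from the post's own noncompliant example, the routine below is written twice: once without IMPLICIT NONE, where a misspelt variable silently becomes a new implicitly typed real, and once inside a module with IMPLICIT NONE, where the same typo is a compile-time error. This is my own code, not the post's or the standard's, and the procedure and module names, as well as the sample data, are constructed for the example.

```fortran
! Added example, not code from the SEI post. The same routine written
! twice: once relying on implicit typing, once under IMPLICIT NONE.

! Noncompliant: no IMPLICIT NONE. Under the default rules a name starting
! with I-N is an INTEGER and any other name is a REAL, so the misspelt
! 'totl' below quietly becomes a second, uninitialised real variable.
function mean_unsafe(values, n)
  integer, intent(in) :: n
  real,    intent(in) :: values(n)
  real    :: mean_unsafe, total
  integer :: i
  total = 0.0
  do i = 1, n
    totl = total + values(i)   ! typo: the running sum lands in 'totl', 'total' stays 0.0
  end do
  mean_unsafe = total / n      ! wrong result, and no diagnostic from the compiler
end function mean_unsafe

! Compliant: IMPLICIT NONE at module scope covers every contained
! procedure, so the same typo would be rejected at compile time
! ("Symbol 'totl' has no IMPLICIT type" under gfortran).
module mean_mod
  implicit none
contains
  function mean_safe(values, n) result(mean)
    integer, intent(in) :: n
    real,    intent(in) :: values(n)
    real    :: mean, total
    integer :: i
    total = 0.0
    do i = 1, n
      total = total + values(i)
    end do
    mean = total / n
  end function mean_safe
end module mean_mod

program implicit_typing_demo
  use mean_mod
  implicit none
  ! Explicit interface for the external function so that argument
  ! types and counts are still checked at the call site.
  interface
    function mean_unsafe(values, n)
      integer, intent(in) :: n
      real,    intent(in) :: values(n)
      real :: mean_unsafe
    end function mean_unsafe
  end interface
  real :: samples(4) = [2.0, 4.0, 6.0, 8.0]   ! constructed sample data
  print *, 'mean_unsafe: ', mean_unsafe(samples, 4)
  print *, 'mean_safe:   ', mean_safe(samples, 4)
end program implicit_typing_demo
```

The practical check for an existing codebase is the compiler flag rather than an audit by eye: `gfortran -fimplicit-none` applies IMPLICIT NONE to every scoping unit, so the typo in `mean_unsafe` becomes a build error even though that function never declares it.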

Modern Fortran has more safety features than classic C. For example, it offers automatic memory management for allocatable arrays, optional run-time array bounds checking, and explicit interfaces with compile-time argument checking. These features help prevent common classes of vulnerabilities such as memory leaks, invalid memory accesses, interface mismatches, and out-of-bounds errors, improving the reliability and security of scientific and high-performance computing applications. Guidelines PRC01-F, PRC02-F, and PRC03-F discuss these issues further.
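The following added example (my own code, not the post's or the standard's; module, procedure and variable names are assumed) shows the three features above working together, and also serves the ARR01-F point made earlier: a module procedure has an explicit interface, its assumed-shape dummy array carries the caller's bounds so an index can be validated against lbound/ubound before use, and an allocatable work array is released automatically when the procedure returns.

```fortran
! Added example, not code from the SEI post or the CERT standard:
! explicit interfaces, allocatable arrays and in-bounds index checks.
module safe_array_mod
  implicit none
contains
  ! Assumed-shape dummy: the caller's bounds travel with the array, so the
  ! procedure can check an index instead of trusting it (ARR01-F). Being a
  ! module procedure, it also has an explicit interface, so a caller that
  ! passes the wrong argument types fails to compile (PRC guidelines).
  function get_or_default(values, idx, default) result(v)
    real,    intent(in) :: values(:)
    integer, intent(in) :: idx
    real,    intent(in) :: default
    real :: v
    if (idx < lbound(values, 1) .or. idx > ubound(values, 1)) then
      v = default          ! reject an out-of-range index instead of reading past the array
    else
      v = values(idx)
    end if
  end function get_or_default

  ! Allocatable local: sized at run time and deallocated automatically on
  ! return, so there is nothing to leak and no pointer left dangling.
  function sum_of_squares(n) result(total)
    integer, intent(in) :: n
    real :: total
    real, allocatable :: work(:)
    integer :: i
    allocate(work(n))
    do i = 1, n
      work(i) = real(i)**2
    end do
    total = sum(work)
  end function sum_of_squares
end module safe_array_mod

program array_demo
  use safe_array_mod
  implicit none
  real :: samples(3) = [1.5, 2.5, 3.5]   ! constructed sample data
  print *, 'index 2: ', get_or_default(samples, 2, -1.0)
  print *, 'index 4: ', get_or_default(samples, 4, -1.0)   ! past the end: default is returned
  print *, 'sum of squares 1..3: ', sum_of_squares(3)
end program array_demo
```

For code paths that index arrays directly rather than through a validating accessor, build test and debug binaries with `gfortran -fcheck=bounds`, which turns an out-of-bounds subscript into a run-time error with the offending line instead of a silent read or write outside the array.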

    What’s Ahead for the SEI CERT Coding Standard for Fortran

The SEI CERT Fortran Coding Standard is now publicly accessible, but it is not finished. By making the standard publicly accessible, we invite the Fortran community to help us improve it by reviewing the existing guidelines and suggesting new ones. You can get involved by opening a GitHub issue to start a discussion about the standard, or by forking the project and submitting a pull request with suggested improvements. The CERT Secure Coding team will review all pull requests and merge approved requests into the standard. We have also released a video about the process of updating the SEI CERT Coding Standards on GitHub.

    We hope to add several guidelines each week. Presumably the Fortran standard could grow to about the same size as the C or Java standards because all three languages are comparable in scope.


