Security of Legacy Code
For decades, Fortran was considered “safe by obscurity”: it is used mainly in scientific, engineering and HPC software that is not exposed to the internet or to hostile environments. The regulatory landscape has changed, and enforcing security best practices in Fortran is now essential. Legacy Fortran software still powers critical infrastructure (weather prediction, nuclear simulations, aerospace, defense and financial modeling), and cybersecurity attacks have shown that any piece of code can become a target once it is part of a larger system. Because Fortran code is part of critical digital infrastructure, even 40-year-old numerical routines need to comply with the requirements of modern cybersecurity regulations.
Static Application Security Testing (SAST) is an automated process that analyzes source code to detect potential security vulnerabilities before the software is run. One of the key strengths of SAST lies in its ability to identify issues early in the development life cycle, where they are cheaper and easier to fix. Central to the effectiveness of SAST are well-maintained catalogs of known security vulnerabilities that provide definitions, documentation, and examples of common coding flaws.
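To make the SAST idea concrete, here is a small check of the kind such a catalog describes, written as an added example for this page (it is not Codee's analyzer and not part of the Open Catalog). It scans Fortran source and reports every program unit compiled without `implicit none`, a classic Fortran weakness: with implicit typing, a misspelled variable name silently becomes a new variable instead of a compile error, so the code runs and produces wrong results. The script assumes free-form source, applies the standard's scoping rules (internal and module procedures inherit `implicit none` from their host, interface bodies do not), and runs on a constructed sample embedded in the file; the sample, the function name and the regexes are all this example's own.

```python
"""Minimal SAST-style check for Fortran: report program units lacking IMPLICIT NONE.
Added example for this page; not Codee's analyzer. Assumes free-form source only."""
import re

_PREFIX = r"(?:(?:recursive|non_recursive|pure|impure|elemental)\s+)*"
_TYPE = (r"(?:integer|real|logical|complex|character|double\s+precision"
         r"|type\s*\([^)]*\))(?:\s*\([^)]*\))?")

# Start of a unit: PROGRAM p, SUBROUTINE s, [type] FUNCTION f, MODULE m.
# "module procedure ..." is excluded: it is not the start of a new unit.
UNIT_START = re.compile(
    r"^\s*" + _PREFIX + r"(?:" + _TYPE + r"\s+)?" + _PREFIX +
    r"(program|subroutine|function|module)\s+(?!procedure\b)(\w+)", re.IGNORECASE)
# Bare END, or END PROGRAM/SUBROUTINE/FUNCTION/MODULE [name]; "end do", "end if" do not match.
UNIT_END = re.compile(
    r"^\s*end\s*(?:(?:program|subroutine|function|module)(?:\s+\w+)?)?\s*$", re.IGNORECASE)
IMPLICIT_NONE = re.compile(r"^\s*implicit\s+none\b", re.IGNORECASE)
INTERFACE_START = re.compile(r"^\s*(?:abstract\s+)?interface\b(?!\s*=)", re.IGNORECASE)
INTERFACE_END = re.compile(r"^\s*end\s*interface\b", re.IGNORECASE)


def _strip_comment(line: str) -> str:
    """Drop a trailing '!' comment, but leave a '!' inside a quoted string alone."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "!":
            return line[:i]
    return line


def find_missing_implicit_none(source: str) -> list:
    """Return (kind, name, line) for every unit whose identifiers are implicitly typed.

    Scoping rules: an internal or module procedure inherits IMPLICIT NONE from its
    host; an interface body is its own scoping unit and inherits nothing.
    """
    stack = []            # open units: {"kind", "name", "line", "covered"}
    interface_depth = 0
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if INTERFACE_END.match(line):
            interface_depth = max(0, interface_depth - 1)
            continue
        if INTERFACE_START.match(line):
            interface_depth += 1
            continue
        m = UNIT_START.match(line)
        if m:
            inherits = bool(stack) and stack[-1]["covered"] and interface_depth == 0
            stack.append({"kind": m.group(1).lower(), "name": m.group(2),
                          "line": lineno, "covered": inherits})
            continue
        if stack and IMPLICIT_NONE.match(line):
            stack[-1]["covered"] = True
            continue
        if stack and UNIT_END.match(line):
            unit = stack.pop()
            if not unit["covered"]:
                findings.append((unit["kind"], unit["name"], unit["line"]))
    return findings


# Constructed sample source (not real project code); findings refer to its line numbers.
SAMPLE = """\
program demo
  implicit none
  integer :: i
  call legacy_step(i)
contains
  subroutine inner(x)     ! inherits IMPLICIT NONE from its host: not reported
    integer :: x
    x = 1
  end subroutine inner
end program demo

subroutine legacy_step(n) ! no IMPLICIT NONE: the typo 'toatl' silently becomes a new REAL
  integer :: n
  total = 0
  do n = 1, 10
    toatl = total + n
  end do
end subroutine legacy_step

module safe_mod
  implicit none
  interface
    function ext(a)       ! an interface body does NOT inherit IMPLICIT NONE: reported
      real :: ext, a
    end function ext
  end interface
end module safe_mod
"""

if __name__ == "__main__":
    for kind, name, line in find_missing_implicit_none(SAMPLE):
        print(f"line {line}: {kind} {name} has no IMPLICIT NONE")
```

Run on the sample, the check flags `legacy_step` (line 12) and the interface body `ext` (line 23) and is silent about `demo`, `inner` and `safe_mod`. A production analyzer would parse the language properly instead of matching lines (fixed-form source, continuation lines and keywords used as variable names are not handled here), but the structure is the same: a catalog entry describing the weakness, a rule that locates it in source, and a report pointing at a line before the code ever runs.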
Codee is the best-in-class static analyzer for Fortran and provides SAST reports to help comply with cybersecurity regulations. Our downloadable whitepaper explores how to bring modern secure development practices into Fortran code bases, by leveraging the Open Catalog for Security and its mappings to CWE, SEI CERT and ISO/IEC 24772-8 secure coding standards.
Deliver correct, secure, maintainable and fast software
This company is capitalized by INNVIERTE, AN INVESTMENT PROGRAM OF CDTI, E.P.E