In many of the current projects on OpenCA.org the used language is C/C++. Therefore specific tools should be used in order to prevent programming derived errors, such as buffer overflows, to be present in the code.

From an analysis we recently conducted, the most suitable option is the usage of the C/C++ language, together with the adoption of static analysis tools. In particular, it is advisable to use tools such as ITS4, RATS or Flawfinder to conduct a focused code review after every function or logical piece of code has been completed. This strategy can be employed by each developer to check for bugs in the code she is producing.

While programmers may use static analysis tools without modifying the level of reported warnings, it is highly recommended to regularly perform a full audit of the code base. This auditing phase can be carried out by using SPLINT with the options configured to have the highest number of warnings reported during the analysis.

If the checks are performed frequently enough, the tool will not report too many false positives, thus allowing for prompt verification of the interactions between different project components. After each function is checked for specific errors, it is also advisable to annotate it right way in order to facilitate the next auditing phase.