The SEI CERT Coding Standard for Fortran
2026-6-9 11:34:36 Author: www.sei.cmu.edu

This blog post is coauthored by Manuel Arenaz, lead contributor of the Fortran standard.

As security specialists, we are often asked to audit software and provide expertise on secure coding practices. Our research and efforts have produced several coding standards specifically dealing with security in popular programming languages, such as C, Java, and C++. This post describes our work on the SEI CERT Fortran Coding Standard, which provides a core of well-documented and enforceable coding guidelines for Fortran.

Fortran in the Modern Software Ecosystem

Fortran is one of the oldest high-level programming languages still in active use and remains a cornerstone of scientific, engineering, and high-performance computing (HPC) software. On the TIOBE Index from May 2026, Fortran was the 11th most-used programming language. Since the widely adopted Fortran 77 (F77) standard, the language has continuously evolved through major revisions, including Fortran 90, 95, 2003, 2008, 2018, and the recent Fortran 2023 standard, introducing modern features for modularity, interoperability, parallelism, and software engineering.

Fortran continues to power critical applications in areas such as climate and weather prediction, aerospace, nuclear energy, computational physics, and national security. Prominent Fortran-based applications include the U.S. Navy’s NEPTUNE weather-prediction model, the LS-DYNA finite-element solver for structural and crash simulations, and BLAS/LAPACK numerical linear algebra libraries widely used in scientific computing.

As these traditionally isolated scientific and HPC applications become increasingly integrated into modern, interconnected software ecosystems, the exposure of Fortran codebases to cybersecurity threats and software supply chain risks has significantly increased. In response, the Fortran community has shown growing interest in secure software development practices, vulnerability prevention, and secure coding standards. Recent efforts include the publication of ISO/IEC TR 24772-8 on avoiding vulnerabilities in Fortran and the emergence of static and software composition analysis tools targeting Fortran applications.

In addition, the recent emergence of specialized static analysis tools for Fortran now enables developers to provide an automated audit of a Fortran codebase by examining source code and producing diagnostic alerts that range from insecure coding practices and bugs to reliability and maintainability issues. These capabilities, comparable to those long available for C and C++, provide a practical foundation for modern secure software development in Fortran.

The SEI CERT Fortran Coding Standard is still young and growing. The C and Java standards each have more than 100 rules in over 15 sections. The Fortran standard currently has 25 guidelines, initially organized in several sections including:

Addressing Security Vulnerabilities in Fortran

Fortran shares many programming concepts and low-level capabilities with C and C++, including procedural programming, manual memory management, interoperability with external libraries, and performance-oriented design. At the same time, Fortran provides several features that are particularly well-suited for scientific and high-performance computing, including intrinsic multidimensional array operations, native array slicing and whole-array syntax, built-in support for numerical computation, explicit parallel programming constructs, and language-level facilities for efficient vectorization and mathematical optimization.

Historically, the Fortran community has focused on new features and improved performance rather than security. Our work on the SEI CERT Fortran Coding Standard centers on Fortran language and library issues that specifically address security, such as implicit declaration of variables, use of uninitialized variables, undefined behavior, out-of-bounds memory accesses, and proper argument checking.

The SEI CERT Fortran Coding Standard leverages the team’s knowledge of Fortran and several sources to provide relevant material on security. These include online resources such as the security and reliability checkers documented in the Codee Open Catalog and existing rules from the SEI CERT C Coding Standard that are applicable to Fortran due to similarities between the languages. For example, CERT Fortran guideline ARR01-F and CERT C rule ARR30-C both mandate that all indices to an array are within the bounds of the array.

Fortran has many of the same security issues that plague C and C++. A well-known critical issue common to all three languages is undefined behavior, which occurs when a program executes operations for which the language standard does not define a predictable result, allowing compilers to generate arbitrary behavior. In Fortran, undefined behavior may arise from issues such as the use of uninitialized variables, out-of-bounds array accesses, or invalid procedure interfaces. These situations are particularly dangerous because they can silently produce incorrect numerical results, application crashes, nondeterministic execution, or exploitable vulnerabilities that are difficult to detect and reproduce. This issue is discussed further in guideline MSC03-F in the SEI CERT Fortran Coding Standard, which illustrates undefined behavior through Fortran code that allows the compiler to remove a check to detect integer overflow entirely.
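The pattern described above, as an added example that is not the code from guideline MSC03-F or from the post: a check written after the addition depends on an overflowed value and may be optimized away, while a check written before the addition never computes an out-of-range value. The module, function and variable names are constructed for illustration.

```fortran
! Added illustration (constructed); not the code from guideline MSC03-F.
module checked_arith
  implicit none
contains
  ! Noncompliant pattern: tests for overflow after the addition. Overflow
  ! is not a defined result, so an optimizer may assume it never happens
  ! and delete this test. Shown for contrast only; never called below.
  logical function overflowed_after(a, b) result(bad)
    integer, intent(in) :: a, b
    integer :: s
    s = a + b
    bad = (b > 0 .and. s < a) .or. (b < 0 .and. s > a)
  end function overflowed_after

  ! Compliant pattern: compare against huge() before adding, so no
  ! out-of-range value is ever computed. The lower bound -huge(a) is the
  ! symmetric limit of the Fortran integer model (deliberately conservative).
  subroutine checked_add(a, b, s, ok)
    integer, intent(in)  :: a, b
    integer, intent(out) :: s
    logical, intent(out) :: ok
    ok = .true.
    if (b > 0) then
      ok = a <= huge(a) - b
    else if (b < 0) then
      ok = a >= -huge(a) - b
    end if
    s = 0
    if (ok) s = a + b
  end subroutine checked_add
end module checked_arith

program overflow_demo
  use checked_arith
  implicit none
  integer :: s
  logical :: ok
  call checked_add(40, 2, s, ok)
  print *, '40 + 2       ok =', ok, ' sum =', s
  call checked_add(huge(0), 1, s, ok)
  print *, 'huge(0) + 1  ok =', ok
  call checked_add(-huge(0), -1, s, ok)
  print *, '-huge(0) - 1 ok =', ok
end program overflow_demo
```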

Unlike C and C++, Fortran historically supports implicit typing of variables, a language feature introduced in early versions of Fortran to reduce the amount of code programmers needed to write on systems with limited computing resources. Under implicit typing rules, undeclared variables are automatically assigned a type based on the first letter of their name, which can easily hide typographical mistakes and programming errors. In modern software, this behavior is considered dangerous because a misspelled variable name may silently introduce a new variable instead of triggering a compilation error, potentially leading to undefined behavior, incorrect numerical results, or security vulnerabilities. Guideline TYP02-F discusses this issue further.

Noncompliant Code Example

[Figure 1: noncompliant code listing (image not included)]

While the floating-point division 7 / 2.5 yields 2.8, the integer division 7 / 2 yields 3 (with a remainder of 1). Because res starts with "R", it is still a real (floating-point) type, so the program prints 3.0 rather than 3.

Compliant Solution

[Figure 2: compliant code listing (image not included)]

This program prints 2.8 using flang 22.1.7, or 2.79999995 using gfortran 15.2.1 on macOS 26.5.
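The following is an added example, not the code from the post's figures or from guideline TYP02-F; every program, subroutine and variable name other than res is constructed. It shows both effects the text attributes to implicit typing: a real value silently truncated by an implicitly typed integer, and a misspelled name silently accepted as a new variable.

```fortran
! Added illustration (constructed); not the code from the original figures.
program implicit_typing_demo
  implicit none
  real :: r_implicit, r_explicit, t
  call ratio_noncompliant(r_implicit)
  call ratio_compliant(r_explicit)
  call sum_noncompliant(t)
  print *, 'ratio, implicit typing:', r_implicit
  print *, 'ratio, implicit none  :', r_explicit
  print *, 'sum with typo         :', t
end program implicit_typing_demo

! Noncompliant: no IMPLICIT NONE, so names starting with I-N are INTEGER
! and all other names (including the dummy argument res) are REAL.
subroutine ratio_noncompliant(res)
  numer = 7              ! 'n' -> INTEGER
  length = 2.5           ! 'l' -> INTEGER: 2.5 is silently truncated to 2
  res = numer / length   ! integer division, then conversion to REAL
end subroutine ratio_noncompliant

! Noncompliant: the misspelled name 'totl' is accepted as a new REAL
! variable, so 'total' is never updated inside the loop.
subroutine sum_noncompliant(total)
  total = 0.0
  do i = 1, 3
    totl = total + 1.0
  end do
end subroutine sum_noncompliant

! Compliant: IMPLICIT NONE forces every name to be declared, so the types
! are what the author wrote and a typo such as 'totl' fails to compile.
subroutine ratio_compliant(res)
  implicit none
  real, intent(out) :: res
  real :: numer, length
  numer = 7.0
  length = 2.5
  res = numer / length
end subroutine ratio_compliant
```

With gfortran, the `-fimplicit-none` option applies the same rule to program units that lack the statement, which turns both noncompliant subroutines into compile errors.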

Modern Fortran has more safety features than classic C, for example automatic memory management for allocatable arrays, array bounds checking, and stronger interfaces and argument checking. These features help prevent common classes of vulnerabilities such as memory leaks, invalid memory accesses, interface mismatches, and out-of-bounds errors, improving the reliability and security of scientific and high-performance computing applications. Guidelines PRC01-F, PRC02-F, and PRC03-F discuss these issues further.

What's Ahead for the SEI CERT Coding Standard for Fortran

The SEI CERT Fortran Coding Standard is now publicly accessible, but it is not finished. By making the standard publicly accessible, we invite the Fortran community to help us improve it by reviewing the existing guidelines and suggesting new ones. You can get involved by using GitHub's issues framework to start discussions about the standard. Or you can fork the project and submit a pull request with suggested improvements. The CERT Secure Coding team will review all pull requests and merge approved requests into the standard. We have released a recent video about the process of updating the SEI CERT Coding Standards in GitHub.

We hope to add several guidelines each week. Presumably the Fortran standard could grow to about the same size as the C or Java standards because all three languages are comparable in scope.


Source: https://www.sei.cmu.edu/blog/the-sei-cert-coding-standard-for-fortran/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates