By Lori Flynn
Member of the Technical Staff
CERT Secure Coding team
Although we’ve developed secure coding rules and guidelines for Java, prior to 2013 we had not developed a set of secure coding rules that were specific to Java’s application in the Android platform. Android is an important area to focus on, given its mobile device market dominance (82 percent of worldwide market share in the third quarter of 2013) as well as the adoption of Android by the Department of Defense.
This blog post, the first in a series, discusses the initial development of our Android rules and guidelines. This initial development included mapping our existing Java secure coding rules and guidelines to Android applicability and also the creation of new Android-only rules for Java secure coding.
By David Svoboda
CERT Secure Coding Team
This blog post describes a research initiative aimed at eliminating vulnerabilities resulting from memory management problems in C and C++. Memory problems in C and C++ can lead to serious software vulnerabilities including difficulty fixing bugs, performance impediments, program crashes (including null pointer dereference and out-of-memory errors), and remote code execution.
By Douglas C. Schmidt
As part of an ongoing effort to keep you informed about our latest work, I'd like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in information assurance and agile, the Team Software Process (TSP), CERT secure coding standards, resource allocation, fuzzing, cloud computing interoperability, and cloud computing at the tactical edge.
This post includes a listing of each report, author(s), and links where
the published reports can be accessed on the SEI website.
By David Keaton
Senior Member of the Technical Staff
CERT Secure Coding Team
By analyzing vulnerability reports for the C, C++, Perl, and Java programming languages, the CERT Secure Coding Team
observed that a relatively small number of programming errors leads to
most vulnerabilities. Our research focuses on identifying insecure
coding practices and developing secure alternatives that software
programmers can use to reduce or eliminate vulnerabilities before
software is deployed. In a previous post, I described our work to identify vulnerabilities that informed the revision of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard for the C programming language. The CERT Secure Coding Team has also been working on the CERT C Secure Coding Standard,
which contains a set of rules and guidelines to help developers code
securely. This posting describes our latest set of rules and
recommendations, which aims to help developers avoid undefined and/or
unexpected behavior in deployed code.
Software Security Engineer
CERT Secure Coding Initiative
As security specialists, we are often asked to audit software and provide expertise on secure coding practices.
Our research and efforts have produced several coding standards specifically dealing with security in popular programming languages, such as C, Java, and C++. This posting describes our work on the CERT Perl Secure Coding Standard, which provides a core of well-documented and enforceable coding rules and recommendations for Perl, a popular scripting language.