Entries Tagged as 'Secure Coding '

Performance of Compiler-Assisted Memory Safety Checking

Secure Coding No Comments »

By David Keaton
Senior Researcher
CERT Secure Coding Initiative

David KeatonAccording to a 2013 report examining 25 years of vulnerabilities (from 1998 to 2012), buffer overflow causes 14 percent of software security vulnerabilities and 35 percent of critical vulnerabilities, making it the leading cause of software security vulnerabilities overall. As of July 2014, the TIOBE index indicates that the C programming language, which is the language most commonly associated with buffer overflows, is the most popular language with 17.1 percent of the market. Embedded systems, network stacks, networked applications, and high-performance computing rely heavily upon C. Embedded systems can be especially vulnerable to buffer overflows because many of them lack hardware memory management units. This blog post describes my research on the Secure Coding Initiative in the CERT Division of the Carnegie Mellon University Software Engineering Institute to create automated buffer overflow prevention.

Read more...

The Latest Research from the SEI

Malware , Resilience Management Model (RMM) , Secure Coding , Systems Engineering No Comments »

By Douglas C. Schmidt
Principal Researcher

Douglas C. Schmidt As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in secure codingCERT Resilience Management Modelmalicious-code reverse engineering,systems engineering, and incident management. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website. 

Read more...

Android, Heartbleed, Testing, and DevOps: An SEI Blog Mid-Year Review

Android , Big Data , DevOps , Secure Coding , Testing 1 Comment »

By Douglas C. Schmidt 
Principal Researcher

Douglas C. Schmidt In the first half of this year, the SEI blog has experienced unprecedented growth, with visitors in record numbers learning more about our work in big datasecure coding for Androidmalware analysisHeartbleed, and V Models for Testing. In the first six months of 2014 (through June 20), the SEI blog has logged 60,240 visits, which is nearly comparable with the entire 2013 yearly total of 66,757 visits. As we reach the mid-year point, this blog posting takes a look back at our most popular areas of work (at least according to you, our readers) and highlights our most popular blog posts for the first half of 2014, as well as links to additional related resources that readers might find of interest. 

Read more...

Heartbleed: Q&A

Secure Coding , Team Software Process (TSP) , Vulnerability Analysis 1 Comment »

By Will Dormann
Vulnerability Analyst
CERT Division

Will DormannThe Heartbleed bug, a serious vulnerability in the Open SSL crytographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption used to secure the internet. Heartbleed and its aftermath left many questions in its wake: 

  • Would the vulnerability have been detected by static analysis tools? 
  • If the vulnerability has been in the wild for two years, why did it take so long to bring this to public knowledge now? 
  • Who is ultimately responsible for open-source code reviews and testing? 
  • Is there anything we can do to work around Heartbleed to provide security for banking and email web browser applications? 

In late April 2014, researchers from the Carnegie Mellon University Software Engineering Institute and Codenomicon, one of the cybersecurity organizations that discovered the Heartbleed vulnerability, participated in a panel to discuss Heartbleed and strategies for preventing future vulnerabilities. During the panel discussion, we did not have enough time to address all of the questions from our audience, so we transcribed the questions and panel members wrote responses. This blog posting presents questions asked by audience members during the Heartbleed webinar and the answers developed by our researchers. (If you would like to view the entire webinar, click here.)

Read more...

Secure Coding to Prevent Vulnerabilities

Secure Coding , Vulnerability Analysis 2 Comments »

By Robert C. Seacord
Secure Coding Technical Manager 
CERT Division

Robert SeacordSoftware developers produce more than 100 billion lines of code for commercial systems each year. Even with automated testing tools, errors still occur at a rate of one error for every 10,000 lines of code. While many coding standards address code style issues (i.e., style guides), CERT secure coding standards focus on identifying unsafe, unreliable, and insecure coding practices, such as those that resulted in the Heartbleed vulnerability. For more than 10 years, the CERT Secure Coding Initiative at the Carnegie Mellon University Software Engineering Institutehas been working to develop guidance—most recently, The CERT C Secure Coding Standard: Second Edition—for developers and programmers through the development of coding standards by security researchers, language experts, and software developers using a wiki-based community process.  This blog post explores the importance of a well-documented and enforceable coding standard in helping programmers circumvent pitfalls and avoid vulnerabilities. 

Read more...