Entries Tagged as 'Secure Coding '

The Latest Research from the SEI

Malware , Resilience Management Model (RMM) , Secure Coding , Systems Engineering No Comments »

By Douglas C. Schmidt
Principal Researcher

Douglas C. Schmidt As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in secure codingCERT Resilience Management Modelmalicious-code reverse engineering,systems engineering, and incident management. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website. 

Read more...

Android, Heartbleed, Testing, and DevOps: An SEI Blog Mid-Year Review

Android , DevOps , Secure Coding , Testing 1 Comment »

By Douglas C. Schmidt 
Principal Researcher

Douglas C. Schmidt In the first half of this year, the SEI blog has experienced unprecedented growth, with visitors in record numbers learning more about our work in secure coding for Androidmalware analysisHeartbleed, and V Models for Testing. In the first six months of 2014 (through June 20), the SEI blog has logged 60,240 visits, which is nearly comparable with the entire 2013 yearly total of 66,757 visits. As we reach the mid-year point, this blog posting takes a look back at our most popular areas of work (at least according to you, our readers) and highlights our most popular blog posts for the first half of 2014, as well as links to additional related resources that readers might find of interest. 

Read more...

Heartbleed: Q&A

Secure Coding , Team Software Process (TSP) , Vulnerability Analysis 1 Comment »

By Will Dormann
Vulnerability Analyst
CERT Division

Will DormannThe Heartbleed bug, a serious vulnerability in the Open SSL crytographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption used to secure the internet. Heartbleed and its aftermath left many questions in its wake: 

  • Would the vulnerability have been detected by static analysis tools? 
  • If the vulnerability has been in the wild for two years, why did it take so long to bring this to public knowledge now? 
  • Who is ultimately responsible for open-source code reviews and testing? 
  • Is there anything we can do to work around Heartbleed to provide security for banking and email web browser applications? 

In late April 2014, researchers from the Carnegie Mellon University Software Engineering Institute and Codenomicon, one of the cybersecurity organizations that discovered the Heartbleed vulnerability, participated in a panel to discuss Heartbleed and strategies for preventing future vulnerabilities. During the panel discussion, we did not have enough time to address all of the questions from our audience, so we transcribed the questions and panel members wrote responses. This blog posting presents questions asked by audience members during the Heartbleed webinar and the answers developed by our researchers. (If you would like to view the entire webinar, click here.)

Read more...

Secure Coding to Prevent Vulnerabilities

Secure Coding , Vulnerability Analysis 2 Comments »

By Robert C. Seacord
Secure Coding Technical Manager 
CERT Division

Robert SeacordSoftware developers produce more than 100 billion lines of code for commercial systems each year. Even with automated testing tools, errors still occur at a rate of one error for every 10,000 lines of code. While many coding standards address code style issues (i.e., style guides), CERT secure coding standards focus on identifying unsafe, unreliable, and insecure coding practices, such as those that resulted in the Heartbleed vulnerability. For more than 10 years, the CERT Secure Coding Initiative at the Carnegie Mellon University Software Engineering Institutehas been working to develop guidance—most recently, The CERT C Secure Coding Standard: Second Edition—for developers and programmers through the development of coding standards by security researchers, language experts, and software developers using a wiki-based community process.  This blog post explores the importance of a well-documented and enforceable coding standard in helping programmers circumvent pitfalls and avoid vulnerabilities. 

Read more...

Two Secure Coding Tools for Analyzing Android Apps

Android , Secure Coding , Tools No Comments »

By Will Klieber 
Member of the Technical Staff 
CERT Division 

This blog post was co-authored by Lori Flynn

Will KlieberAlthough the Android Operating System continues to dominate the mobile device market (82 percent of worldwide market share in the third quarter of 2013), applications developed for Android have faced some challenging security issues. For example, applications developed for the Android platform continue to struggle with vulnerabilities, such as activity hijacking, which occurs when a malicious app receives a message (in particular, an intent) that was intended for another app but not explicitly designated for it. The attack can result in leakage of sensitive data or loss of secure control of the affected apps. Another vulnerability is exploited when sensitive information is leaked from a sensitive source to a restricted sink. This blog post is the second in a series that details our work to develop techniques and tools for analyzing code for mobile computing platforms. (A previous blog post, Secure Coding for the Android Platform, describes our team’s development of Android rules and guidelines.)

Read more...