News
Welcome to the inaugural monthly newsletter for the CERT secure coding standards. Our goal is to provide you with timely information concerning updates to the CERT secure coding standards and to make you aware of other interesting news and events related to secure coding. Because this is the first edition of the newsletter, it will probably be a bit longer than most. If you wish to unsubscribe, just use the SafeUnsubscribe link at the end of this newsletter.
The CERT Division's Secure Coding Initiative has been developing secure coding standards since 2006. InformIT recently published an article called C Secure Coding Rules: Past, Present, and Future, which focuses primarily on the history and future of the CERT C Secure Coding Standard.
Industry is widely adopting the CERT secure coding standards. Representatives of many organizations have visited our wiki. At October 2011's annual SecCon conference, Cisco Systems Inc. announced its adoption of the CERT C Secure Coding Standard as a baseline programming standard in its product development. Recently, Oracle has integrated all of the CERT secure coding standards into their existing Secure Coding Standards. This adoption is the most recent step of a long collaboration: the CERT Division and Oracle previously collaborated on The CERT Oracle Secure Coding Standard for Java.
Given the fluid nature of languages and coding standards, guidelines can change between publication cycles. We are codifying the deprecation rules and are looking for feedback from users and vendors to ensure the deprecation process is as painless as possible. Please provide feedback on the Deprecations page.
In addition to working on secure coding standards for C, C++, Java, and Perl on the public wiki, we have also begun efforts to create secure coding standards for various other languages, including Ada, C#, Fortran, Python, JavaScript, and SPARK. We will share these with the public once they move beyond the embarrassing stage. If you would like to contribute to the development of these standards, please contact us at [email protected].
New Edition of Secure Coding in C and C++ Addresses Code Changes and New Threats
To address advances and changes in the C and C++ coding languages, and to address new threats faced by programmers working in these languages, Software Engineering Institute (SEI) researcher Robert C. Seacord has authored Secure Coding in C and C++, Second Edition. Seacord, a senior member of the SEI technical staff and technical manager of the CERT Secure Coding Initiative, also authored the original 2005 edition. The book has been published by Addison-Wesley Professional as part of its SEI Series.
SAVE 35% + FREE shipping within the U.S.: just enter the discount code SEACORD during checkout.
Language Standard Updates
CERT C Secure Coding Standard
Editors: Martin Sebor (Cisco Systems), Aaron Ballman (SEI)
John Benito from Blue Pilot has been updating the CERT C Secure Coding Standard for C11, starting by changing references to TR 24731-1 to C11 Annex K.
CERT C++ Secure Coding Standard
Editors: Martin Sebor (Cisco Systems), Aaron Ballman (SEI)
No C++ rules were added, removed, deprecated, or substantively changed last month.
CERT Oracle Secure Coding Standard for Java
Editors: Adam O'Brien (Oracle), David Svoboda (SEI)
Added: The following rules were added as part of a new appendix of rules that are specific to the development of Java apps for the Android platform:
CERT Perl Secure Coding Standard
Editor: David Svoboda (SEI)
No Perl rules were added, removed, deprecated, or changed last month.
Upcoming Events / Training
Members of the Secure Coding Initiative will be giving three presentations at the JavaOne 2013 conference:
Session ID: CON6396 - Don't Be Pwned: A Very Short Course on Secure Programming in Java - Dean Sutherland and Robert Seacord
Session ID: CON3122 - Anatomy of a Java Zero-Day Exploit - David Svoboda
Session ID: TUT5599 - The Java Security Architecture: How and Why - David Svoboda
Mini-Track Announcement | Hawaii International Conference on Systems Sciences
Software Security for Mobile Platforms
January 6-9, 2014, Hilton Waikoloa, Big Island, Hawaii
Secure Coding in C and C++ Course
This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. This course may be offered by special arrangement at customer sites.
Our People
Each month we will highlight staff members behind our secure coding research. This month we feature Robert Seacord and Martin Sebor.
Robert C. Seacord is a senior vulnerability analyst in the CERT® Program at the Software Engineering Institute (SEI) in Pittsburgh, PA, where he leads the Secure Coding Initiative. Robert is the author of The CERT C Secure Coding Standard (Addison-Wesley, 2008) and Secure Coding in C and C++ (Addison-Wesley, 2002) as well as co-author of two other books. Robert is an adjunct professor at Carnegie Mellon University and a technical expert for ISO/IEC JTC1/SC22/WG14, the international standardization working group for the programming language C.
Martin Sebor is a technical leader in the C and C++ compiler tool chain group in the Network Operating Systems Group at Cisco Systems, Inc., where he works on compilers and related development tools as well as the Cisco network operating system IOS. Among Martin's responsibilities is leading the development and deployment of Cisco Secure Coding Standards. Martin's expertise includes the C and C++ languages and development tools, and the POSIX standard. Martin is Cisco's representative to the C and C++ international standards committees (PL22.11 and PL22.16 subgroups of the INCITS technical committee for Programming Languages, PL22).
Secure Coding Resources
Watch Robert Seacord discuss avoiding future security incidents from the recent CERT Virtual Event, A Discussion with CERT Experts: Constructing a Secure Cyber Future
Listen to Martin Sebor and Julia Allen discuss Cisco's Adoption of CERT Secure Coding Standards
Read "Silent Elimination of Bounds Checks" by Robert Seacord on the InformIT website