News
We are still working hard to complete the CERT C Secure Coding Standard upgrade for C11. To do so, we need your help in reviewing the content and submitting comments on the wiki or by email. This is the last call for comments before publication.
Although we remain focused on security, we have begun to rename some of our publications to indicate that many of our coding standards go beyond security to address other quality attributes as well. This broader scope is reflected in the title of our must recent book, Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, and the upcoming revision to the CERT C Secure Coding Standard, which is tentatively titled The CERT C Coding Standard: 92 Rules for Developing Safe, Reliable, and Secure Systems, the tentative part being the number of rules. We hope you appreciate this direction as we expand our scope to address the broader range of issues our customers care about.
Our friend Milton Smith (Sr. Principal Security PM-Java Products, Java Platform Group Desk) brought the Java Platform Group, Product Management blog to our attention. All the product managers in the Java Platform Group, which includes Java SE, JavaFX, Java ME, and Javacard technology, blog here on topics primarily related to Java SE (generally), Java Security (broadly), Usability, and related areas of interest. If you don't already, you should also follow the CERT/Coordination Center blog, which may occasionally provide a counterpoint to Oracle's blog. CERT is committed to working with vendors such as Oracle to help resolve security issues, such as vulnerabilities, while remaining an independent voice. If you would like to contribute to this or other efforts, and want to contact us privately, please send email to [email protected].
Top 10 Coding Guidelines for Java
 As a reader of this eNewsletter, we want to hear from you. How are you using CERT Secure Coding Standards? Write to us, and we may feature your work.
Language Standards Updates
CERT C Secure Coding Standard
Editors: Martin Sebor (Cisco Systems), Aaron Ballman (SEI)
Guidelines Added
Added an exception for objects being an array of one element.
Renumbered the existing exception to start from 0 for consistency with other rules; added an exception allowing variable reuse in macros.
Changed from a rule to a recommendation; was previously listed as DCL34-C. Contents rewritten.
Updates applied during the course of review; serialization CS was rewritten.
Substantive updates applied during the course of review; now covers quick_exit handlers as well.
Updated and renamed during the course of review; was previously named "Do not depend on order of evaluation between sequence points."
Merged the exceptions into a single exception; updated the list of exceptional functions.
Removed UB from the Entropy compliant solution; reworded the rule for consistency during the course of review.
Updated and renamed during the course of review; was previously named "Do not modify constant values."
Updated the Windows CS to no longer use the GetFileType() API due to possible DoS concerns.
Changed from a rule to a recommendation; was previously listed as FLP33-C.
Updated to include information about pole errors.
Renamed during the course of review; previously was named "Beware of precision loss when converting integral types to floating point."
Updated the atomic integer CS wording to point out a potential race condition.
Updated to include wording about object lifetime; added an example of misusing automatic storage.
Removed the exception allowing you to ignore deallocation of nonallocated memory when the library accepts such behavior.
Updated during the course of review; the strrchr() CS was rewritten.
Updated with another NCCE/CS pair describing the behavior of the fopen() API on Windows.
Guidelines Deprecated & Removed
ARR31-C. Use consistent array notation across all source files
Only applicable to pre-standards K&R C; conforming C compilers issue errors in all circumstances.
CERT C++ Secure Coding Standard
Editors: Martin Sebor (Cisco Systems), Aaron Ballman (SEI)
No C++ rules were added, removed, deprecated, or substantively changed last month.
CERT Oracle Secure Coding Standard for Java
Editors: Adam O'Brien (Oracle), David Svoboda (SEI) A New Java Section Was Added:
It currently contains one rule:
Added a new exception to allow signed applets that specifically request to be sandboxed.
This is supported in Java 7 since update 25.
No Java rules were removed last month
CERT Perl Secure Coding Standard
Editor: David Svoboda (SEI)
No Perl rules were added, removed, deprecated, or substantively changed last month.
Upcoming Events and Training
CERT STEPfwd (Simulation, Training, and Exercise Platform) combines extensive research and innovative technology to offer a new solution to cybersecurity workforce development-helping practitioners and their teams build knowledge, skills, and experience in a continuous cycle of professional development. The goal of this approach is for cybersecurity professionals to use relevant knowledge, skills, and experience to successfully and effectively perform their duties-individually making improvements and collectively moving the organization forward.
FloCon
January 13-16, 2014
FloCon, a network security conference, takes place at the Francis Marion Hotel in Charleston, South Carolina. This open conference provides a forum for operational network analysts, tool developers, researchers, and other parties interested in the analysis of large volumes of traffic to showcase the next generation of flow-based analysis techniques. http://www.cert.org/flocon/
Mini-Track Announcement | Hawaii International Conference on Systems Sciences
Software Security for Mobile Platforms
January 6-9, 2014
Hilton Waikoloa, Big Island, Hawaii
MOOCs? Books? Forums? Just diving in? Accomplished software developers, language creators, and authors share their perspectives on the best way to learn a new programming language. This article is part of our Learn a New Programming Language feature. (Includes a contribution from Robert Seacord).
Our People
Each month we highlight staff members behind our secure coding research. This month we feature Dan Plakosh and John Benito.
John Benito is an independent consultant providing software development, project management, and software testing. He is the current Convener of ISO/IEC JTC 1/SC 22/WG14, the ISO group responsible for Standard C, the initial Convener of ISO/IEC JTC 1/SC 22 WG 23 (was OWG Vulnerabilities), the project editor for the Technical Report 24772, and a member of the INCITS PL22.11 (ANSI C) technical committee. John previously was a member of INCITS PL22.16 (ANSI C++) and the ISO Java Study group. He has been in software development, project management, and testing for over 38 years. John has been participating in International Standard development for the past 24 years and is the recipient of the INCITS Exceptional International Leadership Award.
 Dan Plakosh was the lead software engineer for the Systems Engineering Department at the Naval Surface Warfare Center (NSWCDD) before joining the SEI. Dan has over 15 years of software development experience in defense, research, and industry. Dan's principal areas of expertise include real-time distributed systems, network communications and protocols, systems engineering, real-time 2D and 3D graphics, and UNIX OS internals. Much of Dan's recent experience has been redesigning legacy-distributed systems to use the latest distributed communication technologies.
Read Secure Design Patterns by Chad Dougherty, Kirk Sayre, Robert C. Seacord, David Svoboda, and Kazuya Togashi.
|
