It is beginning to feel like spring here in Pittsburgh: the temperature has not fallen below zero degrees for several days now, and it has even briefly stopped snowing. Many of the updates to the secure coding wiki have been in the CERT C Coding Standard space as Carol Lallier synchronizes changes from the manuscript of the upcoming Addison-Wesley book.
This project is nearing completion; we are currently reviewing the page proofs, which are due back to the publisher on March 7. Overall, the project is on schedule, and the book is still expected to be available on or about April 18, 2014.
The SEI has launched a new version of the CERT website. The site has been redesigned to improve the user experience, to better represent the key capabilities and current research functions of the SEI's CERT Division, and to enable one-click access to the site's most in-demand resources (such as Secure Coding).
Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering), Lori Flynn, Limin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering), Will Klieber, Fred Long, Dean F. Sutherland, and David Svoboda published an SEI technical report, Mobile SCALe: Rules and Analysis for Secure Java and Android Coding, describing the Android secure coding rules, guidelines, and static analysis developed as part of the Mobile SCALe project. This work is also being performed in collaboration with Masaki Kubo and Yozo Toda of JPCERT, both of whom have just completed their yearly pilgrimage to Pittsburgh to meet with the secure coding team.
Finally, David Svoboda and Robert Seacord have both been asked to join the security review team that reviews submissions for the JavaOne Security Track. The call for proposals should be out soon, so it's not too early to begin thinking about submissions. Dan Plakosh and Robert Seacord are also running a Software Security for Mobile Platforms Minitrack at HICSS-48, January 5-8, 2015. See the events section below for details.
Mobile SCALe
In March, we kick off a series of posts on the SEI blog about our work on Android secure coding rules and guidelines. The first post focuses on the initial development of our Android rules and guidelines, done in 2013. The next post in the series will focus on the development of two tools that analyze information flow within and between Android apps. Later this year, we will publish a third post about our ongoing Android secure coding work: expanding the coding rules and guidelines beyond Java and further developing our newest static analysis tool. The posts may be viewed at blog.sei.cmu.edu.
How are you using the CERT Secure Coding Standards?
We want to hear from you, our eNewsletter readers. Submit your comments about how you are using the CERT Secure Coding Standards.