A lot has happened so far this summer. You may have seen the recent Secure Coding Update concerning CERT's new tool. DidFail analyzes sets of Android apps for the leakage of sensitive information from a sensitive source to a restricted sink. The tool is free of charge and available to the public for download.
Will Klieber presented Android Taint Flow Analysis for App Sets (slides) at the ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis in June.
Amar Bhosale graduated with a nice Master's thesis, Precise Static Analysis of Taint Flow for Android Application Sets, describing our Android taint flow analysis in depth.
David Svoboda and Robert Seacord's presentation Inside the CERT Oracle Secure Coding Standard for Java [CON2368] was accepted at JavaOne 2014. Along with Yozo TODA, Lead Analyst at the JPCERT Coordination Center, David also had a second talk accepted: Anatomy of Another Java Zero-Day Exploit [CON2120]. We are looking forward to another successful JavaOne conference this year.
The SEI report titled Improving the Automated Detection and Analysis of Secure Coding Violations has been published on the SEI website. This paper describes the approach used to add the ability to collect and statistically analyze data regarding coding violations and tool characteristics, along with the initial results. The collected data will be used over time to improve the effectiveness of the SCALe analysis.
Aaron Ballman has returned from a successful C++ Standards meeting in Rapperswil, Switzerland, with big plans to update the CERT C++ Secure Coding Standard, which are being formulated on the C++ Coding Standard Development Guidelines page. Please feel free to join the discussion as we plan this major update.
Carol Lallier has finished retrofitting the off-line changes to The CERT C Coding Standard, Second Edition with the wiki, so the wiki now contains the fully synchronized "in development" version of this coding standard. The book remains the official standard against which SCALe assessments will be performed.
We continue to develop the Android secure coding standard on the Android Secure Coding wiki, and thanks go to everyone who has contributed with helpful comments! If you are an Android, Java, or C expert and would like to also contribute to completing this standard, we would be grateful for your input.
Otherwise, we have been quite busy with Source Code Analysis Laboratory (SCALe) assessments, which has led to a smattering of improvements to The CERT Oracle Secure Coding Standard for Java as we evolve rules to be clearer and more precise and to simplify conformance. Many of these changes are listed in the Java section below.
Please enjoy the rest of your summer, and get out there and work on your tans!
How are you using the CERT Secure Coding Standards?
We want to hear from you, the readers of this eNewsletter. Submit your comments about how you are using the CERT Secure Coding Standards.