A lot has happened so far this summer. You may have seen the recent Secure Coding Update concerning CERT's new tool. DidFail analyzes sets of Android apps for the leakage of sensitive information from a sensitive source to a restricted sink. The tool is free of charge and available to the public for download.

Will Klieber presented Android Taint Flow Analysis for App Sets (slides) at the ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis in June.

Amar Bhosale graduated, with a nice Master's thesis, Precise Static Analysis of Taint Flow for Android Application Sets, describing our Android taint flow analysis, in depth.  

David Svoboda and Robert Seacord's presentation Inside the CERT Oracle Secure Coding Standard for Java [CON2368] was accepted at JavaOne 2014. Along with Yozo TODA, Lead Analyst at the JPCERT Coordination Center, David also had a second talk accepted: Anatomy of Another Java Zero-Day Exploit [CON2120]. We are looking forward to another successful JavaOne conference this year.

The SEI report titled Improving the Automated Detection and Analysis of Secure Coding Violations has been published on the SEI website. This paper describes the approach used to add the ability to collect and statistically analyze data regarding coding violations and tool characteristics along with the initial results. The collected data will be used over time to improve the effectiveness of the SCALe analysis.

Aaron Ballman has returned from a successful C++ Standards meeting in Rapperswil, Switzerland, with big plans to update the CERT C++ Secure Coding Standard, which are being formulated on the C++ Coding Standard Development Guidelines page. Please feel free to join the discussion as we plan this major update.

Carol Lallier has finished retrofitting the off-line changes to The CERT C Coding Standard, Second Edition with the wiki, so the wiki now contains the fully synchronized "in development" version of this coding standard. The book remains the official standard against which SCALe assessments will be performed.

We continue to develop the Android secure coding standard on the Android Secure Coding wiki, and thanks go to everyone who has contributed with helpful comments! If you are an Android, Java, or C expert and would like to also contribute to completing this standard, we would be grateful for your input.

Otherwise, we have been quite busy with Source Code Analysis Laboratory (SCALe) assessments, which has led to a smattering of improvements to The CERT Oracle Secure Coding Standard for Java as we evolve rules to be clearer and more precise and to simplify conformance. Many of these changes are listed in the Java section below.
Please enjoy the rest of your summer-get out there and work on your tans!