Major development work continues on the CERT C++ Coding Standard, which has a long list of added, changed, and removed rules in this newsletter. We are also reorganizing both the Java Coding Guidelines and The CERT Oracle Coding Standard for Java to make them easier to navigate. Part of this effort is to apply the unique identifiers used in the coding standard (see Guidelines) to the secure coding guidelines as well. We are updating all the Java rules and guidelines for Java Standard Edition (SE) 8, and we encourage the community to participate in this project. As part of this change, we have created a new section in the Java rules for rules involving characters and strings: 04. Characters and Strings (STR).
Lori Flynn and Will Klieber led a team of Carnegie Mellon University grad students (Will Snavely, Jonathan Burket, Jonathan Lim, and Wei Shen) on a semester-long project that significantly enhanced DidFail, our static taint flow analyzer for sets of Android apps. First, the team developed a new framework for testing the DidFail analyzer, which includes a setup for cloud-based testing and instrumentation to measure the analyzer's performance. The cloud-based setup lets us take advantage of Amazon's powerful virtual machines and run them in parallel so that tests complete faster. Second, DidFail was modified to use the most current versions of FlowDroid and Soot; the new version of DidFail successfully processed three times as many apps as the previous version did, from a set of 90 apps randomly chosen from a large collection. Third, initial enhancements were made to DidFail that move us closer to the goal of analyzing all types of components and shared static fields. Fourth, the team developed new test apps that exercise the analytical features added to DidFail. Finally, the improved DidFail analyzer and the cloud-based testing framework were used to test both the new test apps and apps from the Google Play store. The grad students did excellent work, and Lori and Will are currently working with them to write an SEI technical report that will detail the testing framework, the enhancements to DidFail, the newly developed test apps, and the test results. The new code developed for this project will be published soon.
How are you using the CERT Secure Coding Standards?
We want to hear from you, our eNewsletter readers.
Submit your comments and let us know how you are using the CERT Secure Coding Standards.