Spring has finally arrived in Pittsburgh, Pennsylvania: we are now mowing our lawns instead of shoveling snow from our driveways. Major development work continues on the CERT C++ Coding Standard. We have also received some funding to continue this work into the next fiscal year, although the scope of the work still needs to be defined.
We have completed some additional steps since the significant reorganization reported in the last newsletter. We created a new public Android Secure Coding Standard space, where we plan to continue to develop coding standards for the Android platform. The Android-only rules and recommendations now have categories, similar to the other CERT standards. Much of the reorganization is not yet complete, so please excuse our mess (and some missing content) while we reorganize. We plan to rename the Android-only rules and recommendations, which currently start with DRD, to carry a "-A" suffix. CERT rules from other coding standards that also apply to Android app development will keep their current names.
Robert Seacord recently recorded Part 1 of a training video, Secure Coding Rules for Java LiveLessons. It is currently available to Safari Books Online subscribers as a Sneak Peek. Robert is now recording Part 2 of the video, to be released later this year. In Secure Coding Rules for Java LiveLessons, he provides coverage complementary to the rules in The CERT Oracle Secure Coding Standard for Java. The rules for which LiveLessons are available (for example, IDS00-J. Prevent SQL Injection) now contain links to the corresponding LiveLessons; the links are listed in the Bibliography sections and marked with an icon.
Robert Seacord just returned from Stuttgart, Germany, where he gave a keynote presentation on automotive vulnerabilities at the Automotive Safety and Security Conference and met with a number of industry executives. Perhaps the most interesting idea to come out of these meetings is a keen interest in developing a combined security/safety standard for C language programming. Please contact us if you are interested in being involved in or contributing to such an effort. Robert will also be speaking at the ISO 26262 Functional Safety Seminar sponsored by PRQA on May 12 in Detroit, Michigan.
Lori Flynn and Will Klieber published a new blog post, An Enhanced Tool for Securing Android Apps, which describes enhancements made to DidFail in late 2014 and an enterprise-level approach to using the tool.