News
This summer, the Secure Coding Initiative has achieved several milestones in international standards adoption. For the ISO/IEC JTC 1/SC 22/WG 14 committee, which manages the C language standard, David Svoboda's document N1899 Integer Precision Bits was added to the list of items to consider for the next revision of the C language standard. This document was written to address a problem described in INT35-C. Use correct integer precisions in the CERT C Coding Standard. The ISO/IEC JTC 1/SC 22/WG 23 committee approved the standard ISO/IEC 17960, Code signing for source code, for final publication. The publication process is expected to be complete within 30 to 60 days. ISO/IEC 17960 is the culmination of a 4-year effort to make it possible for recipients of security-sensitive source code to re-create a verifiable audit trail detailing the origin of each modification to the code, using digital signatures.
Andrew Banks of MISRA gave a presentation at the VDA Automotive SYS conference in Potsdam, Germany, detailing plans to enhance MISRA C so that compliance with MISRA C will imply compliance with ISO/IEC TS 17961:2013, C secure coding rules. In addition, he presented plans to use the CERT C Coding Standard as input to the next edition of MISRA C. These steps essentially take a safety standard and augment it to address security as well, a welcome and much-needed development in automotive systems, the original market for MISRA C and still one of the most important.
In other news, Lori Flynn and Will Klieber wrote an article, "Smartphone Security," which will be published in the next edition of the IEEE Pervasive Computing Journal. The severe Stagefright vulnerabilities in the Android OS, which were publicly disclosed while the article was being reviewed by the journal, provide a good example of the widespread problem of vendors failing to provide critical security updates for even a majority of Android phones in use.
How are you using the CERT Secure Coding Standards?
As a reader of this eNewsletter, your input is important to us. Submit your comments and let us know how you are using CERT Secure Coding Standards.
Language Standards Updates
CERT C Coding Standard
Editors: Martin Sebor (Red Hat, Inc) and Aaron Ballman (SEI/CERT)
Added
Changed
CERT C++ Secure Coding Standard
Editors: Martin Sebor (Red Hat, Inc) and Aaron Ballman (SEI/CERT)
Added
Changed
Removed
CERT Oracle Secure Coding Standard for Java
Editors: Brad Senetza (Oracle) and David Svoboda (SEI/CERT)
Moved
No Java rules were added or removed.
CERT Secure Coding Standard for Android
Editors: Fred Long (Aberystwyth University) and Lori Flynn (SEI/CERT)
No Android rules were added, removed, deprecated, or substantively changed.
CERT Perl Secure Coding Standard
Editor: David Svoboda (SEI/CERT)
No Perl rules were added, removed, deprecated, or substantively changed.
Upcoming Events
Workshop: Third International Workshop on Mobile Development Lifecycle (MobileDeLi 2015)
Organizers: Lori Flynn (CERT), Aharon Abadi, and Jeff Gray
October 26, 2015, in Pittsburgh, Pennsylvania, United States
Details at http://2015.splashcon.org/track/mobiledeli2015
Collocated with the ACM SIGPLAN conference on Systems, Programming, Languages and Applications: Software for Humanity (SPLASH)
Our People
In the eNewsletter, we highlight staff members behind our secure coding research. This month we feature David Keaton. David Keaton's background is in compilers and computer architecture. He has written compilers for systems ranging from embedded processors to supercomputers. David has two patents related to compiler-assisted security mechanisms. He is the convener of the international standards committee for the programming language C, ISO/IEC JTC 1/SC 22/WG 14, and has been a voting member of the C committee since 1990. David joined CERT in 2010, prior to which he was an independent consultant for 16 years. His work for CERT includes compiler prevention of integer overflows and buffer overflows.