Summer Edition 2016


Welcome to the Summer 2016 Edition of the CERT Secure Coding Standards eNewsletter! 

 
Another season is upon us, and we have been busy with the upcoming and recent events and activities described in this newsletter. We hope you had a great summer and are getting ready for the fall (and new fiscal year for some).
 
Register Now!


Our Secure Coding Symposium is scheduled for 8 September 2016 in the Arlington, VA area. We will have great speakers from government, industry, and academia who will talk about future trends affecting secure coding, including keynotes from Dr. Peter Fonash of DHS and Mary Ann Davidson of Oracle. Registration for the symposium is still open; fewer than 20 seats remain available!


C++ Standard Reviewers Needed


The SEI CERT C++ Coding Standard is entering the final technical review stage before its pending publication later this fall. Anyone interested in the content of the standard should review topics and raise any issues or suggestions as a comment on the rule pages so that we can address all issues and respond to questions. We are focusing on the rules (not the recommendations) at this time.


We plan to publish the CERT C++ Coding Standard as a free PDF, similar to the release of the SEI CERT C Coding Standard. We appreciate all help in making sure that the standard reflects the best practices of the community. All constructive contributors will be recognized in the standard when published.


CERT Secure Coding in Java Professional Certificate Released


A few weeks ago, we released the CERT Secure Coding in Java Professional Certificate. It joins the CERT Secure Coding in C and C++ Professional Certificate that was released earlier this year. Both are eLearning professional development offerings. Each Professional Certificate teaches secure software concepts and secure coding best practices for the respective programming language.


In these certificate programs, students take two courses of self-paced, online material and complete a required examination. The certificate programs are especially helpful for providing secure coding training to very large groups of developers, as well as to individuals or small teams of developers. We also offer instructor-led training at customer sites, designed for groups of 15-30 per delivery session.


Events
Upcoming Events


Don't forget to register for our Secure Coding Symposium on 8 September 2016 in the Arlington, VA area.


CERT, the Software Engineering Institute, and Carnegie Mellon University are hosting the upcoming ISO WG14/PL22.11 C Standard meeting in Pittsburgh on 17-21 October 2016. Several members of our team will be participating, including Dan Plakosh, Aaron Ballman, and David Svoboda.



Lori Flynn is chair of the SPLASH co-hosted workshop Mobile! 2016, which will take place on 31 October 2016 in Amsterdam, The Netherlands. Please consider submitting a paper or simply attending this workshop on mobile application development and analysis.


David Svoboda will give three presentations at JavaOne 2016 in September:
  • Inside the CERT Oracle Secure Coding Standard for Java
  • Exploiting Java Serialization for Fun and Profit
  • The Java Security Architecture: How and Why
The following papers and tutorials have been accepted to the Security Development Conference in November:
  • Static Analysis Alert Audits: Formal Lexicon & Rules by David Svoboda, Lori Flynn, and Will Snavely
  • Automated Code Repair Based on Inferred Specifications by William Klieber
  • Tutorial: Beyond errno: Error Handling in C by David Svoboda
Recent Events


Mark Sherman presented "Construction and Implementation of CERT Secure Coding Rules Improving Automation of Secure Coding" at the Safe and Secure Systems and Software Symposium (S5) on 13 July 2016. The presentation was co-developed by Mark Sherman and Aaron Ballman.


Mark Sherman presented "Risks in the Software Supply Chain" at Abstractions on 18-20 August 2016 in Pittsburgh, PA.


Mark Sherman and Bob Schiela presented the webinar "From Secure Coding to Secure Software" on 17 August 2016.



SEI CERT Secure Coding Standard Updates


CERT C Coding Standard


Editors: Aaron Ballman, SEI/CERT; Martin Sebor, Red Hat, Inc.




Changed
No C rules were added or removed.


New Clang Checkers


CERT C++ Secure Coding Standard


Editors: Aaron Ballman, SEI/CERT; Martin Sebor, Red Hat, Inc.


Added
Changed
Removed
 
New Clang Checkers


CERT Oracle Secure Coding Standard for Java


Editors: David Svoboda, SEI/CERT; Brad Senetza, Oracle


 
Changed
No Java rules were added or removed.


CERT Secure Coding Standard for Android


Editors: Fred Long, Aberystwyth University; Lori Flynn, SEI/CERT


No Android rules were added, removed, deprecated, or substantively changed.


CERT Perl Secure Coding Standard


Editor: David Svoboda, SEI/CERT


No Perl rules were added, removed, deprecated, or substantively changed.



Our People
   
In the eNewsletter, we highlight the staff members behind our secure coding research. In this issue we feature Aaron Ballman.


Aaron Ballman is a Software Security Engineer at CERT. He is an active developer on the Clang open source C/C++/Objective-C compiler, focusing primarily on front-end development. Aaron has over a decade of experience writing commercial compilers for various programming languages and developing cross-platform C and C++ frameworks.


He is the author of Ramblings on REALbasic (2009) and the CERT C++ Coding Standard (Coming Soon!), and one of the authors of the CERT C Coding Standard (2014). He is currently a voting member of ISO/IEC JTC1/SC22/WG21, the C++ standards committee.



When he's not writing code, Aaron is a Women's Flat Track Roller Derby official who skates under the name Flash Drive, a director for Penobscot Community Health Care, and the caretaker of two dogs, two cats, and six chickens.
 
Join the SEI CERT Secure Coding Community







Software Engineering Institute, Carnegie Mellon University | 4500 Fifth Avenue | Pittsburgh | PA | 15213