Fall Edition 2016

Welcome to the Fall 2016 Edition of the CERT Secure Coding Standards eNewsletter! 
Another season has passed, and while we had a pleasant and mild start to the season, it's now getting cold in Pittsburgh. 

In this newsletter, we highlight some recent and upcoming changes to the wiki accounts and structure, in addition to changes in the guidelines.  We also highlight recent and future events that you might be interested in.  Many of these events were open to the public, so we have linked to the materials in case you were unable to attend.

We hope you find this information useful.  As we prepare to finish this year and get ready for the next, let us know your thoughts about our work and send us any challenges you think we should address.


Bob Schiela

SEI CERT Standard Publications

We have developed and published a set of errata for the SEI CERT C Coding Standard, 2016 Edition. We will continue to publish identified errata in this location.

We expect the final version of the SEI CERT C++ Coding Standard to be available in the next couple of months. We plan to publish this standard as a free PDF, similar to the release of the SEI CERT C Coding Standard, 2016 Edition.

Secure Coding Wiki Changes to Registered Accounts

There are some dormant accounts on the wiki. To more efficiently manage our site license, in early January 2017 we will disable accounts that have not been active (i.e., at least logged in) within the last 180 days. We will also disable accounts that were created more than 30 days ago if the user has never logged into them.

We will retain user history, contributions, and comments with attribution even after the accounts are disabled. However, users will no longer be able to log in unless they contact us to reactivate their account.

We will continue this policy going forward, disabling accounts that have not been used in 180 days or that were created more than 30 days ago without the user ever logging in.

We will also require that all registered accounts contain a valid email address in the user's profile. We will begin disabling accounts that do not have a valid email address starting 1 July 2017 (following the initial 180-day window for inactive accounts).

Secure Coding Wiki Changes to Structure

Each language section now has a "Related Guidelines" summary page for each related coding standard (e.g., MISRA, MITRE CWE). These pages list the relationships that exist between CERT rules/recommendations and guidelines in external coding standards. These pages are automatically generated from the individual rule/recommendation pages.
Each language section now has a "Risk Assessments" summary page that displays all rule/recommendation risk assessments for the language. These pages are automatically generated from the individual rule/recommendation pages.
We also developed guidelines for those who contribute content to the wiki, such as tool vendors that add mappings to rules.

Recent Events

Bob Schiela and the Software Engineering Institute hosted the CERT Secure Coding Symposium on 8 September 2016 in Washington, DC.
David Svoboda also gave the following presentations at JavaOne 2016 in September:
CERT, the Software Engineering Institute, and Carnegie Mellon University hosted the ISO/IEC WG14/PL22.11 C Standard meeting in Pittsburgh on 17-21 October 2016. Several members of our team participated, including Dan Plakosh, Aaron Ballman, and David Svoboda.

Team members made the following presentations at the SEI 2016 Research Review, which took place at the SEI in Pittsburgh on 25-26 October 2016. Links to the Secure Coding topics appear below; you can see a list of all presentations from the Research Review in the SEI's digital library.
Lori Flynn chaired the SPLASH co-hosted workshop, Mobile! 2016, which took place on 31 October 2016 in Amsterdam, The Netherlands.

The following papers and tutorials were presented at the IEEE CyberSecurity Development (SecDev) Conference, 3-4 November 2016:
Mark Sherman presented Experiences Developing an IBM Watson Cognitive Processing Application to Support Q&A of Application Security (Software Assurance) Diagnostics (co-authored with Lori Flynn and Chris Alberts) at the AAAI 2016 Fall Symposium on 18 November 2016.

Upcoming Events

Bob Schiela will present at the Software Assurance Community of Practice (SwA CoP) meeting in early December.

We plan to release the SEI CERT C++ Coding Standard in the next couple of months. Watch for our notices.

David Svoboda will give a Secure Coding Tutorial at the Software Solutions Symposium 2017 in Arlington, VA, in March 2017, where other software engineering and security presentations and hands-on tutorials will also be given. Topics include machine learning and software engineering, security engineering risk analysis, requirements elicitation, and software supply chain risk management. Registration is now open.

SEI CERT Secure Coding Standard Updates

CERT C Coding Standard

Editors: Aaron Ballman, SEI/CERT; David Svoboda, SEI/CERT

No C rules were added or removed.


New Clang Checkers

CERT C++ Secure Coding Standard

Editors: Aaron Ballman, SEI/CERT; David Svoboda, SEI/CERT

No C++ rules were added.


In preparation for the initial publication of the SEI CERT C++ Coding Standard, 2017 Edition, several rules were renumbered to remove gaps in the rule numbering within each chapter.


New Clang Checkers

CERT Oracle Secure Coding Standard for Java

Editor: David Svoboda, SEI/CERT

No Java rules were added or removed.


CERT Secure Coding Standard for Android

Editor: Lori Flynn, SEI/CERT

No Android rules were added, removed, deprecated, or substantively changed.

CERT Perl Secure Coding Standard

Editor: David Svoboda, SEI/CERT

No Perl rules were added, removed, deprecated, or substantively changed.

Our People
In the eNewsletter, we highlight the staff members behind our secure coding research. In this issue we feature Dr. Lori Flynn.

Dr. Lori Flynn is a software security researcher at the CERT Division of Carnegie Mellon University's Software Engineering Institute. Her research focuses on automating analysis of software for security. Prior to joining the SEI, she co-invented a patented static analysis method to create signatures for polymorphic viruses. Flynn is part of the CERT team that developed DidFail, the first static taint flow analyzer for Android app sets, and she is currently working on a research project that will increase its precision while retaining its speed. She also leads a research project working to accurately and automatically classify and prioritize alerts from code analysis tools.

Join the SEI CERT Secure Coding Community