Spring Edition 2017

Welcome to the Spring 2017 Edition of the CERT Secure Coding Standards eNewsletter!

It's the season of new growth (at least here in Pittsburgh), and the big news for the Secure Coding team is the release of the new C++ Coding Standard. We would like to thank Aaron Ballman for his dedication and perseverance in improving the C++ Coding Standard to a level that was ready for publication. It has been a lengthy endeavor. In addition to developing and editing the C++ coding rules, Aaron has also made the CERT C and C++ coding rules accessible to many developers by contributing practical implementations to the Clang and Clang-tidy projects. We also thank the other contributors to the C++ rules and the publication. There are too many to list here, and they are included in the document's introduction.

We are looking to grow our team and have several open positions in secure coding and software assurance. If you, or someone you know, are looking to use your skills to improve the state of the art and practice of coding securely, or of secure development and software assurance in general, information is below.

We also recently published a few blog posts and just presented at the SEI's Software Solutions Symposium. If you missed them, links are below.

As always, we hope you find this information useful. As you are reviewing the new C++ Coding Standard or any of our other materials, let us know your thoughts about our work and send us any comments or ideas you have on what we should do next.


Bob Schiela


This C++ Coding Standard joins the SEI CERT C Coding Standard that was released in 2016. The 2016 edition of the SEI CERT C++ Coding Standard reflects a decade of research and includes 83 new rules that take into account features of the C++ language that are not part of the C language. The majority of the SEI CERT C Coding Standard also provides guidance that is important for developing secure C++ programs, so both standards should be used by C++ development programs.

Open Positions in SEI CERT Secure Coding Team

We currently have a few opportunities to join our Secure Coding team. If you are interested in researching and developing improvements to the state of the art and practice in secure coding, secure development, and software assurance and you have the qualifications, please contact us.

Recent Events

Bob Schiela gave a presentation at the Software Assurance Community of Practice (SwA CoP) meeting in early December.

There were several noteworthy additions to the SEI Blog:

The SEI hosted the Software Solutions Symposium 2017 last week, March 20-23, in Arlington, VA, and it was well attended by government and industry. Here is a sample of the roughly 50 presentations and tutorials from the Symposium that you may be interested in. If you didn't attend, the materials from the conference should be available from the website soon.
  • Carol Woody taught "Security Risk Management Using the Security Engineering Risk Analysis (SERA) Method Tutorial" on March 20, 2017.
  • Nancy Mead presented "Using Malware Analysis to Identify Overlooked Security Requirements" on March 21, 2017.
  • Carol Woody presented "Security Measurement - Establishing Confidence That Security Is Sufficient" on March 22, 2017.
  • Carol Woody presented "Risks in the Software Supply Chain" on March 22, 2017.
  • Nancy Mead, William Newhouse, James Over, and Girish Seshagiri presented "Secure Software Workforce Development" on March 22, 2017.
  • Carol Woody presented "Building Secure Software for Mission Critical Systems" on March 22, 2017.
  • David Svoboda taught "Secure Coding Tutorial" on March 23, 2017.
  • Chris Alberts taught "Security Risk Management Using the Security Engineering Risk Analysis (SERA) Method Tutorial" on March 23, 2017.

SEI CERT Secure Coding Standard Updates

CERT C Coding Standard

Editors: David Svoboda, SEI/CERT

No C rules were added or removed.

CERT C++ Secure Coding Standard

Editors: David Svoboda, SEI/CERT

No C++ rules were added.

CERT Oracle Secure Coding Standard for Java

Editor: David Svoboda, SEI/CERT

No Java rules were added or removed.

  • IDS56-J. Prevent arbitrary file upload has a bug fix in the Compliant Solution. The error check that aborts if the uploaded file is neither a text file, an image, nor an HTML file joined its conditions with || when it should have used &&.
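
The effect of that operator mix-up, shown as an added illustration (this is not the text of the IDS56-J Compliant Solution; the class, method names and the three content-type constants are assumptions chosen for the example). With ||, at least one negated comparison is always true, so the check aborts every upload; with &&, it aborts only types outside the allowed set.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class UploadTypeCheck {
    // Constructed allow-list standing in for "text file, image, or HTML file".
    static final String TEXT = "text/plain", IMAGE = "image/jpeg", HTML = "text/html";

    // Before the fix: the negated comparisons are joined with ||.
    // No value equals all three constants, so at least one comparison
    // is always true and every upload is aborted, allowed or not.
    static boolean abortsBeforeFix(String type) {
        return !TEXT.equalsIgnoreCase(type)
            || !IMAGE.equalsIgnoreCase(type)
            || !HTML.equalsIgnoreCase(type);
    }

    // After the fix: abort only when the type matches none of the
    // allowed values. A null (undetected) type matches none, so it aborts.
    static boolean abortsAfterFix(String type) {
        return !TEXT.equalsIgnoreCase(type)
            && !IMAGE.equalsIgnoreCase(type)
            && !HTML.equalsIgnoreCase(type);
    }

    // Equivalent allow-list form that avoids hand-written negations.
    static final List<String> ALLOWED = Arrays.asList(TEXT, IMAGE, HTML);

    static boolean abortsAllowList(String type) {
        return type == null || !ALLOWED.contains(type.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed detected content types, including an undetected (null) one.
        String[] samples = { "text/plain", "IMAGE/JPEG", "text/html",
                             "application/x-msdownload", null };
        for (String type : samples) {
            System.out.printf("%-26s before=%-5b after=%-5b allowlist=%b%n",
                type, abortsBeforeFix(type), abortsAfterFix(type), abortsAllowList(type));
        }
    }
}
```
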
CERT Secure Coding Standard for Android

Editor: Lori Flynn, SEI/CERT

No Android rules were added, removed, deprecated, or substantively changed.

CERT Perl Secure Coding Standard

Editor: David Svoboda, SEI/CERT

No Perl rules were added or removed.

Our People

In our eNewsletters, we highlight the staff members behind our secure coding research. In this issue we feature Dr. Will Klieber.

Dr. Will Klieber is a researcher at the CERT Division of the Software Engineering Institute. His current focus is on automated repair of common types of bugs that give rise to security vulnerabilities. He has worked on static analysis of Android apps and the detection of potentially malicious Java source code. Prior to joining the CERT Division, Klieber was a doctoral student at Carnegie Mellon University's Computer Science Department, where he completed his PhD thesis in the area of Quantified Boolean Formulas (QBF) and its application to the verification of hardware and software.

Join the SEI CERT Secure Coding Community