New Podcast: The Build Security In Maturity Model
Gary McGraw, Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from 78 high-performing organizations.
Winter Edition of the Secure Coding Newsletter
Read about the latest work we're doing related to Clang and standards updates.
New Secure Coding in Java Course
Fred Long and David Svoboda have built a four-day course on Secure Coding in Java, based on the CERT Oracle Coding Standard for Java.
Research into API Usability and Security
We're studying how to design APIs that are usable by programmers for developing secure code.
New Versions of DidFail Tool Released
New versions of DidFail, a tool that detects potential leaks of sensitive information in Android apps, are now available.
Clang Thread Safety Analysis Tool
Google and the CERT Secure Coding Initiative developed Clang Thread Safety Analysis, a tool that uses annotations to declare and enforce thread safety policies in C and C++ programs.
Compiler-Enforced Buffer Overflow Elimination
The Compiler-Enforced Buffer Overflow Elimination tool is a research prototype that prevents buffer overflows in multithreaded code and has additional features not found in other memory safety mechanisms.
SCALe Demonstration Videos
Watch demonstration videos of the Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.
Secure Coding in C and C++ Course
We offer this four-day course to help you identify and prevent common programming errors in C and C++, plus understand how these errors can lead to code that is vulnerable to exploitation.
Our Mission: We reduce the number of vulnerabilities to a level that can be fully mitigated in operational environments. This reduction is accomplished by preventing coding errors or discovering and eliminating security flaws during implementation and testing.
The CERT Division has been extremely successful in the development of secure coding standards, which have been adopted at corporate levels by companies such as Cisco and Oracle, and the development of the Source Code Analysis Laboratory (SCALe), which supports conformance testing of systems against these coding standards. The success of the secure coding standards and SCALe contributed to the impetus for including software assurance requirements in the National Defense Authorization Act (NDAA) for Fiscal Year 2013.
Eliminating vulnerabilities during development can reduce the total cost of repairing the code by two to three orders of magnitude compared with making the repairs after release. To achieve these goals, it is necessary to determine how to develop verifiably secure code within budget and on schedule.