Secure Coding

Robert Seacord Speaks at a Briefing on Capitol Hill

At the briefing, three speakers discussed what steps can be taken today to make significant improvements in cybersecurity.

New Service Available

Our experts can advise you on how to optimize your system for analyzing code to evaluate your software’s security.

Watch Archive of CERT Cyber COI Event

In this day-long, interactive, virtual event, CERT researchers discussed current work associated with DoD cyber community of interest (COI) technology challenges and gaps.

Secure Coding Research

Robert Seacord describes the research his Secure Coding Team is conducting and the vision the team has to guide its work.

Research into API Usability and Security

We're studying how to design APIs that are usable by programmers for developing secure code.

New Versions of DidFail Tool Released

New versions of DidFail, a tool that detects potential leaks of sensitive information in Android apps, are now available.

Clang Thread Safety Analysis Tool

Google and the CERT Secure Coding Initiative developed Clang Thread Safety Analysis, a tool that uses annotations to declare and enforce thread safety policies in C and C++ programs.

Compiler-Enforced Buffer Overflow Elimination

The Compiler-Enforced Buffer Overflow Elimination tool is a research prototype that prevents buffer overflows in multithreaded code and has additional features not found in other memory safety mechanisms.

Java Coding Guidelines: Now Available Free Online

The CERT Division is making the content of its Java Coding Guidelines book available free online.

SCALe Demonstration Videos

Watch demonstration videos of Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.

Secure Coding in C and C++ Course

We offer this four-day course to help you identify and prevent common programming errors in C and C++, plus understand how these errors can lead to code that is vulnerable to exploitation.

Our Mission: We reduce the number of vulnerabilities to a level that can be fully mitigated in operational environments. This reduction is accomplished by preventing coding errors or discovering and eliminating security flaws during implementation and testing.

The CERT Division has been extremely successful in the development of secure coding standards, which have been adopted at corporate levels by companies such as Cisco and Oracle, and the development of the Source Code Analysis Laboratory (SCALe), which supports conformance testing of systems against these coding standards. The success of the secure coding standards and SCALe contributed to the impetus for including software assurance requirements in the National Defense Authorization Act (NDAA) for Fiscal Year 2013.

Eliminating vulnerabilities during development can result in a two to three orders-of-magnitude reduction in the total cost of repairing the code versus making the repairs afterwards. To achieve these goals, it is necessary to determine how to develop verifiably secure code within budget and on schedule.

We research secure coding.

We do research and development to create tools to support creation of secure code right from the start, and analytical tools to detect code vulnerabilities. We also work with the software development and security communities to research and develop secure coding standards for commonly used programming languages and for smartphone platforms (Android, iOS, Win8).

We participate in international standards development.

We participate in the development of international standards for programming languages to improve the security of these languages.

We provide SCALe conformance testing services.

We assess whether your software conforms to CERT secure coding standards through our Source Code Analysis Laboratory (SCALe).

Engage with Us

Help inform our research. Share what has worked for you, or let us know if you need support from our team.


News & Announcements

Publications & Media

Secure Coding Wiki
In our recently restructured and redesigned wiki, members of the community can work with us to develop new secure coding rules and recommendations for the C, C++, Java, and Perl languages.

DidFail Report Released and Updated Versions of the Tool Available
New versions of DidFail, a tool that detects potential leaks of sensitive information in Android apps, are available. The most recent enhancements to DidFail are described in the technical report Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets.

Java Coding Guidelines Available Free Online
We have made the Java coding guidelines available online both to promote more widespread adoption of secure coding standards and as a thank you to the software security and software development communities that have collaborated with us to make secure coding initiatives a success.

Clang Thread Safety Analysis Tool
Google and the CERT Secure Coding Initiative developed Clang Thread Safety Analysis, a tool that uses annotations to declare and enforce thread safety policies in C and C++ programs.

SCALe Demonstration Videos Available
These videos, narrated by David Svoboda, illustrate the process of auditing a small C codebase using our Source Code Analysis Laboratory (SCALe).

Performance of Compiler-Assisted Memory Safety Checking
In this new SEI technical note, David Keaton and Robert Seacord describe the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely available.

The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition
In this book, Robert Seacord provides rules to help programmers ensure that their code complies with the new C11 standard and earlier standards, including C99.

DidFail Tool
The DidFail tool uses static analysis to detect potential leaks of sensitive information within a set of Android apps.

Java Coding Guidelines
In this book, Robert Seacord brings together expert guidelines, recommendations, and code examples to help you use Java code to perform mission-critical tasks.