Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

Robert C. Seacord
May 2015 - Conference Paper A Course-Based Usability Analysis of Cilk Plus and OpenMP

Topics: Secure Coding

Authors: Michael Coblenz (Carnegie Mellon School of Computer Science), Robert C. Seacord, Brad Myers, Joshua Sunshine (Institute for Software Research), Jonathan Aldrich

In this paper, the authors compare Cilk Plus and OpenMP to evaluate the design tradeoffs in the usability and security of these two approaches.

July 2014 - Technical Note Performance of Compiler-Assisted Memory Safety Checking

Topics: Secure Coding

Authors: David Keaton, Robert C. Seacord

This technical note describes the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely available.

June 2014 - Technical Note Improving the Automated Detection and Analysis of Secure Coding Violations

Topics: Secure Coding

Authors: Daniel Plakosh, Robert C. Seacord, Robert W. Stoddard, David Svoboda, David Zubrow

This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.

May 2014 - Webinar Heartbleed: Analysis, Thoughts, and Actions

Topics: Network Situational Awareness, Secure Coding

Authors: Will Dormann, Robert Floodeen, Brent Kennedy, William Nichols, Jason McCormick, Robert C. Seacord

Panelists discussed the impact of Heartbleed, methods to mitigate the vulnerability, and ways to prevent crises like this in the future.

April 2014 - Article Secure Coding in C and C++: Strings and Buffer Overflows

Topics: Secure Coding

Authors: Robert C. Seacord

In this sample chapter, Robert Seacord discusses mitigation strategies that can be used to help eliminate vulnerabilities resulting from buffer overflows.

April 2014 - Article Accessing Shared Atomic Objects from within a Signal Handler in C

Topics: Secure Coding

Authors: Robert C. Seacord

In this article, Robert Seacord describes how to safely access shared objects from a signal handler.

April 2014 - Book The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition

Topics: Secure Coding

Authors: Robert C. Seacord

In this book, Robert Seacord provides rules to help programmers ensure that their code complies with the new C11 standard and earlier standards, including C99.

April 2014 - Article Secure Coding in C and C++: An Interview with Robert Seacord

Topics: Secure Coding

Authors: Robert C. Seacord, Danny Kalev (No Affiliation)

In this article, Danny Kalev talks to Robert Seacord about the new edition of his book, dangerous features in C11, and advice for making your code more secure.

April 2014 - Presentation Why Can’t Johnny Program Securely?

Topics: Secure Coding

Authors: Robert C. Seacord

In this presentation, given at InfoSec World 2014 in April 2014, Robert Seacord discusses the challenges of coding software securely and how standards can help.

March 2014 - Article Preface to The CERT C Coding Standard, second edition

Topics: Secure Coding

Authors: Robert C. Seacord

In this preface, Robert Seacord introduces his book The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems.

January 2014 - Podcast Raising the Bar - Mainstreaming CERT C Secure Coding Rules

Topics: Secure Coding

Authors: Robert C. Seacord, Julia H. Allen

In this podcast, Robert Seacord describes the CERT-led effort to publish an ISO/IEC technical specification for secure coding rules for compilers and analyzers.

September 2013 - Article Java Coding Guidelines for Reliability

Topics: Secure Coding

Authors: Fred Long (Aberystwyth University), Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

In this sample chapter, the authors describe how to avoid obscure techniques and code that is difficult to understand and maintain when programming in Java.

September 2013 - Video Don’t Be Pwned: A Short Course on Secure Programming in Java

Topics: Secure Coding

Authors: Robert C. Seacord, Dean F. Sutherland

In this JavaOne 2013 video, developers of the CERT Oracle Secure Coding Standard for Java describe exploits that compromised Java programs in the field.

September 2013 - Presentation Don’t Be Pwned: A Short Course on Secure Programming in Java

Topics: Secure Coding

Authors: Dean F. Sutherland, Robert C. Seacord, David Svoboda

In this presentation, the developers of the CERT Oracle Secure Coding Standard for Java present real exploits that have compromised Java programs in the field.

August 2013 - Book Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs

Topics: Secure Coding

Authors: Robert C. Seacord

In this book, Robert Seacord brings together expert guidelines, recommendations, and code examples to help you use Java code to perform mission-critical tasks.

June 2013 - Article C Secure Coding Rules: Past, Present, and Future

Topics: Secure Coding

Authors: Robert C. Seacord

In this article, Robert Seacord offers a history of secure coding work and provides details about the ISO/IEC TS 17961 C Secure Coding Rules.

June 2013 - Article Silent Elimination of Bounds Checks

Topics: Secure Coding

Authors: Robert C. Seacord

In this article, Robert Seacord shows how compiler optimizations can eliminate causality in software and increase software faults, defects, and vulnerabilities.

May 2013 - White Paper Strengths in Security Solutions

Topics: Cybersecurity Engineering, Secure Coding

Authors: Arjuna Shunn (Microsoft), Carol Woody, Robert C. Seacord, Allen D. Householder

In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.

April 2013 - Webinar Secure Coding - Avoiding Future Security Incidents

Topics: Secure Coding

Authors: Robert C. Seacord

In this 2013 webinar, Robert Seacord discusses secure coding as part of preventing security incidents.

April 2013 - Video A Discussion with CERT Experts: Constructing a Secure Cyber Future

Topics: Secure Coding

Authors: Robert C. Seacord

In this video, Robert Seacord discusses what the CERT Division is doing to improve secure development practices.

November 2012 - Webinar Source Code Analysis Laboratory (SCALe)

Topics: Secure Coding

Authors: Robert C. Seacord

In this webinar, Robert Seacord discusses SCALe, a demonstration that software systems can be conformance tested against secure coding standards.

November 2012 - Webinar Source Code Analysis Laboratory (SCALe)

Topics: Secure Coding

Authors: Robert C. Seacord

In this webinar, Robert Seacord discusses SCALe, a demonstration that software systems can be tested for conformance to secure coding standards.

October 2012 - Video Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code

Topics: Secure Coding

Authors: Robert C. Seacord

In this video training, Robert Seacord provides an in-depth explanation of how to use common C language features to produce robust, secure, and reliable code.

July 2012 - Technical Note Supporting the Use of CERT Secure Coding Standards in DoD Acquisitions

Topics: Secure Coding

Authors: Timothy Morrow, Robert C. Seacord, John K. Bergey, Philip Miller

In this report, the authors provide guidance for helping DoD acquisition programs address software security in acquisitions.

April 2012 - Technical Note Source Code Analysis Laboratory (SCALe)

Topics: Secure Coding

Authors: Robert C. Seacord, Will Dormann, James McCurley, Philip Miller, Robert W. Stoddard, David Svoboda, Jefferson Welch

In this report, the authors describe the CERT Program's Source Code Analysis Laboratory (SCALe), a conformance test against secure coding standards.

October 2011 - Article The CERT Oracle Secure Coding Standard for Java: Input Validation and Data Sanitization

Topics: Secure Coding

Authors: Fred Long (Aberystwyth University), David Svoboda, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland

In this sample chapter, the authors provide rules, assesses their risk, and provide noncompliant and compliant code and solutions to validate and sanitize the data.

September 2011 - Presentation Secure Coding in C++: Integers

Topics: Secure Coding

Authors: Robert C. Seacord

In this SD Best Practices 2006 presentation, Robert Seacord explains how to secure integers, a growing source of vulnerabilities in C and C++ programs.

September 2011 - Book The CERT Oracle Secure Coding Standard for Java

Topics: Secure Coding

Authors: Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

In this book, the authors provide the first comprehensive compilation of code-level requirements for building secure systems in Java.

June 2011 - White Paper An Online Learning Approach to Information Systems Security Education

Topics: Secure Coding

Authors: Norman Bier (Carnegie Mellon University), Marsha Lovett (Carnegie Mellon University), Robert C. Seacord

In this paper, the authors describe the development of a secure coding module that shows how to capture content, ensure learning, and scale to meet demand.

December 2010 - Technical Report Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems

Topics: Secure Coding

Authors: Robert C. Seacord, Will Dormann, James McCurley, Philip Miller, Robert W. Stoddard, David Svoboda, Jefferson Welch

In this report, the authors describe the Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.

November 2010 - Presentation As-If Infinitely Ranged Integer Model

Topics: Secure Coding

Authors: Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Thomas Plum (Plum Hall, Inc.), Will Dormann, David Keaton, Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

This ISSRE 2010 paper describes the AIR Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping.

May 2010 - Technical Report Java Concurrency Guidelines

Topics: Secure Coding

Authors: Fred Long, Dhruv Mohindra, Robert C. Seacord, David Svoboda

In this report, the authors describe the CERT Oracle Secure Coding Standard for Java, which provides guidelines for secure coding in Java.

May 2010 - Technical Report Specifications for Managed Strings, Second Edition

Topics: Secure Coding

Authors: Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, David Svoboda

In this report, the authors describe a managed string library for the C programming language.

April 2010 - Technical Note As-If Infinitely Ranged Integer Model, Second Edition

Topics: Secure Coding

Authors: Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Will Dormann, David Keaton, Thomas Plum (Plum Hall, Inc.), Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

In this report, the authors present the as-if infinitely ranged (AIR) integer model, a mechanism for eliminating integral exceptional conditions.

February 2010 - White Paper MITRE, CWE, and CERT Secure Coding Standards

Topics: Secure Coding

Authors: Robert C. Seacord, Robert A. Martin

In this paper, the authors summarize the Common Weakness Enumeration (CWE) and CERT Secure Coding Standards and the relationship between the two.

February 2010 - White Paper Instrumented Fuzz Testing Using AIR Integers (Whitepaper)

Topics: Secure Coding

Authors: Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Will Dormann, David Keaton, Robert C. Seacord, Timothy Wilson, Thomas Plum (Plum Hall, Inc.)

In this paper, the authors present the as-if infinitely ranged (AIR) integer model, which provides a mechanism for eliminating integral exceptional conditions.

February 2010 - Presentation Instrumented Fuzz Testing Using AIR Integers (Presentation)

Topics: Secure Coding

Authors: Will Dormann, Robert C. Seacord

In this February 2010 presentation, Will Dormann and Robert Seacord describe how to conduct instrumented fuzz testing using as-if infinitely ranged integers.

January 2010 - Presentation Secure Coding Initiative

Topics: Secure Coding

Authors: Robert C. Seacord

In this 2010 presentation, Robert Seacord provides an overview of the Secure Coding Initiative of the CERT Division, Software Engineering Institute.

October 2009 - Technical Report Secure Design Patterns

Topics: Secure Coding

Authors: Chad Dougherty, Kirk Sayre, Robert C. Seacord, David Svoboda, Kazuya Togashi (JPCERT/CC)

In this report, the authors describe a set of general solutions to software security problems that can be applied in many different situations.

September 2009 - Presentation TSP and Secure Coding

Topics: TSP

Authors: Noopur Davis (Davis Systems), Philip Miller, Bill Nichols, Robert Seacord

Presentation given at TSP Symposium on September 21-24, 2009 in New Orleans, Louisiana

August 2009 - Webinar Secure Coding

Topics: Secure Coding

Authors: Robert C. Seacord

In this webinar, Robert Seacord discusses work to develop secure coding standards for commonly used programming languages such as C, C++, and Java.

July 2009 - Technical Note As-if Infinitely Ranged Integer Model

Topics: Secure Coding

Authors: David Keaton, Thomas Plum (Plum Hall, Inc.), Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

In this report, the authors present the as-if infinitely ranged (AIR) integer model, which eliminates integer overflow and integer truncation in C and C++ code.

March 2009 - Podcast Mainstreaming Secure Coding Practices

Topics: Software Assurance

Authors: Robert C. Seacord, Julia H. Allen

In this podcast, Robert Seacord explains how requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities.

October 2008 - Book CERT C Secure Coding Standard

Topics: Secure Coding

Authors: Robert C. Seacord

In this book, Robert Seacord releases the CERT C Secure Coding Standard, which itemizes coding errors that are the root causes of software vulnerabilities in C.

June 2008 - Technical Report Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools

Topics: Secure Coding

Authors: Stephen Dewhurst, Chad Dougherty, Yurie Ito, David Keaton, Dan Saks, Robert C. Seacord, David Svoboda, Chris Taschner, Kazuya Togashi (JPCERT/CC)

In this report, the authors describe a study to evaluate CERT Secure Coding Standards and source code analysis tools in commercial software projects.

October 2007 - Video Secure Coding Initiative: Project

Topics: Secure Coding

Authors: Robert C. Seacord, Sharon West

In this video, Robert Secord discusses the Secure Coding Initiative Project.

September 2007 - Video Secure Coding in C and C++: Part 3

Topics: Secure Coding

Authors: Robert C. Seacord

In this video, Robert Seacord discusses how the Secure Coding Standards work is being communicated to those who can use these standards to improve their work.

September 2007 - Video Secure Coding in C and C++: Part 2

Topics: Secure Coding

Authors: Robert C. Seacord

In this video, Robert Seacord discusses Secure Coding Standards work done by the Secure Coding Team in the CERT Division of the SEI.

September 2007 - Video Secure Coding in C and C++: Part 1

Topics: Secure Coding

Authors: Robert C. Seacord

In this video, Robert Seacord discusses how the secure coding work at the CERT Division of the SEI builds on the division's previous work in cybersecurity.

September 2007 - Video Secure Coding Initiative: Standards

Topics: Secure Coding

Authors: Robert C. Seacord, Sharon West

In this video, Robert Secord discusses Secure Coding Initiative Standards.

September 2007 - Technical Note Ranged Integers for the C Programming Language

Topics: Secure Coding

Authors: Jeff Gennari, Shaun Hedrick, Fred Long, Justin Pincar, Robert C. Seacord

In this 2007 report, the authors describe an extension to the C programming language to introduce the notion of ranged integers.

August 2007 - Video Training Through CERT's Secure Coding Initiative

Topics: Secure Coding

Authors: Robert C. Seacord, Sharon West

In this video, Robert Secord discusses training related to the CERT Secure Coding Initiative.

March 2007 - Article Secure Coding Standards

Topics: Secure Coding

Authors: James W. Moore (IBM Systems Integration Division), Robert C. Seacord

This CrossTalk article outlines efforts by the ISO/IEC and the CERT Division to develop secure coding practices for the C and C++ programming languages.

September 2006 - Presentation Secure Coding in C++: Strings

Topics: Secure Coding

Authors: Robert C. Seacord

In this SD Best Practices 2006 presentation, Robert Seacord discusses strings and secure coding.

May 2006 - Technical Report Specifications for Managed Strings

Topics: Secure Coding

Authors: Hal Burch, Fred Long, Robert C. Seacord

This report has been superseded by Specifications for Managed Strings, Second Edition (CMU/SEI-2010-TR-018).

November 2005 - Presentation Best Practices for Secure Coding

Topics: Secure Coding

Authors: Robert C. Seacord

In this CoBaSSA 2005 presentation, Robert Seacord discusses strings, common string manipulation errors, and mitigation strategies.

November 2005 - Presentation Secure Coding in C and C++: A Look at Common Vulnerabilities

Topics: Secure Coding

Authors: Robert C. Seacord, Jason Rafail

In this November 2005 presentation, Robert C. Seacord and Jason Rafail describe how the SEI-developed tool, MOSAIC, can be used to assure mission success.

November 2005 - Brochure Variadic Functions: How They Contribute to Security Vulnerabilities and How to Fix Them

Topics: Secure Coding

Authors: Robert C. Seacord

In this LinuxWorld article, Robert Seacord discusses C/C++ language variadic functions and their use.

August 2005 - White Paper Information Technology: Programming Languages, Their Environments and System Software Interfaces: Specification for Managed Strings

Topics: Secure Coding

Authors: Fred Long, Robert C. Seacord

In this paper, the authors present a standard specification for managed strings.

June 2005 - Book Chapter Sample Chapter from Secure Coding in C and C++: Integer Security

Topics: Secure Coding

Authors: Robert C. Seacord

In this sample chapter from the book Secure Coding in C and C++, Robert Seacord discusses integer operations, vulnerabilities, mitigation strategies, and more.

June 2005 - Book Chapter Sample Chapter from Secure Coding in C and C++: Index

Topics: Secure Coding

Authors: Robert C. Seacord

In this index, you can see the topics covered in the book Secure Coding in C and C++.

June 2005 - Book Chapter Sample Chapter from Secure Coding in C and C++: Foreword

Topics: Secure Coding

Authors: Robert C. Seacord

In this forward from the book Secure Coding in C and C++, Richard Pethia describes the critical importance of software vulnerabilities and secure coding in particular.

January 2005 - Technical Note A Structured Approach to Classifying Security Vulnerabilities

Topics: Secure Coding, Vulnerability Analysis

Authors: Robert C. Seacord, Allen D. Householder

In this 2005 report, the authors propose a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities.

September 2003 - Technical Report SEI Independent Research and Development Projects (FY 2003)

Authors: Felix Bachmann, Sven Dietrich, Peter H. Feiler, Suzanne Garcia-Miller, Mark H. Klein, Edwin J. Morris, Patrick R. Place, Daniel Plakosh, Robert C. Seacord, Anthony J. Lattanze, B. Craig Meyers, John McHugh, Len Bass, David J. Carney

This report describes the IR&D projects that were conducted during fiscal year 2003 (October 2002 through September 2003).

February 2003 - Book Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices

Topics: Software Architecture, System of Systems, Secure Coding

Authors: Grace Lewis, Daniel Plakosh, Robert C. Seacord

This book shows how to implement a successful modernization strategy that incrementally encompass changes in software technologies, engineering processes, and business practices.

July 2002 - Technical Note Replaceable Components and the Service Provider Interface

Authors: Robert C. Seacord, Lutz Wrage

This 2002 report considers the motivation for using replaceable components and defines the requirements of replaceable component models.

October 2001 - Technical Report An Enterprise Information System Data Architecture Guide

Authors: Grace Lewis, Santiago Comella-Dorda, Patrick R. Place, Daniel Plakosh, Robert C. Seacord

This report describes a sample data architecture in terms of a collection of generic architectural patterns that define and constrain how data is managed in a system that uses the J2EE platform and the OAGIS.

August 2001 - Technical Report Maintaining Transactional Context: A Model Problem

Authors: Daniel Plakosh, Santiago Comella-Dorda, Patrick R. Place, Robert C. Seacord, Grace Lewis

This 2001 report outlines a model problem constructed to verify the feasibility of building a mechanism to modernize a legacy system.

July 2001 - Book Building Systems from Commercial Components

Topics: Predictability by Construction, Secure Coding

Authors: Scott Hissam, Robert C. Seacord, Kurt C. Wallnau

This book describes specific engineering practices needed to integrate preexisting components with preexisting specifications successfully, illustrating the techniques described with case studies and examples.

July 2001 - Technical Note Incremental Modernization for Legacy Systems

Authors: Santiago Comella-Dorda, Grace Lewis, Patrick R. Place, Daniel Plakosh, Robert C. Seacord

This 2001 report shows an objective technique for developing an incremental code-migration strategy for large legacy Common Business-Oriented Language (COBOL) systems.

July 2001 - Technical Report Legacy System Modernization Strategies

Topics: System of Systems

Authors: Robert C. Seacord, Santiago Comella-Dorda, Grace Lewis, Patrick R. Place, Daniel Plakosh

This 2001 report discusses alternative development approaches for incrementally modernizing legacy systems.

February 2001 - Technical Note K-BACEE: A Knowledge-Based Automated Component Ensemble Evaluation Tool

Authors: Robert C. Seacord, Dave Mundie, Somjai Boonsiri

This 2001 report describes an automated approach to evaluating ensembles of componentswithin the context of a system requirements specification.

May 2000 - Technical Report Volume II: Technical Concepts of Component-Based Software Engineering, 2nd Edition

Authors: Felix Bachmann, Len Bass, Charles Buhman, Santiago Comella-Dorda, Fred Long, John E. Robert, Robert C. Seacord, Kurt C. Wallnau

The objective of this study is to determine whether CBSE has the potential to advance the state of software engineering practice and, if so, whether the SEI can contribute to this advancement.

May 2000 - Technical Note Volume I: Market Assessment of Component-Based Software Engineering Assessments

Authors: Len Bass, Charles Buhman, Santiago Comella-Dorda, Fred Long, John E. Robert, Robert C. Seacord, Kurt C. Wallnau

This 2001 report examines software component technology from a business perspective.

April 2000 - Technical Note A Survey of Legacy System Modernization Approaches

Authors: Santiago Comella-Dorda, Kurt C. Wallnau, Robert C. Seacord, John E. Robert

This report, published in 2000, provides a survey of modernization techniques including screen scraping, database gateway, XML integration, database replication, CGI integration, object-oriented wrapping, and "componentization" of legacy systems.

July 1999 - Technical Note Securing Internet Sessions with Sorbet

Authors: Fred Long, Scott Hissam, Robert C. Seacord, John E. Robert, John E. Robert

To secure communications media connections, mechanisms must be built on top of the underlying facilities. This 1999 report discusses one such security mechanism and describes an implementation using CORBA-based interceptors.

July 1999 - Technical Note Custom vs. Off-the-Shelf Architecture

Topics: System of Systems

Authors: Robert C. Seacord, Kurt C. Wallnau, John E. Robert, Santiago Comella-Dorda, Scott Hissam

This report compares GEE-based solutions and off-the-shelf solutions based on the EJB specification.

June 1999 - Technical Note Theory and Practice of Enterprise JavaBean Portability

Topics: System of Systems

Authors: Santiago Comella-Dorda, John E. Robert, Robert C. Seacord

This paper presents sources of portability problems in EJB and illustrates them with some real examples.

August 1998 - Technical Report Browsers for Distributed Systems: Universal Paradigm or Siren's Song?

Authors: Robert C. Seacord, Scott Hissam

This report examines the technical issues relevant to incorporating web browsers as a component of a commercial off-the-shelf (COTS) -based solution.

August 1998 - Technical Report Agora: A Search Engine for Software Components

Authors: Robert C. Seacord, Scott Hissam, Kurt C. Wallnau

This 1998 report documents Agora, a software prototype that was developed by the SEI to create an automatically generated and indexed database of software products classified by component model.

May 1988 - Technical Report Serpent Runtime Architecture and Dialogue Model

Authors: Len Bass, Erik Hardy, Kurt Hoyt, Reed Little, Robert C. Seacord

This 1988 report describes the runtime architecture and dialogue model of the Serpent User Interface Management System (UIMS).

March 1988 - Technical Report Introduction to the Serpent User Interface Management System

Authors: Len Bass, Erik Hardy, Kurt Hoyt, Reed Little, Robert C. Seacord

This 1988 report provides an overview of Serpent, its components and the editor used to construct the user interface.