Four Secure Coding Publications
Presents research and recommended practices for secure coding, preventing common exploits, and prioritizing security alerts.
Software Engineering Institute
Establishing Coding Requirements for Non-Safety-Critical C++ Systems
C++ is used extensively throughout the DoD, including major weapons systems such as the Joint Strike Fighter. Existing C++ coding standards fail to address security, subset the language (e.g., MISRA C++: 2008) or are outdated and unprofessional (e.g., C++ Coding Standard referenced in DISA’s Application Security and Development STIG).
Prioritizing Alerts from Static Analysis with Classification Models
The project created alert classification models using features derived from multiple static analysis tools, code base metrics, and archived audit determinations. The results are accurate predictors of alert validity, intended for use in automatic prioritization of alerts from static analysis tools that minimizes the number of alerts needing human assessment.
Automated Code Repair
This project focused on integer overflow in calculations of how much memory to allocate and calculations related to array bounds. Through this work, we will reduce a typical number of unhandled violations to a number small enough for a development team to mitigate all of them.
Common Exploits and How to Prevent Them
This talk was given at the Secure Coding Symposium in Arlington, Virginia in September 2016. At this event, software development and assurance professionals discussed current challenges in the areas of secure coding practice adoption and software assurance.
Developed checkers, rules, and rule organization for secure C++ code
In this presentation, Lori Flynn describes work toward an automated and accurate statistical classifier, intended to efficiently use analyst effort and to remove code flaws.
This presentation was given at the 2016 Secure Coding Symposium, where attendees discussed challenges in secure coding and software assurance.