Four Secure Coding Publications

Presents research and recommended practices for secure coding, preventing common exploits, and prioritizing security alerts.

Publisher: Software Engineering Institute

Establishing Coding Requirements for Non-Safety-Critical C++ Systems

C++ is used extensively throughout the DoD, including major weapons systems such as the Joint Strike Fighter. Existing C++ coding standards fail to address security, subset the language (e.g., MISRA C++: 2008) or are outdated and unprofessional (e.g., C++ Coding Standard referenced in DISA’s Application Security and Development STIG).

Prioritizing Alerts from Static Analysis with Classification Models

The project created alert classification models using features derived from multiple static analysis tools, code base metrics, and archived audit determinations. The results are accurate predictors of alert validity, intended for use in automatic prioritization of alerts from static analysis tools that minimizes the number of alerts needing human assessment.

Automated Code Repair

This project focused on integer overflow in calculations of how much memory to allocate and calculations related to array bounds. Through this work, we will reduce a typical number of unhandled violations to a number small enough for a development team to mitigate all of them.

Common Exploits and How to Prevent Them

This talk was given at the Secure Coding Symposium in Arlington, Virginia in September 2016. At this event, software development and assurance professionals discussed current challenges in the areas of secure coding practice adoption and software assurance.

Establishing Coding Requirements for Non-Safety-Critical C++ Systems

November 2016

Developed checkers, rules, and rule organization for secure C++ code

Prioritizing Alerts from Static Analysis with Classification Models

November 2016

In this presentation, Lori Flynn describes work toward an automated and accurate statistical classifier, intended to efficiently use analyst effort and to remove code flaws.

Common Exploits and How to Prevent Them

September 2016

This presentation was given at the 2016 Secure Coding Symposium, where attendees discussed challenges in secure coding and software assurance.

Automated Code Repair

November 2016

This work aims to develop a technique to eliminate security vulnerabilities at a lower cost than manual repair.