Software Engineering Institute | Carnegie Mellon University
Digital Library

Collection - Related Assets

Four Secure Coding Publications

  • Presents research and recommended practices for secure coding, preventing common exploits, and prioritizing security alerts.
  • Secure Coding
  • Publisher: Software Engineering Institute

    Establishing Coding Requirements for Non-Safety-Critical C++ Systems

    C++ is used extensively throughout the DoD, including major weapons systems such as the Joint Strike Fighter. Existing C++ coding standards fail to address security, subset the language (e.g., MISRA C++:2008), or are outdated and unprofessional (e.g., C++ Coding Standard referenced in DISA’s Application Security and Development STIG).

    Prioritizing Alerts from Static Analysis with Classification Models

    The project created alert classification models using features derived from multiple static analysis tools, code base metrics, and archived audit determinations. The results are accurate predictors of alert validity, intended for use in automatic prioritization of alerts from static analysis tools that minimizes the number of alerts needing human assessment.

    Automated Code Repair

    This project focused on integer overflow in calculations of how much memory to allocate and calculations related to array bounds. Through this work, we will reduce a typical number of unhandled violations to a number small enough for a development team to mitigate all of them.

    Common Exploits and How to Prevent Them

    This talk was given at the Secure Coding Symposium in Arlington, Virginia in September 2016. At this event, software development and assurance professionals discussed current challenges in the areas of secure coding practice adoption and software assurance.