Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

David Svoboda
September 2017 - Presentation Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules

Topics: Secure Coding

Authors: Lori Flynn, David Svoboda, William Snavely

In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.

December 2016 - Presentation Avoiding Insecure C++

Topics: Secure Coding

Authors: David Svoboda, Aaron Ballman

This presentation introduces the SEI CERT C++

November 2016 - Presentation Beyond errno: Error Handling in C

Topics: Secure Coding

Authors: David Svoboda

In this tutorial, David Svoboda examines the technologies available to the C developer for handling errors.

November 2016 - Conference Paper Static Analysis Alert Audits: Lexicon & Rules

Topics: Secure Coding

Authors: David Svoboda, Lori Flynn, William Snavely

In this paper, the authors provide a suggested set of auditing rules and a lexicon for auditing static analysis alerts.

September 2016 - Presentation Exploiting Java Serialization for Fun and Profit

Topics: Secure Coding

Authors: David Svoboda

In this presentation, David Svoboda explains how exploits can occur using Java serialization.

September 2016 - Presentation The Java Security Architecture: How? and Why?

Topics: Secure Coding

Authors: David Svoboda

In this tutorial, David Svoboda describes the design of Java's security architecture and its pros and cons.

September 2016 - Presentation Inside the CERT Oracle Secure Coding Standard for Java

Topics: Secure Coding

Authors: David Svoboda

In this session, the authors of the CERT Oracle Secure Coding Standard for Java describe how it can be used to secure your Java projects.

September 2016 - Presentation Common Exploits and How to Prevent Them

Topics: Secure Coding

Authors: David Svoboda

This presentation was given at the 2016 Secure Coding Symposium, where attendees discussed challenges in secure coding and software assurance.

February 2016 - Podcast Is Java More Secure Than C?

Topics: Secure Coding

Authors: David Svoboda

In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.

June 2015 - Video Anatomy of Another Java Zero-Day Exploit

Topics: Secure Coding

Authors: David Svoboda

In this video, David Svoboda demonstrates a public expoit that attacked an unpatched Java Virtual Machine.

April 2015 - White Paper SCALe Analysis of JasPer Codebase

Topics: Secure Coding

Authors: David Svoboda

In this paper, David Svoboda provides the findings of a SCALe audit on a codebase.

June 2014 - Technical Note Improving the Automated Detection and Analysis of Secure Coding Violations

Topics: Secure Coding

Authors: Daniel Plakosh, Robert C. Seacord, Robert W. Stoddard, David Svoboda, David Zubrow

This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.

January 2014 - Conference Paper Pointer Ownership Model

Topics: Secure Coding

Authors: David Svoboda, Lutz Wrage

In this paper, the authors describe how the Pointer Ownership Model improves static analysis of C programs for errors involving dynamic memory management.

December 2013 - Video Anatomy of a Java Zero-Day Exploit

Topics: Secure Coding

Authors: David Svoboda

In this JavaOne 2013 video, David Svoboda demonstrates a public exploit that is written in pure Java using several obscure components of the Java library.

September 2013 - Article Java Coding Guidelines for Reliability

Topics: Secure Coding

Authors: Fred Long (Aberystwyth University), Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

In this sample chapter, the authors describe how to avoid obscure techniques and code that is difficult to understand and maintain when programming in Java.

September 2013 - Presentation Don’t Be Pwned: A Short Course on Secure Programming in Java

Topics: Secure Coding

Authors: Dean F. Sutherland, Robert C. Seacord, David Svoboda

In this presentation, the developers of the CERT Oracle Secure Coding Standard for Java present real exploits that have compromised Java programs in the field.

September 2013 - Presentation Java Security Architecture

Topics: Secure Coding

Authors: David Svoboda

In this presentation, given at JavaOne 2013, David Svoboda explains Java's security architecture in detail, including how it was designed to secure Web applets.

June 2013 - White Paper Pointer Ownership Model

Topics: Secure Coding

Authors: David Svoboda

In this paper, David Svoboda describes the Pointer Ownership Model, which can statically identify classes of errors involving dynamic memory in C/C++ programs.

April 2012 - Technical Note Source Code Analysis Laboratory (SCALe)

Topics: Secure Coding

Authors: Robert C. Seacord, Will Dormann, James McCurley, Philip Miller, Robert W. Stoddard, David Svoboda, Jefferson Welch

In this report, the authors describe the CERT Program's Source Code Analysis Laboratory (SCALe), a conformance test against secure coding standards.

October 2011 - Article The CERT Oracle Secure Coding Standard for Java: Input Validation and Data Sanitization

Topics: Secure Coding

Authors: Fred Long (Aberystwyth University), David Svoboda, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland

In this sample chapter, the authors provide rules, assesses their risk, and provide noncompliant and compliant code and solutions to validate and sanitize the data.

September 2011 - Book The CERT Oracle Secure Coding Standard for Java

Topics: Secure Coding

Authors: Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

In this book, the authors provide the first comprehensive compilation of code-level requirements for building secure systems in Java.

December 2010 - Technical Report Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems

Topics: Secure Coding

Authors: Robert C. Seacord, Will Dormann, James McCurley, Philip Miller, Robert W. Stoddard, David Svoboda, Jefferson Welch

In this report, the authors describe the Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.

November 2010 - Presentation As-If Infinitely Ranged Integer Model

Topics: Secure Coding

Authors: Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Thomas Plum (Plum Hall, Inc.), Will Dormann, David Keaton, Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

This ISSRE 2010 paper describes the AIR Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping.

May 2010 - Technical Report Java Concurrency Guidelines

Topics: Secure Coding

Authors: Fred Long, Dhruv Mohindra, Robert C. Seacord, David Svoboda

In this report, the authors describe the CERT Oracle Secure Coding Standard for Java, which provides guidelines for secure coding in Java.

May 2010 - Technical Report Specifications for Managed Strings, Second Edition

Topics: Secure Coding

Authors: Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, David Svoboda

In this report, the authors describe a managed string library for the C programming language.

April 2010 - Technical Note As-If Infinitely Ranged Integer Model, Second Edition

Topics: Secure Coding

Authors: Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Will Dormann, David Keaton, Thomas Plum (Plum Hall, Inc.), Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

In this report, the authors present the as-if infinitely ranged (AIR) integer model, a mechanism for eliminating integral exceptional conditions.

October 2009 - Technical Report Secure Design Patterns

Topics: Secure Coding

Authors: Chad Dougherty, Kirk Sayre, Robert C. Seacord, David Svoboda, Kazuya Togashi (JPCERT/CC)

In this report, the authors describe a set of general solutions to software security problems that can be applied in many different situations.

July 2009 - Technical Note As-if Infinitely Ranged Integer Model

Topics: Secure Coding

Authors: David Keaton, Thomas Plum (Plum Hall, Inc.), Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

In this report, the authors present the as-if infinitely ranged (AIR) integer model, which eliminates integer overflow and integer truncation in C and C++ code.

June 2008 - Technical Report Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools

Topics: Secure Coding

Authors: Stephen Dewhurst, Chad Dougherty, Yurie Ito, David Keaton, Dan Saks, Robert C. Seacord, David Svoboda, Chris Taschner, Kazuya Togashi (JPCERT/CC)

In this report, the authors describe a study to evaluate CERT Secure Coding Standards and source code analysis tools in commercial software projects.