Robert C. Seacord
No Affiliation
Publications by Robert C. Seacord
-
Empirical Evaluation of API Usability and Security
May 20, 2015 • Presentation
Samuel M. WeberBrad MyersForrest Shull
In this presentation, the authors describe their work to develop and test API design principles.
read -
TWC: Small: Empirical Evaluation of the Usability and Security Implications of Application Programming Interface Design
May 20, 2015 • Poster
Brad MyersSamuel M. WeberRobert C. Seacord
In this poster, the authors analyze the usability of application programming interface design.
read -
A Course-Based Usability Analysis of Cilk Plus and OpenMP
May 20, 2015 • Conference Paper
Michael Coblenz (Carnegie Mellon School of Computer Science)Robert C. SeacordBrad Myers
In this paper, the authors compare Cilk Plus and OpenMP to evaluate the design tradeoffs in the usability and security of these two approaches.
read -
Performance of Compiler-Assisted Memory Safety Checking
July 31, 2014 • Technical Note
David KeatonRobert C. Seacord
This technical note describes the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely available.
read -
Improving the Automated Detection and Analysis of Secure Coding Violations
June 27, 2014 • Technical Note
Daniel PlakoshRobert C. SeacordRobert W. Stoddard
This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.
read -
Heartbleed: Analysis, Thoughts, and Actions
May 13, 2014 • Webinar
Will DormannRobert FloodeenBrent Kennedy
Panelists discussed the impact of Heartbleed, methods to mitigate the vulnerability, and ways to prevent crises like this in the future.
watch -
Secure Coding in C and C++: Strings and Buffer Overflows
April 24, 2014 • Article
Robert C. Seacord
In this sample chapter, Robert Seacord discusses mitigation strategies that can be used to help eliminate vulnerabilities resulting from buffer overflows.
read -
Accessing Shared Atomic Objects from within a Signal Handler in C
April 24, 2014 • Article
Robert C. Seacord
In this article, Robert Seacord describes how to safely access shared objects from a signal handler.
read -
The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, 2nd Edition
April 18, 2014 • Book
Robert C. Seacord
In this book, Robert Seacord provides rules to help programmers ensure that their code complies with the new C11 standard and earlier standards, including C99.
read -
Secure Coding in C and C++: An Interview with Robert Seacord
April 18, 2014 • Article
Robert C. SeacordDanny Kalev (No Affiliation)
In this article, Danny Kalev talks to Robert Seacord about the new edition of his book, dangerous features in C11, and advice for making your code more secure.
read -
Why Can’t Johnny Program Securely?
April 09, 2014 • Presentation
Robert C. Seacord
In this presentation, given at InfoSec World 2014 in April 2014, Robert Seacord discusses the challenges of coding software securely and how standards can help.
read -
Preface to The CERT C Coding Standard, second edition
March 26, 2014 • Article
Robert C. Seacord
In this preface, Robert Seacord introduces his book The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems.
read -
Raising the Bar - Mainstreaming CERT C Secure Coding Rules
January 07, 2014 • Podcast
Robert C. SeacordJulia H. Allen
In this podcast, Robert Seacord describes the CERT-led effort to publish an ISO/IEC technical specification for secure coding rules for compilers and analyzers.
learn more -
Java Coding Guidelines for Reliability
September 27, 2013 • Article
Fred Long (Aberystwyth University)Dhruv MohindraRobert C. Seacord
In this sample chapter, the authors describe how to avoid obscure techniques and code that is difficult to understand and maintain when programming in Java.
read -
Don’t Be Pwned: A Short Course on Secure Programming in Java
September 24, 2013 • Video
Robert C. SeacordDean F. Sutherland
In this JavaOne 2013 video, developers of the CERT Oracle Secure Coding Standard for Java describe exploits that compromised Java programs in the field.
watch -
Don’t Be Pwned: A Short Course on Secure Programming in Java
September 24, 2013 • Presentation
Dean F. SutherlandRobert C. SeacordDavid Svoboda
In this presentation, the developers of the CERT Oracle Secure Coding Standard for Java present real exploits that have compromised Java programs in the field.
read -
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
August 05, 2013 • Book
Fred LongDhruv MohindraRobert C. Seacord
In this book, Robert Seacord brings together expert guidelines, recommendations, and code examples to help you use Java code to perform mission-critical tasks.
read -
C Secure Coding Rules: Past, Present, and Future
June 26, 2013 • Article
Robert C. Seacord
In this article, Robert Seacord offers a history of secure coding work and provides details about the ISO/IEC TS 17961 C Secure Coding Rules.
read -
Silent Elimination of Bounds Checks
June 12, 2013 • Article
Robert C. Seacord
In this article, Robert Seacord shows how compiler optimizations can eliminate causality in software and increase software faults, defects, and vulnerabilities.
read -
Strengths in Security Solutions
May 31, 2013 • White Paper
Arjuna Shunn (Microsoft)Carol WoodyRobert C. Seacord
In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.
read -
A Discussion with CERT Experts: Constructing a Secure Cyber Future
April 30, 2013 • Video
Robert C. Seacord
In this video, Robert Seacord discusses what the CERT Division is doing to improve secure development practices.
watch -
Secure Coding in C and C++, 2nd Edition
April 02, 2013 • Book
Robert C. Seacord
In this book, Robert Seacord describes how to write secure C and C++ code and avoid the software defects most likely to cause exploitable vulnerabilities.
read -
Source Code Analysis Laboratory (SCALe)
November 01, 2012 • Webinar
Robert C. Seacord
In this webinar, Robert Seacord discusses SCALe, a demonstration that software systems can be tested for conformance to secure coding standards.
watch -
Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code
October 01, 2012 • Video
Robert C. Seacord
In this video training, Robert Seacord provides an in-depth explanation of how to use common C language features to produce robust, secure, and reliable code.
watch -
Supporting the Use of CERT Secure Coding Standards in DoD Acquisitions
July 01, 2012 • Technical Note
Timothy MorrowRobert C. SeacordJohn K. Bergey
In this report, the authors provide guidance for helping DoD acquisition programs address software security in acquisitions.
read -
Source Code Analysis Laboratory (SCALe)
April 01, 2012 • Technical Note
Robert C. SeacordWill DormannJames McCurley
In this report, the authors describe the CERT Program's Source Code Analysis Laboratory (SCALe), a conformance test against secure coding standards.
read -
The CERT Oracle Secure Coding Standard for Java: Input Validation and Data Sanitization
October 24, 2011 • Article
Fred Long (Aberystwyth University)David SvobodaDhruv Mohindra
In this sample chapter, the authors provide rules, assesses their risk, and provide noncompliant and compliant code and solutions to validate and sanitize the data.
read -
Secure Coding in C++: Integers
September 11, 2011 • Presentation
Robert C. Seacord
In this SD Best Practices 2006 presentation, Robert Seacord explains how to secure integers, a growing source of vulnerabilities in C and C++ programs.
read -
The CERT Oracle Secure Coding Standard for Java
September 08, 2011 • Book
Fred LongDhruv MohindraRobert C. Seacord
In this book, the authors provide the first comprehensive compilation of code-level requirements for building secure systems in Java.
read -
An Online Learning Approach to Information Systems Security Education
June 13, 2011 • White Paper
Norman Bier (Carnegie Mellon University)Marsha Lovett (Carnegie Mellon University)Robert C. Seacord
In this paper, the authors describe the development of a secure coding module that shows how to capture content, ensure learning, and scale to meet demand.
read -
Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems
December 01, 2010 • Technical Report
Robert C. SeacordWill DormannJames McCurley
In this report, the authors describe the Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.
read -
As-If Infinitely Ranged Integer Model
November 01, 2010 • Presentation
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Thomas Plum (Plum Hall, Inc.)Will Dormann
This ISSRE 2010 paper describes the AIR Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping.
read -
Java Concurrency Guidelines
May 01, 2010 • Technical Report
Fred LongDhruv MohindraRobert C. Seacord
In this report, the authors describe the CERT Oracle Secure Coding Standard for Java, which provides guidelines for secure coding in Java.
read -
Specifications for Managed Strings, Second Edition
May 01, 2010 • Technical Report
Hal BurchFred LongRaunak Rungta
In this report, the authors describe a managed string library for the C programming language.
read -
As-If Infinitely Ranged Integer Model, Second Edition
April 01, 2010 • Technical Note
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Will DormannDavid Keaton
In this report, the authors present the as-if infinitely ranged (AIR) integer model, a mechanism for eliminating integral exceptional conditions.
read -
MITRE, CWE, and CERT Secure Coding Standards
February 08, 2010 • White Paper
Robert C. SeacordRobert A. Martin
In this paper, the authors summarize the Common Weakness Enumeration (CWE) and CERT Secure Coding Standards and the relationship between the two.
read -
Instrumented Fuzz Testing Using AIR Integers (Whitepaper)
February 01, 2010 • White Paper
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Will DormannDavid Keaton
In this paper, the authors present the as-if infinitely ranged (AIR) integer model, which provides a mechanism for eliminating integral exceptional conditions.
read -
Instrumented Fuzz Testing Using AIR Integers (Presentation)
February 01, 2010 • Presentation
Will DormannRobert C. Seacord
In this February 2010 presentation, Will Dormann and Robert Seacord describe how to conduct instrumented fuzz testing using as-if infinitely ranged integers.
read -
Secure Coding Initiative
January 01, 2010 • Presentation
Robert C. Seacord
In this 2010 presentation, Robert Seacord provides an overview of the Secure Coding Initiative of the CERT Division, Software Engineering Institute.
read -
Secure Design Patterns
October 01, 2009 • Technical Report
Chad DoughertyKirk SayreRobert C. Seacord
In this report, the authors describe a set of general solutions to software security problems that can be applied in many different situations.
read -
TSP and Secure Coding
September 23, 2009 • Presentation
Noopur Davis (Davis Systems)Philip MillerBill Nichols
Presentation given at TSP Symposium on September 21-24, 2009 in New Orleans, Louisiana
read -
As-if Infinitely Ranged Integer Model
July 01, 2009 • Technical Note
David KeatonThomas Plum (Plum Hall, Inc.)Robert C. Seacord
In this report, the authors present the as-if infinitely ranged (AIR) integer model, which eliminates integer overflow and integer truncation in C and C++ code.
read -
Mainstreaming Secure Coding Practices
March 17, 2009 • Podcast
Robert C. SeacordJulia H. Allen
In this podcast, Robert Seacord explains how requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities.
learn more -
CERT C Secure Coding Standard
October 14, 2008 • Book
Robert C. Seacord
In this book, Robert Seacord releases the CERT C Secure Coding Standard, which itemizes coding errors that are the root causes of software vulnerabilities in C.
read -
Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools
June 01, 2008 • Technical Report
Stephen DewhurstChad DoughertyYurie Ito
In this report, the authors describe a study to evaluate CERT Secure Coding Standards and source code analysis tools in commercial software projects.
read -
Ranged Integers for the C Programming Language
September 01, 2007 • Technical Note
Jeff GennariShaun HedrickFred Long
In this 2007 report, the authors describe an extension to the C programming language to introduce the notion of ranged integers.
read -
Secure Coding Standards
March 01, 2007 • Article
James W. Moore (IBM Systems Integration Division)Robert C. Seacord
This CrossTalk article outlines efforts by the ISO/IEC and the CERT Division to develop secure coding practices for the C and C++ programming languages.
read -
Secure Coding in C++: Strings
September 11, 2006 • Presentation
Robert C. Seacord
In this SD Best Practices 2006 presentation, Robert Seacord discusses strings and secure coding.
read -
Specifications for Managed Strings
May 01, 2006 • Technical Report
Hal BurchFred LongRobert C. Seacord
This report has been superseded by Specifications for Managed Strings, Second Edition (CMU/SEI-2010-TR-018).
read -
Best Practices for Secure Coding
November 14, 2005 • Presentation
Robert C. Seacord
In this CoBaSSA 2005 presentation, Robert Seacord discusses strings, common string manipulation errors, and mitigation strategies.
read -
Secure Coding in C and C++: A Look at Common Vulnerabilities
November 14, 2005 • Presentation
Robert C. SeacordJason Rafail
In this November 2005 presentation, Robert C. Seacord and Jason Rafail describe how the SEI-developed tool, MOSAIC, can be used to assure mission success.
read -
Variadic Functions: How They Contribute to Security Vulnerabilities and How to Fix Them
November 01, 2005 • Article
Robert C. Seacord
In this LinuxWorld article, Robert Seacord discusses C/C++ language variadic functions and their use.
read -
Secure Coding in C and C++
September 09, 2005 • Book
Robert C. Seacord
In this book, Robert Seacord identifies root causes for exploited software vulnerabilities and encourages programmers to adopt security best practices.
read -
Information Technology: Programming Languages, Their Environments and System Software Interfaces: Specification for Managed Strings
August 19, 2005 • White Paper
Fred LongRobert C. Seacord
In this paper, the authors present a standard specification for managed strings.
read -
Sample Chapter from Secure Coding in C and C++: Integer Security
June 07, 2005 • Book Chapter
Robert C. Seacord
In this sample chapter from the book Secure Coding in C and C++, Robert Seacord discusses integer operations, vulnerabilities, mitigation strategies, and more.
read -
Sample Chapter from Secure Coding in C and C++: Index
June 01, 2005 • Book Chapter
Robert C. Seacord
In this index, you can see the topics covered in the book Secure Coding in C and C++.
read -
Sample Chapter from Secure Coding in C and C++: Foreword
June 01, 2005 • Book Chapter
Robert C. Seacord
In this forward from the book Secure Coding in C and C++, Richard Pethia describes the critical importance of software vulnerabilities and secure coding in particular.
read -
A Structured Approach to Classifying Security Vulnerabilities
January 01, 2005 • Technical Note
Robert C. SeacordAllen D. Householder
In this 2005 report, the authors propose a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities.
read -
SEI Independent Research and Development Projects (FY 2003)
September 01, 2003 • Technical Report
Felix BachmannSven DietrichPeter H. Feiler
This report describes the IR&D projects that were conducted during fiscal year 2003 (October 2002 through September 2003).
read -
Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices
February 13, 2003 • Book
Grace LewisDaniel PlakoshRobert C. Seacord
This book shows how to implement a successful modernization strategy that incrementally encompass changes in software technologies, engineering processes, and business practices.
read -
Replaceable Components and the Service Provider Interface
July 01, 2002 • Technical Note
Robert C. SeacordLutz Wrage
This 2002 report considers the motivation for using replaceable components and defines the requirements of replaceable component models.
read -
An Enterprise Information System Data Architecture Guide
October 01, 2001 • Technical Report
Grace LewisSantiago Comella-DordaPatrick R. Place
This report describes a sample data architecture in terms of a collection of generic architectural patterns that define and constrain how data is managed in a system that uses the J2EE platform and the OAGIS.
read -
Maintaining Transactional Context: A Model Problem
August 01, 2001 • Technical Report
Daniel PlakoshSantiago Comella-DordaPatrick R. Place
This 2001 report outlines a model problem constructed to verify the feasibility of building a mechanism to modernize a legacy system.
read -
Building Systems from Commercial Components
July 25, 2001 • Book
Scott HissamRobert C. SeacordKurt C. Wallnau
This book describes specific engineering practices needed to integrate preexisting components with preexisting specifications successfully, illustrating the techniques described with case studies and examples.
read -
Incremental Modernization for Legacy Systems
July 01, 2001 • Technical Note
Santiago Comella-DordaGrace LewisPatrick R. Place
This 2001 report shows an objective technique for developing an incremental code-migration strategy for large legacy Common Business-Oriented Language (COBOL) systems.
read -
Legacy System Modernization Strategies
July 01, 2001 • Technical Report
Robert C. SeacordSantiago Comella-DordaGrace Lewis
This 2001 report discusses alternative development approaches for incrementally modernizing legacy systems.
read -
K-BACEE: A Knowledge-Based Automated Component Ensemble Evaluation Tool
February 01, 2001 • Technical Note
Robert C. SeacordDave MundieSomjai Boonsiri
This 2001 report describes an automated approach to evaluating ensembles of componentswithin the context of a system requirements specification.
read -
Volume II: Technical Concepts of Component-Based Software Engineering, 2nd Edition
May 01, 2000 • Technical Report
Felix BachmannLen BassCharles Buhman
The objective of this study is to determine whether CBSE has the potential to advance the state of software engineering practice and, if so, whether the SEI can contribute to this advancement.
read -
Volume I: Market Assessment of Component-Based Software Engineering Assessments
May 01, 2000 • Technical Note
Len BassCharles BuhmanSantiago Comella-Dorda
This 2001 report examines software component technology from a business perspective.
read -
A Survey of Legacy System Modernization Approaches
April 01, 2000 • Technical Note
Santiago Comella-DordaKurt C. WallnauRobert C. Seacord
This report, published in 2000, provides a survey of modernization techniques including screen scraping, database gateway, XML integration, database replication, CGI integration, object-oriented wrapping, and "componentization" of legacy systems.
read -
Securing Internet Sessions with Sorbet
July 01, 1999 • Technical Note
Fred LongScott HissamRobert C. Seacord
To secure communications media connections, mechanisms must be built on top of the underlying facilities. This 1999 report discusses one such security mechanism and describes an implementation using CORBA-based interceptors.
read -
Custom vs. Off-the-Shelf Architecture
July 01, 1999 • Technical Note
Robert C. SeacordKurt C. WallnauJohn E. Robert
This report compares GEE-based solutions and off-the-shelf solutions based on the EJB specification.
read -
Theory and Practice of Enterprise JavaBean Portability
June 01, 1999 • Technical Note
Santiago Comella-DordaJohn E. RobertRobert C. Seacord
This paper presents sources of portability problems in EJB and illustrates them with some real examples.
read -
Browsers for Distributed Systems: Universal Paradigm or Siren's Song?
August 01, 1998 • Technical Report
Robert C. SeacordScott Hissam
This report examines the technical issues relevant to incorporating web browsers as a component of a commercial off-the-shelf (COTS) -based solution.
read -
Agora: A Search Engine for Software Components
August 01, 1998 • Technical Report
Robert C. SeacordScott HissamKurt C. Wallnau
This 1998 report documents Agora, a software prototype that was developed by the SEI to create an automatically generated and indexed database of software products classified by component model.
read -
Serpent Runtime Architecture and Dialogue Model
May 01, 1988 • Technical Report
Len BassErik HardyKurt Hoyt
This 1988 report describes the runtime architecture and dialogue model of the Serpent User Interface Management System (UIMS).
read -
Introduction to the Serpent User Interface Management System
March 01, 1988 • Technical Report
Len BassErik HardyKurt Hoyt
This 1988 report provides an overview of Serpent, its components and the editor used to construct the user interface.
read