We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byRebecca Garrett
Modified over 2 years ago
© 2006 Carnegie Mellon University CERT Secure Coding Standards Robert C. Seacord
© 2006 Carnegie Mellon University 2 Total vulnerabilities reported (1995-2Q,2005): 19,600 5,000 4,000 3,000 2, , ,090 2,437 4,129 3,784 3,780 5,990 6,000 Problem Statement Reacting to vulnerabilities in existing systems is not working
© 2006 Carnegie Mellon University 3 Recent Trends Are No Different FY 2004 Q3 FY 2004 Q3 FY 2004 Q4 FY 2005 Q1 FY 2005 Q2 FY 2005 Q3 FY 2005 Q4 FY 2006 Q1 FY 2006 Q2 FY 2006 Q3TD
© 2006 Carnegie Mellon University 4 Secure Coding Initiative Work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Reduce the number of vulnerabilities to a level where they can be handled by computer security incident response teams (CSIRTs) Decrease remediation costs by eliminating vulnerabilities before software is deployed
© 2006 Carnegie Mellon University 5 Overall Thrusts Advance the state of the practice in secure coding Identify common programming errors that lead to software vulnerabilities Establish standard secure coding practices Educate software developers
© 2006 Carnegie Mellon University 6 CERT Secure Coding Standards Identify coding practices that can be used to improve the security of software systems under development Coding practices are classified as either rules or recommendations Rules need to be followed to claim compliance. Recommendations are guidelines or suggestions. Development of Secure Coding Standards is a community effort
© 2006 Carnegie Mellon University 7 Rules Coding practices are defined as rules when Violation of the coding practice will result in a security flaw that may result in an exploitable vulnerability. There is an enumerable set of exceptional conditions (or no such conditions) where violating the coding practice is necessary to ensure the correct behavior for the program. Conformance to the coding practice can be verified.
© 2006 Carnegie Mellon University 8 Recommendations Coding practices are defined as recommendations when Application of the coding practice is likely to improve system security. One or more of the requirements necessary for a coding practice to be considered a rule cannot be met.
© 2006 Carnegie Mellon University 9 Community Development Process Published as candidate rules and recommendations on the CERT Wiki accessible from: Rules are solicited from the community Threaded discussions used for public vetting Candidate coding practices are moved into a secure coding standard when consensus is reached
© 2006 Carnegie Mellon University 10 Scope The secure coding standards proposed by CERT are based on documented standard language versions as defined by official or de facto standards organizations. Secure coding standards are under development for: C programming language (ISO/IEC 9899:1999) C++ programming language (ISO/IEC ) Applicable technical corrigenda and documented language extensions such as the ISO/IEC TR extensions to the C library are also included.
© 2006 Carnegie Mellon University 11 Potential Applications Establish secure coding practices within an organization may be extended with organization-specific rules cannot replace or remove existing rules Train software professionals Certify programmers in secure coding Establish base-line requirements for software analysis tools Certify software systems
© 2006 Carnegie Mellon University 12 System Qualities Security is one of many system qualities that must be considered in the selection and application of a coding standard. System qualities with significant overlap Safety Reliability Availability System qualities that influence security Maintainability Understandability System qualities that make security harder Portability System qualities that may conflict with security Performance Usability
© 2006 Carnegie Mellon University 13 Implementation & Demo Externally accessible system hosted on the CERT web site Software Atlassian's confluence wiki with unlimited named users Hardware One Dell PowerEdge 2850 Two Intel Xeon Processors at 3.0GHz/2MB Cache, 800MHz FSB Memory 2GB DDR2 400MHz (2X1GB Primary Controller Embedded RAID (ROMB) Three 73GB 10K RPM Ultra 320 SCSI Hard Drives
© 2006 Carnegie Mellon University 14 Demo
© 2006 Carnegie Mellon University 15 Future Directions Provide similar products for other languages C++/CLI C# Java Ada Etc. Produce language independent guidance cross-referenced with specific examples from target languages
© 2006 Carnegie Mellon University 16 Questions
© 2006 Carnegie Mellon University 17 For More Information Visit the CERT ® web site Contact Presenter Robert C. Seacord Contact CERT Coordination Center Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh PA Hotline: CERT/CC personnel answer 8:00 a.m.–5:00 p.m. and are on call for emergencies during other hours. Fax:
1 ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore,
1 Report of Progress of ISO/IEC 24772, Programming Language Vulnerabilities, in ISO/IEC JTC 1/SC 22 John Benito, Convener Jim Moore, Secretary ISO/IEC.
For OWGV Meeting #1, 2006 June, Washington, DC, USA 1D Terms of Reference: ISO/IEC Project , Guidance to Avoiding Vulnerabilities in Programming.
1 Note content copyright © 2004 Ian Sommerville. NU-specific content copyright © 2004 M. E. Kabay. All rights reserved. Quality Management IS301 – Software.
1 OWG: Vulnerability ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore, Secretary.
1 OWG: Vulnerability ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use. ISO/IEC JTC 1/SC 22/ OWGV N0139.
Presented to By. 2Normative references ISO 9000:2005, Quality management systems Fundamentals and vocabulary ISO 19011:2002, Guidelines for quality and/or.
Computing Higher - SD Process – Topic 2 St Andrew’s High School Unit 2 Software Development Process.
For C Language WG, 2006 March, Berlin 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative from.
For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.
1 Welcome Safety Regulatory Function Handbook April 2006.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 24Slide 1 Chapter 24 Quality Management.
Chapter 20 Quality Assurance Through Software Engineering Systems Analysis and Design Kendall and Kendall Fifth Edition.
IGF Hyderabad 2008 Dimensions of Cyber Security & Cyber Crime Michael Lewis, Carnegie Mellon University & Deputy Director, Q-CERT.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 29Slide 1 Chapter 29 Configuration Management.
1 Note content copyright © 2004 Ian Sommerville. NU-specific content copyright © 2004 M. E. Kabay. All rights reserved. Configuration Management IS301.
H-2 n Program Updates n Chemical list changes n Reporting form changes n TRI-ME Reporting Software n Form R submissions/revisions n Guidance (Key Information.
ISO/DIS 9001:2008 versus ISO 9001:2000 August 2008 CER Business Line - Peter Bonnaerens.
1 Note content copyright © 2004 Ian Sommerville. NU-specific content copyright © 2004 M. E. Kabay. All rights reserved. Process Improvement IS301 – Software.
AEE Accreditation Program. Provide an overview of AEEs Accreditation Program process program policy standards.
EHR-S Conformance Considerations Lynne S. Rosenthal National Institute of Standards and Technology August 2004.
OLAC Process and OLAC Protocol: A Guided Tour Gary F. Simons SIL International ___________________________ OLAC Workshop 10 Dec 2002, Philadelphia.
Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President,
Next Generation – The Future for Emergency Communications.
Software Quality Management CIS 376 Bruce R. Maxim UM-Dearborn.
Blue Pilot Consulting, Inc. 1 A new type of Working Group used for a new SC22 Working Group OWG: Vulnerability John Benito JTC 1/SC 22 WG14.
Slide 3.1 © The McGraw-Hill Companies, 2007 Object-Oriented and Classical Software Engineering Seventh Edition, WCB/McGraw-Hill, 2007 Stephen R. Schach.
©2005 CSMSlide 1 Certification for Systems Engineering Professionals Overview CSEP Preparation Program.
1 15 Making the System Operational Lecture Activities of the Implementation and Support Phases Figure 15-1.
© 2017 SlidePlayer.com Inc. All rights reserved.