The Source Code Analysis Laboratory (SCALe) is a proof-of-concept demonstration that software systems can be tested for conformance to secure coding standards, such as The CERT® Oracle Secure Coding Standard for Java. This secure coding standard provides secure coding rules for the Java SE 6 Platform, including the Java programming language and libraries, and also addresses new features of the Java SE 7 Platform. The SCALe team at the CERT Program, part of Carnegie Mellon University's Software Engineering Institute, analyzes a developer's source code and provides a detailed report of findings to guide the code's repair. After the developer has addressed these findings and the SCALe team determines that the product version conforms to the standard, the CERT Program issues the developer a certificate and lists the system in a registry of conforming systems. This presentation will describe SCALe and The CERT Oracle Secure Coding Standard for Java, and present a selection of real exploits that have compromised Java programs in the wild.
Robert C. Seacord is a computer security specialist and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering.
Robert manages the Secure Coding Initiative at CERT, located in Carnegie Mellon's Software Engineering Institute in Pittsburgh, Pennsylvania. CERT, among other security-related activities, regularly analyzes software vulnerability reports and assesses the risk to the Internet and other critical infrastructure. Robert is an adjunct professor in the Carnegie Mellon University School of Computer Science and in the Information Networking Institute.
Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert has also worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. Robert has a bachelor's degree in computer science from Rensselaer Polytechnic Institute.
By having your software tested for conformance to CERT secure coding standards, you gain a rigorous assessment of the software’s security and quality. If your software conforms, it will get a certificate, seal, and entry into a registry of conforming systems. You’ll also be encouraging industry to invest in developing conforming systems: vendors can market software quality and security, and consumers can identify conforming products that bear the CERT Conformance Tested seal.