© 2006 Carnegie Mellon University CERT Secure Coding Standards Robert C. Seacord.

Slides:

Advertisements

Similar presentations

FIS Enterprise Solutions EPK/EPM Implementation

Advertisements

1 Nia Sutton Becta Total Cost of Ownership of ICT in schools.

Elements of an Effective Safety and Health Program

Significance of ISO to the Food Industry

© 2005 by Prentice Hall Chapter 13 Finalizing Design Specifications Modern Systems Analysis and Design Fourth Edition Jeffrey A. Hoffer Joey F. George.

Managing Compliance Related to Human Subjects Research Review Joseph Sherwin, Ph.D. Office of Regulatory Affairs University of Pennsylvania Fourth Annual.

Software Re-engineering

Major Activities in JPNIC Since APNIC17 Izumi Okutani Japan Network Information Center NIR 18, Fiji 31 August – 3 September, 2004.

Setting up repositories: Technical Requirements, Repository Software, Metadata & Workflow. Repository services Iryna Kuchma, eIFL Open Access program manager,

IGF Hyderabad 2008 Dimensions of Cyber Security & Cyber Crime Michael Lewis, Carnegie Mellon University & Deputy Director, Q-CERT.

For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.

Blue Pilot Consulting, Inc. 1 A new type of Working Group used for a new SC22 Working Group OWG: Vulnerability John Benito JTC 1/SC 22 WG14.

For C Language WG, 2006 March, Berlin 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative from.

1 ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore,

Quality Improvement in the ONS Cynthia Z F Clark Frank Nolan Office for National Statistics United Kingdom.

1 Simplification & Harmonization: CPAP & AWP S and H Roll Out Countries Nairobi 25 – 27 June 2003.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Welcome Safety Regulatory Function Handbook April 2006.

OLAC Process and OLAC Protocol: A Guided Tour Gary F. Simons SIL International ___________________________ OLAC Workshop 10 Dec 2002, Philadelphia.

1 IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1,

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 1 NASA Earth Science Data Systems (ESDS) Software Reuse Working Group CEOS WIGSS-22 Annapolis, MD September.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

1 National Center for the Training of Bank Personnel of Ukraine.

What is valorisation ? Growth €

EIONET European Environment Information and Observation Network Version * * * Quality assurance of Eurowaternet.

System Overview Chapter 1. System Overview 1-2 Objectives Understand Overall Schematic Be aware of technical recommendations for new system Learn how.

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

Making the System Operational

Juniata College Retirement Plan Update Spring 2011 Presented By: Jeffrey Savino.

1 THE SCHOOL SITE COUNCIL. 2 WHAT IS A SCHOOL SITE COUNCIL, AND WHO ARE MEMBERS? The School Site Council (SSC) is an elected or selected group representative.

Standards Certification Education & Training Publishing Conferences & Exhibits ISA Certified Automation Professional ® (CAP ® ) Rev. 10/2006.

Insert image here © SPEC-Soft SAVINGS AND EXPERTISE FOR YOUR PLANT PFS-Suite Life-cycle Tools For Process Automation PFS-Suite TM.

UWF Computing Hardware Standards ITS Annual Recommendations for

Configuration management

Software change management

EMS Checklist (ISO model)

A brief for top management Prepared by the Institute of Quality Assurance Integrated Management Special Interest Group Future management is integrated.

Project Scope Management

ITT NETWORK SOLUTIONS. Quick Network Facts Constant 100 Mbps operation for users Infrastructure ready for 1000 Mbps operation to the user Cisco routing.

Adding services to PA and Plesk infrastructure with APS Ilya Baimetov Director of Program Management, Automation.

Mafijul Islam, PhD Software Systems, Electrical and Embedded Systems Advanced Technology & Research Research Issues in Computing Systems: An Automotive.

Khammar Mrabit Director Office of Nuclear Security

Checking & Corrective Action

Environmental Management Systems Refresher

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software processes 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 27 Slide 1 Quality Management.

Chapter 11 Software Evolution

21 Jan 05 1 Presentation at Bridges for Recognition Leuven January 2005 Mette Beyer Paulsen, Project Manager Cedefop/Thessaloniki EUROPASS - a single.

Presentation by Rachel Su’a

1 e-Governance in Bulgaria – one year after the EU accession Youri Alkalay, Jr. Director e-Government Ministry of State Administration.

Addition 1’s to 20.

©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapters 1,3 Slide 1 Software Engineering Software Engineering.

Systems Development Project Management Chapter Extension 15.

Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.

Discussion on choices for software solution Alberto Pace.

CIP Cyber Security – Security Management Controls

CERT Centers, Software Engineering Institute Carnegie Mellon University Pittsburgh, PA SEI is sponsored by the U.S. Department of Defense ©

© 2007 Carnegie Mellon University Secure Coding Initiative Jason A. Rafail Monday, May 14 th, 2007.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Wright Technology Corp. Minh Duong Tina Mendoza Tina Mendoza Mark Rivera.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

1  Carnegie Mellon University Overview of the CERT/CC and the Survivable Systems Initiative Andrew P. Moore CERT Coordination Center.

Vulnerability Analysis Dr. X. Computer system Design Implementation Maintenance Operation.

CERT Secure Coding OWASP Education Nishi Kumar Computer based training

Secure Coding Initiative

Presentation transcript:

© 2006 Carnegie Mellon University CERT Secure Coding Standards Robert C. Seacord

© 2006 Carnegie Mellon University 2 Total vulnerabilities reported (1995-2Q,2005): 19,600 5,000 4,000 3,000 2, , ,090 2,437 4,129 3,784 3,780 5,990 6,000 Problem Statement Reacting to vulnerabilities in existing systems is not working

© 2006 Carnegie Mellon University 3 Recent Trends Are No Different FY 2004 Q3 FY 2004 Q3 FY 2004 Q4 FY 2005 Q1 FY 2005 Q2 FY 2005 Q3 FY 2005 Q4 FY 2006 Q1 FY 2006 Q2 FY 2006 Q3TD

© 2006 Carnegie Mellon University 4 Secure Coding Initiative Work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Reduce the number of vulnerabilities to a level where they can be handled by computer security incident response teams (CSIRTs) Decrease remediation costs by eliminating vulnerabilities before software is deployed

© 2006 Carnegie Mellon University 5 Overall Thrusts Advance the state of the practice in secure coding Identify common programming errors that lead to software vulnerabilities Establish standard secure coding practices Educate software developers

© 2006 Carnegie Mellon University 6 CERT Secure Coding Standards Identify coding practices that can be used to improve the security of software systems under development Coding practices are classified as either rules or recommendations Rules need to be followed to claim compliance. Recommendations are guidelines or suggestions. Development of Secure Coding Standards is a community effort

© 2006 Carnegie Mellon University 7 Rules Coding practices are defined as rules when Violation of the coding practice will result in a security flaw that may result in an exploitable vulnerability. There is an enumerable set of exceptional conditions (or no such conditions) where violating the coding practice is necessary to ensure the correct behavior for the program. Conformance to the coding practice can be verified.

© 2006 Carnegie Mellon University 8 Recommendations Coding practices are defined as recommendations when Application of the coding practice is likely to improve system security. One or more of the requirements necessary for a coding practice to be considered a rule cannot be met.

© 2006 Carnegie Mellon University 9 Community Development Process Published as candidate rules and recommendations on the CERT Wiki accessible from: Rules are solicited from the community Threaded discussions used for public vetting Candidate coding practices are moved into a secure coding standard when consensus is reached

© 2006 Carnegie Mellon University 10 Scope The secure coding standards proposed by CERT are based on documented standard language versions as defined by official or de facto standards organizations. Secure coding standards are under development for: C programming language (ISO/IEC 9899:1999) C++ programming language (ISO/IEC ) Applicable technical corrigenda and documented language extensions such as the ISO/IEC TR extensions to the C library are also included.

© 2006 Carnegie Mellon University 11 Potential Applications Establish secure coding practices within an organization may be extended with organization-specific rules cannot replace or remove existing rules Train software professionals Certify programmers in secure coding Establish base-line requirements for software analysis tools Certify software systems

© 2006 Carnegie Mellon University 12 System Qualities Security is one of many system qualities that must be considered in the selection and application of a coding standard. System qualities with significant overlap Safety Reliability Availability System qualities that influence security Maintainability Understandability System qualities that make security harder Portability System qualities that may conflict with security Performance Usability

© 2006 Carnegie Mellon University 13 Implementation & Demo Externally accessible system hosted on the CERT web site Software Atlassian's confluence wiki with unlimited named users Hardware One Dell PowerEdge 2850 Two Intel Xeon Processors at 3.0GHz/2MB Cache, 800MHz FSB Memory 2GB DDR2 400MHz (2X1GB Primary Controller Embedded RAID (ROMB) Three 73GB 10K RPM Ultra 320 SCSI Hard Drives

© 2006 Carnegie Mellon University 14 Demo

© 2006 Carnegie Mellon University 15 Future Directions Provide similar products for other languages C++/CLI C# Java Ada Etc. Produce language independent guidance cross-referenced with specific examples from target languages

© 2006 Carnegie Mellon University 16 Questions

© 2006 Carnegie Mellon University 17 For More Information Visit the CERT ® web site Contact Presenter Robert C. Seacord Contact CERT Coordination Center Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh PA Hotline: CERT/CC personnel answer 8:00 a.m.–5:00 p.m. and are on call for emergencies during other hours. Fax: