
URL: https://www.sei.cmu.edu/secure-development/

Secure Development | CMU Software Engineering Institute



Secure Development

Secure development refers to the set of tools, practices, and approaches that the SEI has created to identify and prevent security flaws during early development of software systems, when it is most cost effective to do so.

To create today’s software systems, developers produce billions of lines of code each year. At that volume, the opportunity for error is high, and errors become harder to catch as the amount of code continues to increase. Even with automated testing tools, errors still make their way into commercially available products.

Those errors come with significant costs and risks. Many research studies have shown that the cost to remove defects, including security flaws, can be hundreds of times higher after deployment. And many of those errors can also pose security risks that criminals or state agents might exploit.

Better Software Through Secure Coding Practices

The SEI’s research in secure coding focuses on ensuring that the software we use every day—such as the software that powers the systems used by the Internet of Things—remains secure and safe. The aim of our research is to reduce vulnerabilities through the elimination of coding errors by investigating how errors occur and how to prevent them. Our solutions identify and prevent security flaws during development, when the cost of prevention is much lower than during the testing phase or in post-deployment.

We are active in the programming community, and we’ve gained unique experience and knowledge from auditing millions of lines of source code and performing audits on static analysis tools. We have combined that experience with research on the standards that define programming languages and how those languages are interpreted and compiled for runtime platforms. That work has allowed us to codify best practices and coding standards that improve the security of programming languages.

In addition, we have applied our research and experience with static analysis tools to improve their effectiveness through the development of rule checkers for several tools like Clang and Rosecheckers. We have also advanced and developed other secure development tools, as well as the Source Code Analysis Laboratory (SCALe), which audits code to identify security flaws.

We contribute our knowledge to the programming community—both nationally and internationally—through publications, webinars, blogs, conferences, and more. We also offer training—through live, instructor-led courses as well as online—to help developers, auditors, and testers learn the secure development skills and best practices we identify and develop.

What We Offer

Additional Resources

The Latest from the SEI Blog

Implementing Zero Trust in Operational Technology: A Practical Case Study

Blog Post
Rhonda Brown

Zero trust frameworks tailored to the unique requirements of OT systems are just beginning to emerge. The SEI is pioneering research into the application of zero trust principles within weapon system environments with embedded OT.


The Five Pillars of Software Assurance in System Acquisition

Blog Post
Dr. Carol Woody, Christopher J. Alberts, Michael S. Bandor, and Timothy A. Chick

This post presents five foundational capabilities to support the acquisition of a system with effective software assurance.


The Latest from the Digital Library

LLMs to Adjudicate Static Analysis Alerts (LASAA) Assets

Collection
Software Engineering Institute

This collection contains assets related to the LLMs to Adjudicate Static Analysis Alerts (LASAA) project.


INCH Working Group Materials

Collection
Software Engineering Institute

The Extended Incident Handling (INCH) Working Group was part of the Security Area of the Internet Engineering Task Force (IETF). The purpose of INCH was to define a data format for exchanging security incident information used by a CSIRT.


Explore Our Secure Development Projects


Our Vision for the Future of Secure Development

Our current and future research is aimed toward improving the efficiency of identifying and removing vulnerabilities through the advancement of tool automation, using machine learning to improve the accuracy of static analysis tools, and developing tools that identify certain classes of flaws and automatically correct them.

You can also find more information about our work in secure coding by subscribing to our newsletter.
