search menu icon-carat-right cmu-wordmark

Posts by David Svoboda

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

• Blog
David Svoboda

The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT). High-end automobiles today have more than 100 million lines of code, and connectivity between cars and the outside world through, for example, infotainment systems and the Global Positioning System (GPS) expose a number of interfaces that can be attacked to communicate with an automobile in unintended...

Read More
Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

• Blog
David Svoboda

The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity. Printers in secure facilities have been used to exfiltrate data from the systems to which they were connected, and even a thermometer in a casino's fish tank was used to gain access to the casino's infrastructure and extract data about customers, gamblers, etc. In this blog...

Read More
CERT C++ Secure Coding Guidelines

CERT C++ Secure Coding Guidelines

• Blog
David Svoboda

Software vulnerabilities typically cost organizations an average of $300,000 per security incident. Efforts aimed at eliminating software vulnerabilities must focus on secure coding, preventing the vulnerabilities from being deployed into production code. "Between 2010 and 2015, buffer overflows accounted for between 10-16% of publicly reported security vulnerabilities in the U.S. National Vulnerability Database each year," Microsoft researcher David Tarditi wrote in a recent report. In March, the Secure Coding Team in the SEI's CERT Division...

Read More
Is Java More Secure than C?

Is Java More Secure than C?

• Blog
David Svoboda

By David Svoboda Senior Member of the Technical Staff CERT Division Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When we began writing the SEI CERT Oracle Coding Standard for Java, we thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. We naively assumed that a more...

Read More
Java Zero Day Vulnerabilities

Java Zero Day Vulnerabilities

• Blog
David Svoboda

A zero-day vulnerability refers to a software security vulnerability that has been exploited before any patch is published. In the past, vulnerabilities were widely exploited even when a patch was available, which means they were not zero-day. Today, zero-day vulnerabilities are common. Notorious examples include the recent Stuxnet and Operation Aurora exploits. Vulnerabilities may arise from a variety of sources, but most vulnerabilities are the result of simple coding errors. Consequently, developers need to understand...

Read More
Using the Pointer Ownership Model to Secure Memory Management in C and C++

Using the Pointer Ownership Model to Secure Memory Management in C and C++

• Blog
David Svoboda

This blog post describes a research initiative aimed at eliminating vulnerabilities resulting from memory management problems in C and C++. Memory problems in C and C++ can lead to serious software vulnerabilities including difficulty fixing bugs, performance impediments, program crashes (including null pointer deference and out-of-memory errors), and remote code execution....

Read More
The CERT Perl Secure Coding Standard

The CERT Perl Secure Coding Standard

• Blog
David Svoboda

As security specialists, we are often asked to audit software and provide expertise on secure coding practices. Our research and efforts have produced several coding standards specifically dealing with security in popular programming languages, such as C, Java, and C++. This posting describes our work on the CERT Perl Secure Coding Standard, which provides a core of well-documented and enforceable coding rules and recommendations for Perl, which is a popular scripting language....

Read More

Contact the Author

David Svoboda

SEI Digital Library

SEI Publications

Visit the SEI Digital Library to see other publications by David Svoboda

View publications