Software Engineering Institute

Establishing Coding Requirements for Non-Safety-Critical C++ Systems

C++ is used extensively throughout the DoD, including major weapons systems such as the Joint Strike Fighter. Existing C++ coding standards fail to address security, subset the language (e.g., MISRA C++: 2008) or are outdated and unprofessional (e.g., C++ Coding Standard referenced in DISA’s Application Security and Development STIG).

Prioritizing Alerts from Static Analysis with Classification Models

The project created alert classification models using features derived from multiple static analysis tools, code base metrics, and archived audit determinations. The results are accurate predictors of alert validity, intended for use in automatic prioritization of alerts from static analysis tools that minimizes the number of alerts needing human assessment.

Automated Code Repair

This project focused on integer overflow in calculations of how much memory to allocate and calculations related to array bounds. Through this work, we will reduce a typical number of unhandled violations to a number small enough for a development team to mitigate all of them.

Common Exploits and How to Prevent Them

This talk was given at the Secure Coding Symposium in Arlington, Virginia in September 2016. At this event, software development and assurance professionals discussed current challenges in the areas of secure coding practice adoption and software assurance.