Standardizing More Secure Software
Software vulnerabilities expose the U.S. Department of Defense (DoD), other federal agencies, our nation's critical infrastructure, and businesses to attacks that could compromise their systems' integrity or expose or modify their critical information. Preventing the introduction of software vulnerabilities during software development is a proactive, efficient way to reduce risk before software is deployed.
Since forming its Secure Coding Initiative in 2003, the SEI's CERT Division has analyzed and cataloged thousands of software vulnerabilities and discovered that many share the same common errors. By engaging more than a thousand security researchers, language experts, and software developers, the CERT Division produced secure coding standards for common software development languages such as C and Java. These standards guide programmers to help them avoid coding errors that lead to vulnerabilities and provide them with example solutions.
The U.S. military, other government agencies, and system developers from industry have adopted CERT Division secure coding standards, and Siemens and Computer Associates have licensed the SEI's training courses on secure coding in C and C++. Many others in military, government, and industry organizations have taken SEI courses, including the U.S. Navy, Cisco, Raytheon, Lockheed Martin, and Qualcomm.
In addition, courses based on the CERT Division standards for C and C++ are taught at major software engineering universities and colleges, such as Carnegie Mellon, Purdue, Stevens Institute, the University of Florida, and Santa Clara University.
Finally, through its security contributions to the ISO/IEC C-language specification, the SEI's CERT Division also influences developers of C language compilers, who conform their code to the ISO/IEC C-Standard and thus to countless software products written in the C language.