October 02, 2007
Fortify, CERT/CC Team Up for Secure C, C++

Reducing Exploitable Vulnerabilities in C and C++

Fortify Software, the CERT Coordination Center (CERT/CC) at Carnegie Mellon's Software Engineering Institute, and JPCERT/CC are teaming up to automate compliance checking against the CERT C and C++ Secure Coding Standard using Fortify Source Code Analysis (SCA), so that software developers can eliminate vulnerabilities before applications are deployed.

"Although establishing secure coding guidelines is a prerequisite to improving secure coding practices in both government and industry, these guidelines can be lengthy and complex, making it difficult for developers to learn and apply," said Robert Seacord, a senior vulnerability analyst at CERT who is leading its secure coding initiative and author of several Dr. Dobb's articles, including Secure Coding in C++/CLI and Programming Language Format String Vulnerabilities.

"Extending Fortify to validate source code for compliance simplifies the process of adopting the CERT Secure Coding standards and lets developers focus on eliminating software vulnerabilities that cannot be easily detected by automated means," said Seacord.

This multi-organization collaboration is designed to determine how practical and effective automated compliance rules are in real-world development. It will take place in three stages.

  • First, CERT/CC will develop rules for Fortify SCA that check for non-compliance with the CERT C and C++ Secure Coding guidelines.
  • Then, at the beginning of the new year, Fortify and CERT/CC expect to make a Fortify Rulepack publicly available, which will also be provided to JPCERT/CC. JPCERT/CC, working in collaboration with Software Research Associates of Japan, will run Fortify SCA with the enhanced rule set on several projects currently under development.
  • As the third step in this process, CERT/CC and JPCERT/CC will publish an SEI technical report describing the results of the study in Spring 2008.

"Static analysis tools continue to evolve, have become increasingly more capable, and add huge value to an organization's security in terms of finding and removing exploitable vulnerabilities," said Brian Chess, Fortify's founder and chief scientist. "There's considerable benefit to the software development community in supporting CERT's secure coding guidelines, and we're thrilled that Fortify SCA has the opportunity to be the first solution to be integrated with this initiative."

"Between 1995 and 2006, the data CERT/CC collected and analyzed from numerous sources shows that the number of reported software vulnerabilities increased an average of 52 percent per year," said Art Manion, the Vulnerability Analysis team lead at CERT/CC. "Fixing software vulnerabilities in deployed systems is critical to operational security; however, this approach is unlikely to substantially reduce the overall number of software vulnerabilities. Since the major cause of software vulnerabilities is code defects, it makes sense to address the problem close to the source, using secure coding practices."
