The CERT Secure Coding Initiative
Robert C. Seacord
Software Engineering Institute and Computer Sciences department
Carnegie Mellon University
Tuesday, April 3, 2007
Easily avoided software defects are a primary cause of commonly
exploited software vulnerabilities. The CERT/CC has observed, through
an analysis of thousands of vulnerability reports, that most
vulnerabilities stem from a relatively small number of common
programming errors. By identifying insecure coding practices and
developing secure alternatives, software developers can take practical
steps to reduce or eliminate vulnerabilities before deployment.
The CERT Secure Coding Initiative works with software developers and
software development organizations to reduce vulnerabilities
resulting from coding errors before they are deployed. Our principal
goals are to identify common programming errors that lead to software
vulnerabilities, establish secure coding standards, educate
software developers, and advance the state of the practice in
This presentation provides an overview of the CERT Secure Coding
Initiative with a more detailed look at the CERT Secure Coding standards
for the C and C++ programming languages.
Robert C. Seacord is a senior vulnerability analyst at the
CERT/Coordination Center (CERT/CC) at the Software Engineering Institute
(SEI) located at Carnegie Mellon University in Pittsburgh, PA. Seacord is
the author of Secure Coding in C and C++ (Addison-Wesley, 2005) and coauthor
of Building Systems from Commercial Components (Addison-Wesley, 2002) and
Modernizing Legacy Systems (Addison-Wesley, 2003). Seacord has also
authored more than 40 papers on topics including software security,
component-based software engineering, web-based system design, legacy-system
modernization, component repositories and search engines, and user
interface design and development.
Seacord is an adjunct professor for the CMU School of Computer Science
and a part-time faculty member at the University of Pittsburgh.
Seacord started programming professionally for IBM in 1982, where he
specialized in communications and operating system software, processor
development, and software engineering. Seacord has worked at the X
Consortium, where he developed and maintained code for the Common
Desktop Environment and the X Window System. He is also actively
involved in the JTC1/SC22/WG14 international standardization working
group for the C programming language.
Seacord received a B.S. in computer science from Rensselaer Polytechnic
Institute in 1983.
Host: David Spooner (x6890)
Administrative support: Chris Coonrad (x8412)