Updating Risk Assessment in the CERT Secure Coding Standard

Bringing a codebase into compliance with the SEI CERT Coding Standards requires a cost of time and effort, namely in the form of a static analysis tool. But those who are familiar with static analysis tools know that the alerts are not always reliable and produce false positives that must be detected and disregarded. This year, we plan on making some exciting updates to the SEI CERT C Coding Standard to better harmonize with the current state of the art for static analysis tools, as well as simplify the process of source code security auditing. This may help users of automated program repair tools prioritize security mitigations in code more effectively when using the CERT Secure Coding Standard. In this podcast from the Carnegie Mellon University Software Engineering Institute, David Svoboda and Joseph Sible, both engineers in CERT’s Applied Systems Group and primary developers and maintainers of the standard, sit down with Robert Schiela, deputy technical director of the Cybersecurity Foundations team in CERT, to discuss the proposed changes, specifically in the area of risk assessment.