Carnegie Mellon University’s Computer Emergency Response Team (CERT) is all about making information technology more secure. Yet beyond just identifying security problems, CERT is also concerned with helping developers eliminate security problems before they occur — by encouraging them to code more securely.
In a new joint effort with source code analysis vendor Fortify, CERT is working to produce automated compliance checking for the CERT C and C++ Secure Coding Standards. A third party, Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC, a separate organization from CERT), will measure the effectiveness of the rules.
Automating compliance checking in this way could dramatically improve the security of the resulting code.
“It’s hard to quantify security; it’s hard to say we improved things and we did it by this much, but it’s the right thing to do,” Brian Chess, Fortify’s founder and chief scientist, told InternetNews.com. “The measurement step is a bit scary to me, but also really important to me. We are going to measurably improve the code we’re looking at.”
Chess explained that the first step of the process involves CERT authoring its secure coding rules in a format that can then be imported into Fortify’s source code analysis product, dubbed Fortify SCA. In the second phase, JPCERT/CC will run Fortify SCA with the CERT rules and measure how effective the rules are.
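To make the idea of an automated compliance check concrete, here is a deliberately minimal checker for two CERT C rules, written as an added illustration for this article; it is not code from CERT, Fortify or JPCERT/CC, and the rule-table format, the function names and the sample C source are all assumptions constructed for the example. The rule identifiers MSC24-C (do not use obsolescent functions such as gets()) and ENV33-C (do not call system()) are real CERT C rule names. A production tool such as Fortify SCA works on a parsed representation of the program rather than on text, but the example shows the shape of what a rule pack encodes: a pattern to detect, the rule it maps to, and a finding with a line number.

```python
import re

# Simplified rule table: called function -> (CERT C rule id, remediation hint).
# The rule ids are real CERT C identifiers; this table layout is an assumption
# made for the example and is not the format CERT or Fortify SCA use.
RULES = {
    "gets": ("MSC24-C", "gets() cannot bound its input; use fgets() with an explicit size"),
    "system": ("ENV33-C", "system() hands a string to a shell; use an exec-family call instead"),
}

# \b keeps fgets() from matching the gets rule; \s*\( requires an actual call.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")


def strip_comments(source):
    """Blank out /* */ and // comments while preserving line numbers,
    so a function named in a comment is not reported as a call."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def check_cert_rules(source):
    """Return (line number, rule id, message) for every flagged call in a C source string."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            rule_id, msg = RULES[m.group(1)]
            findings.append((lineno, rule_id, msg))
    return findings


# Constructed sample input (not real project code); line 7 and line 9 should be flagged.
SAMPLE = """\
#include <stdio.h>
#include <stdlib.h>

/* gets() in a comment must not be reported */
int main(void) {
    char buf[64];
    gets(buf);                      // noncompliant: MSC24-C
    fgets(buf, sizeof buf, stdin);  // compliant alternative, not flagged
    system("ls");                   // noncompliant: ENV33-C
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, rule_id, msg in check_cert_rules(SAMPLE):
        print(f"line {lineno}: {rule_id}: {msg}")
```

Running the block prints one finding per noncompliant call; the fgets() line and the comment mention of gets() are correctly left alone, which is the kind of false-positive control a measured rule pack has to get right before its effectiveness can be reported.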
Finally, by the spring of 2008, the plan is to have a set of rules, as well as a report that demonstrates that the rules are effective in helping to create more secure code.
Fortify was founded in 2004 with a focus on static code analysis. Although its commercial product, Fortify SCA, plays an integral role in the plan, the company’s collaboration with CERT is designed to produce an open piece of intellectual property, or open code.
“The output of this project will be rules, something in a format that the Fortify source code analysis tool can read,” Chess explained. “It’s fair to call it open source because other people could take it and make it work in their own tools, too.”
So what’s in it for Fortify? According to Chess, the CERT rules for checking secure source code will be in addition to those that SCA already includes, thereby expanding the product’s usefulness.
“This will now be an alternative, so if you want to do things the way CERT says, you should do them,” he said. “Just plug the rule pack in and you can enforce CERT’s rules instead of Fortify’s. So now, an organization that wants to follow the CERT methodology has got CERT’s stamp of approval to use Fortify to do that.”
It is not clear yet whether Carnegie Mellon’s CERT methodology will in some way be enforced or recommended by its big brother, the Department of Homeland Security’s US-CERT, though Chess is hopeful.
“It’s a goal of ours to see adoption of more than just a source code analysis tool, but a methodology of creating code that is then enforced by a source code tool,” Chess said.