search menu icon-carat-right cmu-wordmark
Our Research

Secure Development

Secure development refers to the set of tools, practices, and approaches that the SEI has created to identify and prevent security flaws during early development of software systems, when it is most cost effective to do so.

To create today’s software systems, developers produce billions of lines of code each year. At that volume, there’s a high opportunity for error, and it becomes harder and harder to catch those errors as the amount of code continues to increase. Even with automated testing tools, errors still manage to get into commercially available products.

Those errors come with significant costs and risks. Many research studies have shown that the cost to remove defects, including security flaws, can be hundreds of times higher after deployment. And many of those errors can also pose security risks that criminals or state agents might exploit.

Better Software Through Secure Coding Practices

The SEI’s research in secure coding focuses on ensuring that the software we use every day—such as the software that powers the systems used by the Internet of Things—remains secure and safe. The aim of our research is to reduce vulnerabilities through the elimination of coding errors by investigating how errors occur and how to prevent them. Our solutions identify and prevent security flaws during development, when the cost of prevention is much lower than during the testing phase or in post-deployment.

We are active in the programming community, and we’ve gained unique experience and knowledge from auditing millions of lines of source code and performing audits on static analysis tools. We have combined that experience with research on the standards that define programming languages and how those languages are interpreted and compiled for runtime platforms. That work has allowed us to codify best practices and coding standards that improve the security of programming languages.

In addition, we have applied our research and experience with static analysis tools to improve their effectiveness through the development of rule checkers for several tools like Clang and Rosecheckers. We have also advanced and developed other secure development tools, as well as the Source Code Analysis Laboratory (SCALe), which audits code to identify security flaws.

We contribute our knowledge to the programming community—both nationally and internationally—through publications, webinars, blogs, conferences, and more. We also offer training—through live, instructor-led courses as well as online—to help developers, auditors, and testers learn the secure development skills and best practices we identify and develop.

What We Offer

The Latest from the SEI Blog

Christopher Alberts

The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain

November 06, 2023 • Blog Post
Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody

This post presents a framework to promote the use of SBOMs and establish practices and processes that organizations can leverage as they build their...

read
Garret Wassermann

Rust Vulnerability Analysis and Maturity Challenges

January 23, 2023 • Blog Post
Garret Wassermann, David Svoboda

This post explores tools for understanding vulnerabilities in the Rust programming language as well as the maturity of the Rust software ecosystem as a whole and how that might impact future security...

read

Our Vision for the Future of Secure Development

Our current and future research is aimed toward improving the efficiency of identifying and removing vulnerabilities through the advancement of tool automation, using machine learning to improve the accuracy of static analysis tools, and developing tools that identify certain classes of flaws and automatically correct them.

You can also find more information about our work in secure coding by subscribing to our newsletter.

Learn More