Published Jan 12, 2022

Episode 494: Robert Seacord on Avoiding Defects in C Programming

Robert Seacord delves into the complexities of C programming, focusing on static and dynamic analysis to identify vulnerabilities, the evolution of C standards, and strategies for tackling memory-related security challenges, providing invaluable insights for writing secure and efficient code.

Software Engineering Radio - the podcast for professional software developers

Episode Highlights

  • Analysis Tools

    Static and dynamic analysis are crucial tools in identifying and fixing vulnerabilities in C programming. Robert Seacord explains that static analysis resembles a compiler, building an abstract syntax tree to detect structural defects in code. However, it struggles with data flow and control flow issues, which is where dynamic analysis excels. Dynamic analysis tools like AddressSanitizer and ThreadSanitizer instrument executables to catch violations during testing.

    Dynamic analysis is more effective at discovering things like dynamic memory issues and concurrency issues.

    ---

    These tools are essential for uncovering memory management and concurrency problems that static analysis might miss.

  • Secure Coding

    Secure coding in C requires a deep understanding of the language and its nuances. Seacord emphasizes the importance of predicting the assembly code generated from C source code to ensure secure coding practices. Experimentation and proving assumptions through testing are vital for mastering C programming.

    The best time to avoid a defect is when you're coding.

    ---

    He advises against relying solely on trial and error, advocating for a comprehensive understanding of input validation and type conversions to handle unexpected data.
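
The point about input validation and type conversions, as an added example that is not code from the episode: a length check done in signed arithmetic accepts a negative value, which becomes a huge `size_t` once passed to `memcpy()`. All function names, the buffer size and the sample lengths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16  /* constructed size for this example */

/* Weak validation: only the upper bound is checked, in signed arithmetic,
 * so a negative length is accepted. */
int weak_len_ok(int len)
{
    return len <= BUF_SIZE;
}

/* The byte count memcpy() would receive once int is converted to size_t. */
size_t size_seen_by_memcpy(int len)
{
    return (size_t)len;
}

/* Hardened copy: reject negatives before converting, then compare as size_t.
 * The caller guarantees src holds at least len bytes.
 * Returns the number of bytes copied, or -1 if the length is rejected. */
int checked_copy(unsigned char *dst, size_t dst_size,
                 const unsigned char *src, int len)
{
    if (dst == NULL || src == NULL || len < 0 || (size_t)len > dst_size)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Run checked_copy() on a constructed 16-byte source and destination. */
int demo_checked(int len)
{
    static const unsigned char src[BUF_SIZE] = "sample input";
    unsigned char dst[BUF_SIZE] = {0};
    return checked_copy(dst, sizeof dst, src, len);
}

int main(void)
{
    const int lens[] = { -1, 8, 16, 17 };  /* constructed test lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%3d weak_ok=%d memcpy_size=%zu checked=%d\n", lens[i],
               weak_len_ok(lens[i]), size_seen_by_memcpy(lens[i]),
               demo_checked(lens[i]));
    return 0;
}
```

Building this with `-fsanitize=address` and calling `memcpy()` after only the weak check is the kind of violation the dynamic analysis tools described above report at run time.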
