
Note: This page is part of the us-cert.gov archive. This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.


William L. Fithen

Bill is a Senior Member of the Technical Staff at the CERT® Coordination Center, a unit of the Software Engineering Institute, specializing in the analysis and modeling of software vulnerabilities.

Bill has served in various capacities within the CERT/CC since he joined in 1995. Before joining CERT, he held various technical and leadership roles in the computing and networking infrastructures at the University of Pittsburgh and Louisiana Tech University. He holds a B.S. in physics and an M.S. in computer science from Louisiana Tech University.


Selected Publications

William L. Fithen, Shawn V. Hernan, Paul F. O'Rourke, and David A. Shinberg. "Formal Modeling of Vulnerability." Bell Labs Technical Journal 8(4), 173-186 (2004).

William A. Arbaugh, William L. Fithen, and John McHugh. "Windows of Vulnerability: a Case Study Analysis." IEEE Computer, 2000.


Authored Guidelines

Name / Content Area

Use Well-Known Cryptography Appropriately and Correctly / Knowledge, Coding Practices
Assume that Human Behavior Will Introduce Vulnerabilities into Your System / Knowledge, Coding Practices
Be Suspicious about Trusting Unauthenticated External Representation of Internal Data Structures / Knowledge, Coding Practices
Carefully Study Other Systems Before Incorporating Them into Your System / Knowledge, Coding Practices
Clear Discarded Storage that Contained Secrets and Do Not Read Uninitialized Storage / Knowledge, Coding Practices
Design Configuration Subsystems Correctly and Distribute Safe Default Configurations / Knowledge, Coding Practices
Do Not Perform Arithmetic with Unvalidated Input / Knowledge, Coding Practices
Do Not Use the "%n" Format String Specifier / Knowledge, Coding Practices
Ensure that Input Is Properly Canonicalized / Knowledge, Coding Practices
Ensure that the Bounds of No Memory Region Are Violated / Knowledge, Coding Practices
Follow the Rules Regarding Concurrency Management / Knowledge, Coding Practices
Guidelines Overview / Knowledge, Coding Practices
Handle All Errors Safely / Knowledge, Coding Practices
If Emulation of Another System Is Necessary, Ensure that It Is as Correct and Complete as Possible / Knowledge, Coding Practices
Never Use Unvalidated Input as Part of a Directive to any Internal Component / Knowledge, Coding Practices
Treat the Entire Inherited Process Context as Unvalidated Input / Knowledge, Coding Practices
Use Authentication Mechanisms, Where Appropriate, Correctly / Knowledge, Coding Practices
Use Authorization Mechanisms Correctly / Knowledge, Coding Practices