SEI Insights

Recent Posts

A 5-Step Process for Release Planning

• SEI Blog
Robert Ferguson

Software products are often used for two decades or more. Several researchers have shown that the cost of maintenance and sustainment ranges between 40 and 80 percent of the total lifecycle cost, with a median estimate near 70 percent. Sometimes executives have asked, "Why does software sustainment cost so much?" This blog turns the question around to ask, "Can we get better value from our continuing software investment?" Of course, the answer is affirmative. We can examine changes in mission objectives, technology and environment to see how to position our product for the best use and value just as we do...

Six Free Tools for Creating a Cyber Simulator

• SEI Blog
Joseph Mayes

It can be hard for developers of cybersecurity training to create realistic simulations and training exercises when trainees are operating in closed (often classified) environments with no ability to connect to the Internet. To address this challenge, the CERT Workforce Development (CWD) Team recently released a suite of open-source and freely available tools for use in creating realistic Internet simulations for cybersecurity training and other purposes. The tools improve the realism, efficiency, and cost effectiveness of cybersecurity training. In this blog post, I will describe these tools and provide information about how to download, learn more about, and use them....

A New Scientifically Supported Best Practice That Can Enhance Every Insider Threat Program!

• Insider Threat Blog
Michael C. Theis

(Or..."How This One Weird Thing Can Take Your Program to the Next Level!") The CERT National Insider Threat Center (NITC) continues to transition its insider threat research to the public through its publications of the Common Sense Guide to Mitigating Insider Threats (CSG), blog posts, and other research papers. We recently released an updated version of the CSG: the Common Sense Guide to Mitigating Insider Threats, Sixth Edition. In this post, I'll highlight the new additions and updates: best-practice mappings to standards and more attention to workplace violence, monitoring, and privacy. I'll also walk you through the new best practice,...

Establishing the Pre-assessment DevOps Posture of an SDLC in a Highly Regulated Environment: Third in a Series

• DevOps Blog
Jose Morales

This third installment in our blog series on implementing DevOps in highly regulated environments (HREs), which is based upon a recently published paper, discusses the second step in a DevOps assessment: establishing the pre-assessment DevOps posture of an HRE. (Read the first and second post in the series.) The posture is the current DevOps implementation, if any, in an HRE's software development lifecycle (SDLC). Recall that the ultimate goal of the DevOps assessment is to improve an SDLC. In this case, the tool set being used to achieve that goal is DevOps. It is important to understand the maturity level...

Business Email Compromise: Operation Wire Wire and New Attack Vectors

• SEI Blog
Anne Connell

In June 2018, Federal authorities announced a significant coordinated effort to disrupt business email compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals. Operation Wire Wire, a coordinated law enforcement effort by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury, and the U.S. Postal Inspection Service, was conducted over a six-month period and resulted in 74 arrests in the United States and overseas, including 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and...

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

• SEI Blog
David Svoboda

The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT). High-end automobiles today have more than 100 million lines of code, and connectivity between cars and the outside world through, for example, infotainment systems and the Global Positioning System (GPS) expose a number of interfaces that can be attacked to communicate with an automobile in unintended and potentially dangerous ways. In Part 1 of this two-part blog post on the use of SEI CERT Coding Standards to improve the security of the...

Securely Connecting Africa

• SEI Blog
Vijay Sarvepalli

While the Internet has enabled modernization in parts of the developing world, it has also introduced new cybersecurity challenges. Many developing countries are unprepared for large-scale cyber attacks and ongoing threats posed by hackers. A July 2017 New York Times article notes that developing countries have become an ideal testing ground for hackers. These attacks caught the attention of the Cote d'Ivoire (Ivory Coast) computer security incident response (CSIRT) team, who reached out to the SEI through the U.S. Department of State Office of the Coordinator for Cyber Issues (S/CCI) to request a collaborative workshop to help Cote d'Ivoire address...

API Hashing Tool, Imagine That

• CERT/CC Blog
Kyle O'Meara

In the fall of 2018, the CERT Coordination Center (CERT/CC) Reverse Engineering (RE) Team received a tip from a trusted source about a YARA rule that triggered an alert in VirusTotal. This YARA rule was found in the Department of Homeland Security (DHS) Alert TA17-293A, which describes nation state threat activity associated with Russian activity. I believed this information warranted further analysis....

Are You Providing Cybersecurity Awareness, Training, or Education?

• Insider Threat Blog
Mike Petock

When I attend trainings, conferences, or briefings, I usually end up listening to someone reading slides about a problem. Rarely am I provided with any solutions or actions to remediate the problem. As a cybersecurity trainer with 17+ years of experience and a degree in education, I understand that developing a good presentation is a challenge in any domain. Fortunately for cybersecurity professionals, the National Institute of Standards and Technology (NIST) can help you choose which kind of presentation to give. This blog post will review the three types of presentations defined by NIST: awareness, training, and education....

Enabling Shift-Left Testing from Small Teams to Large Systems

• SEI Blog
Nanette Brown

Shift left is a familiar exhortation to teams and organizations engaged in Agile and Lean software development. It most commonly refers to incorporating test practices and an overall test sensibility early in the software development process (although it may also be applied in a DevOps context to the need to pull forward operations practices). Shift left sounds reasonably straightforward: just take the tasks that are on the right-hand side of your timeline and pull them forward (i.e., shift them to the left). As this post describes, however, there are some subtleties and qualifications you should consider in order to realize...

Insider Threats in Entertainment (Part 8 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Mark Dandrea

This post was co-authored by Carrie Gardner. The Entertainment Industry is the next spotlight blog in the Industry Sector series. Movie and television producers have long entertained the public with insider threat dramas such as Jurassic Park, Office Space, or the more recent Mr. Robot. These dramas showcase the magnitude of damage that can occur from incidents involving our assumed good, trusted employees. Yet as we discuss in this post, movie producers and the entertainment industry are not immune from experiencing such incidents....

Towards a New Model of Acquisition: Product-Line Architectures for the DoD

• SEI Blog
Nickolas Guertin

It is widely recognized that the Department of Defense (DoD) needs to have a nimble response to nimble adversaries. However, the inflexibility of many DoD development and acquisition practices begets inflexible architectures that often slow progress and increase risk to operational forces. This rejection of modern development methods actually increases program risk and extends development timelines, effectively reducing the value of the DoD's acquisition portfolio. As a result, the current lack of capacity for breadth and pace of change impedes our ability to evolve capability quickly and robustly enough to meet new requirements in emerging technical and warfighting environments. The...

Operation Cloud Hopper Case Study

• SEI Blog
Nathaniel Richmond

In December, a grand jury indicted members of the APT10 group for a tactical campaign known as Operation Cloud Hopper, a global series of sustained attacks against managed service providers and, subsequently, their clients. These attacks aimed to gain access to sensitive intellectual and customer data. US-CERT noted that a defining characteristic of Operation Cloud Hopper was that upon gaining access to a cloud service provider (CSP) the attackers used the cloud infrastructure to hop from one target to another, gaining access to sensitive data in a wide range of government and industrial entities in healthcare, manufacturing, finance, and biotech...

The Modern Software Factory and Independent V&V for Machine Learning: Two Key Recommendations for Improving Software in Defense Systems

• SEI Blog
Paul Nielsen

Software-enabled capabilities are essential for our nation's defense systems. I recently served on a Defense Science Board (DSB) Task Force whose purpose was to determine whether iterative development practices such as Agile are applicable to the development and sustainment of software for the Department of Defense (DoD). The resulting report, Design and Acquisition of Software for Defense Systems, made seven recommendations on how to improve software acquisition in defense systems: A key evaluation criterion in the source selection process should be the efficacy of the offeror's software factory. The DoD and its defense-industrial-base partners should adopt continuous iterative development best...

Insider Threats in Healthcare (Part 7 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Josh Vasko

This post was co-authored by Carrie Gardner. Next in the Insider Threats Across Industry Sectors series is Healthcare. As Healthcare-related information security conversations are predominantly driven by security and privacy concerns related to patient care and data, it's important to recognize the magnitude of security lapses in this sector. Patients can face severe, permanent consequences from medical record misuse, alteration, or destruction. And medical record fraud vis-à-vis identity theft, otherwise known simply as Fraud in our incident corpus, is one of the primary types of security incidents observed in this sector....

An Appraisal of the Systems Engineering Journal's Treatment of Software Over the Last Two Decades

• SEI Blog
Sarah Sheard

Systems engineers working today face many challenges, both in building the complex systems of systems of the future and in building the complex systems of which they are composed. Systems engineers need to be able to design around stable requirements when long-lead manufactured items are required, and they also need to evolve the design along with changing requirements for larger systems. Software plays an integral role in helping systems engineers accomplish these goals. The importance of software engineering to systems engineering, and vice versa, cannot be overstated. As I stated in an earlier blog post, systems engineers are responsible for...

Top 5 Incident Management Issues

• Insider Threat Blog
Mike Fritz

The CERT Division of the SEI has a history of helping organizations develop, improve, and assess their incident management functions. Frequently we discover that an organization's primary focus is on security incident response, rather than the broader effort of security incident management. Incident response is just one step in the incident management lifecycle. In this blog post, we look at five recurring issues we regularly encounter in organizations' Incident Management programs, along with recommended solutions. By discovering and resolving these issues, organizations can attain a better cybersecurity posture....

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

• SEI Blog
David Svoboda

The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity. Printers in secure facilities have been used to exfiltrate data from the systems to which they were connected, and even a thermometer in a casino's fish tank was used to gain access to the casino's infrastructure and extract data about customers, gamblers, etc. In this blog post, I describe how the SEI CERT Coding Standards work and how they can reduce risk in Internet-connected systems. This is the first installment in...

Expectations for Implementing DevOps in a Highly Regulated Environment: Second in a Series

• DevOps Blog
Jose Morales

This second installment in the blog post series on implementing DevOps in highly regulated environments (HREs), which is excerpted from a recently published paper, discusses the first step in a DevOps assessment: setting expectations with the organization. This step is a critical task in an assessment because it sets the boundaries of what will be performed and delivered....

Insider Threats in Information Technology (Part 6 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Michaela Webster

This blog post was co-authored by Carrie Gardner. As Carrie Gardner wrote in the second blog post in this series, which introduced the Industry Sector Taxonomy, information technology (IT) organizations fall in the NAICS Code category professional, scientific, and technology. IT organizations develop products and perform services advancing the state of the art in technology applications. In many cases, these services directly impact the supply chain since many organizations rely on products and services from other organizations to perform and carry out their own business goals. This post covers insider incidents in the IT sector and focuses mainly on malicious,...

SATURN Blog Merging with SEI Blog

• Insider Threat Blog
Tamara Marshall-Keim

Changes are coming in how we communicate with the SEI Architecture User Network (SATURN) beginning February 18. Technical content of interest to software architecture practitioners will be folded into the SEI Blog. No further announcements will be posted to this page. But this doesn't mean the SATURN Conference is changing. The SATURN Conference will continue to be held annually and will celebrate its 15th year in Pittsburgh from May 6 to 9. Registration is open. For updates on SATURN 2019 and future SATURN Conferences, follow @SATURN_News on Twitter and join SATURN - A Software Architecture Community on LinkedIn. You can...

Evaluating Threat-Modeling Methods for Cyber-Physical Systems

• SEI Blog
Nataliya Shevchenko

Addressing cybersecurity for a complex system, especially for a cyber-physical system of systems (CPSoS), requires a strategic approach during the entire lifecycle of the system. Examples of CPSoS include rail transport systems, power plants, and integrated air-defense capability. All these systems consist of large physical, cyber-physical, and cyber-only subsystems with complex dynamics. In the first blog post in this series, I summarized 12 available threat-modeling methods (TMMs). In this post, I will identify criteria for choosing and evaluating a threat-modeling method (TMM) for a CPSoS....

Challenges to Implementing DevOps in Highly Regulated Environments: First in a Series

• DevOps Blog
Jose Morales

In academia, government, and industry, DevOps has become a standard, straightforward option for streamlining efforts and increasing comprehensive participation by all stakeholders in the software development lifecycle (SDLC). In highly regulated environments (HREs) within these three sectors, however, applying DevOps can prove challenging. HREs are mandated by policies for various reasons, the most common being general security and protection of intellectual property, which makes the sharing and open-access principles of DevOps that much harder to apply. In this blog post series on DevOps and HREs, which is based on a published paper, we will discuss the process, challenges, approaches, and...

Deep Learning and Satellite Imagery: DIUx Xview Challenge

• SEI Blog
Ritwik Gupta

In 2017 and 2018, the United States witnessed a milestone year of climate and weather-related disasters from droughts and wildfires to cyclones and hurricanes. Increasingly, satellites are playing an important role in helping emergency responders assess the damage of a weather event and find victims in its aftermath. Most recently satellites have tracked the devastation wrought by the California wildfires from space. The United States military, which is often the first on the scene of a natural disaster, is increasingly interested in the use of deep learning to automate the identification of victims and structures in satellite imagery to assist...

Improving Assessments for Cybersecurity Training

• SEI Blog
April Galyardt

The CERT Cyber Workforce Development Directorate conducts training in cyber operations for the DoD and other government customers as part of its commitment to strengthen the nation's cybersecurity workforce. A part of this work is to develop capabilities that better enable DoD cyber forces to "train as you fight," such as setting up high-fidelity simulation environments for cyber forces to practice skills including network defense, incident response, digital forensics, etc. However, cybersecurity is a challenging domain in which to train, because it is a dynamic discipline that changes rapidly and requires those working in the field to regularly learn...

Governance of a Software Product Line: Complexities and Goals

• SEI Blog
Robert Ferguson

My prior blog post on product lines in DoD sustainment described the complexity of contractual relationships in a DoD software product line. Recall that a software product line is a collection of related products with shared software artifacts and engineering services that has been developed by a single organization in support of multiple programs serving multiple missions and different customers. A product line can reduce cost of development and support. In exchange, it can be a cause of conflicting priorities between customers, much like the similar problem in joint program management. This blog post describes a set of guidelines and...

Deep Learning, Agile-DevOps, and Cloud Security: The Top 10 Blog Posts of 2018

• SEI Blog
Douglas C. Schmidt

Every January on the SEI Blog, we present the 10 most-visited posts of the previous year. This year's top 10, which features posts published between January 1, 2018, and December 31, 2018, brought an ever-increasing number of visitors to the blog.

10. Why You Should Apply Agile-DevOps Earlier in the Lifecycle
9. Best Practices and Considerations in Egress Filtering
8. Deep Learning: Going Deeper toward Meaningful Patterns in Complex Data
7. Why Does Software Cost So Much?
6. Revealing True Emotions through Micro-Expressions: A Machine Learning Approach
5. Translating Between Statistics and Machine Learning
4. Best Practices for Cloud Security
3. Security Begins at the Home Router...

Call for Papers: International Conference on Technical Debt (TechDebt 2019)

• SEI Blog
Tamara Marshall-Keim

The Second International Conference on Technical Debt will be held in Montréal, QC, Canada, on May 26-27, 2019, collocated with ICSE 2019. The conference brings together leading software researchers, practitioners, and tool vendors to explore theoretical and practical approaches that manage technical debt. Technical debt describes a universal software development phenomenon: design or implementation constructs that are expedient in the short term, but set up a technical context that can make future change more costly or impossible. Developers and managers use the concept to communicate key tradeoffs related to release and quality issues. As the interest in technical debt from...

SCALe v. 3: Automated Classification and Advanced Prioritization of Static Analysis Alerts

• SEI Blog
Lori Flynn

This post was co-authored by Ebonie McNeil. Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in Lori's first blog post on this topic, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool since 2010 as part of our research on new ways to help analysts be more efficient and effective at auditing static analysis alerts....

Deploying the CERT Microcosm DevSecOps Pipeline using Docker-Compose and Kubernetes

• DevOps Blog
Shane Ficorilli

According to DevSecOps: Early, Everywhere, at Scale, a survey published by Sonatype, "Mature DevOps organizations are able to perform automated security analysis on each phase (design, develop, test) more often than non-DevOps organizations." Since DevOps enables strong collaboration and automation of the process and enforces traceability, mature DevOps organizations are more likely to perform automated security analysis than non-DevOps organizations. My previous blog post, Microcosm: A Secure DevOps Pipeline as Code, helped address the problem that most organizations do not have a complete deployment pipeline in place (and are therefore not considered to be DevOps mature) by automating penetration...

Path Finding in Malicious Binaries: First in a Series

• SEI Blog
Jeffrey Gennari

In a previous post, I discussed the Pharos Binary Analysis Framework and tools to support reverse engineering of binaries with a focus on malicious code analysis. Recall that Pharos is a framework created by our CERT team that builds upon the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory. ROSE provides a number of facilities for binary analysis including disassembly, control flow analysis, instruction semantics, and more. Pharos uses these features to automate common reverse engineering tasks. Since our last post, we have developed new techniques and tools in the Pharos framework to solve a problem that may be...

DGA Domains with SSL Certificates? Why?

• CERT/CC Blog
Leigh Metcalf

CertStream is a free service for getting information from the Certificate Transparency Log Network. I decided to investigate the presence of domains generated by Domain Generation Algorithms (DGA) in this stream and I found some interesting phenomena....

Towards Improving CVSS

• CERT/CC Blog
Deana Shick

If you are a software vendor, IT administrator, or CSIRT team, you are probably using the Common Vulnerability Scoring System (CVSS) in one way or another. The CERT/CC recently published a white paper entitled Towards Improving CVSS that outlines what we consider to be major challenges with the standard and discusses some ways forward. This post is a summary of that paper; if you are interested, please review the full paper for an elaboration of the concerns outlined below....

Insider Threats in Finance and Insurance (Part 4 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Sarah Miller

This post was co-authored by Jonathan Trotman. In the previous post of our series analyzing and summarizing insider incidents across multiple sectors, we discussed some of the mandates and requirements associated with federal government insider threat programs as well as documented insider threat incidents. In this post, we will discuss information security regulations and insider threat metrics based on Finance and Insurance incidents from our CERT National Insider Threat Center (NITC) Incident Corpus....

Submit Proposals for SATURN 2019!

• Insider Threat Blog
Michele Falce

The deadline for submitting presentation proposals for SATURN 2019 is approaching quickly! As you probably know already, SATURN is a great opportunity to share and discover new advances around software architecture in industry. If you are new to the conference, it provides a great opportunity to get exposure for your work. If you are a repeat attendee, it is an excellent opportunity to give updates and receive feedback on work that was presented previously or to present new contributions. This year, we have three primary tracks: Data Analytics, Machine Learning, Big Data, and Artificial Intelligence (AI) Microservice, Event-Driven, and Serverless...

Threat Modeling: 12 Available Methods

• SEI Blog
Nataliya Shevchenko

Almost all software systems today face a variety of threats, and the number of threats grows as technology changes. Malware that exploits software vulnerabilities grew 151 percent in the second quarter of 2018, and cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. Threats can come from outside or within organizations, and they can have devastating consequences. Attacks can disable systems entirely or lead to the leaking of sensitive information, which would diminish consumer trust in the system provider. To prevent threats from taking advantage of system flaws, administrators can use threat-modeling methods to inform defensive measures....

Scoping IT & OT Together When Assessing an Organization's Resilience

• Insider Threat Blog
Alexander Petrilli

The SEI engages with many organizations of various sizes and industries about their resilience. Those responsible for their organization's cybersecurity often tell us that their information technology (IT) and operational technology (OT) are too different to be assessed together. However, not accounting for both technologies could have serious implications to an organization's resilience. In this post I'll say why, and I'll describe the technology-agnostic tools the SEI uses to scope both IT and OT in resilience assessments....

Rapid Software Composition by Assessing Untrusted Components

• SEI Blog
Rick Kazman

Today, organizations build applications on top of existing platforms, frameworks, components, and tools; no one constructs software from scratch. Hence today's software development paradigm challenges developers to build trusted systems that include increasing numbers of largely untrusted components. Bad decisions are easy to make and have significant long-term consequences. For example, decisions based on outdated knowledge or documentation, or skewed to one criterion (such as performance) may lead to substantial quality problems, security risks, and technical debt over the life of the project. But there is typically a tradeoff between decision-making speed and confidence. Confidence increases with more experience, testing,...

Performing Text Analytics for Insider Threat Programs: Part 3 of 3

• Insider Threat Blog
Carrie Gardner

This blog series reviews topics in performing text analytics to support insider threat mitigation. This post presents a procedural framework for operationalizing this capability. It walks through the process of considering text analytics capability through putting it into practice. The blog also enumerates thought questions about whether to acquire a commercial textual analysis solution, repurpose an existing tool, or develop an in-house capability....

Translating Between Statistics and Machine Learning

• SEI Blog
Zachary Kurtz

Statistics and machine learning often use different terminology for similar concepts. I recently confronted this when I began reading about maximum causal entropy as part of a project on inverse reinforcement learning. Many of the terms were unfamiliar to me, but as I read closer, I realized that the concepts had close relationships with statistics concepts. This blog post presents a table of connections between terms that are standard in statistics and their related counterparts in machine learning....

An Analyst-Focused Approach to Network Traffic Analysis

• SEI Blog
Geoff Sanders

Earlier this year, a team of researchers from the SEI CERT Division's Network Situational Awareness Team (CERT NetSA) released an update (3.17.0) to the System for Internet-Level Knowledge (SiLK) traffic analysis suite, which supports the efficient collection, storage, and analysis of network flow data, enabling network security analysts to query large historical traffic data sets rapidly and scalably. As this post describes, our team also recently updated the Network Traffic Analysis with SiLK handbook to make it more analyst-focused and teach not only the toolset but also the tradecraft around using it....

Insider Threats in the Federal Government (Part 3 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Sarah Miller

The CERT National Insider Threat Center (NITC) Insider Threat Incident Corpus contains over 2,000 incidents, which, as Director Randy Trzeciak writes, acts as the "foundation for our empirical research and analysis." This vast data set shows us that insider incidents impact both the public and private sector, with federal government organizations being no exception. As Carrie Gardner introduced in the previous blog post in this series, federal government organizations fall under the NAICS Codes for the public administration category. Public administration, in this context, refers to a collection of organizations working primarily for the public benefit, including within national security....

Cost-Effective Software Security Assurance Workflows

• SEI Blog
Bill Nichols

Software developers are increasingly pressured to rapidly deliver cutting-edge software at an affordable cost. An increasingly important software attribute is security, meaning that the software must be resistant to malicious attacks. Software becomes vulnerable when one or more weaknesses can be exploited by an attacker to modify or access data, interrupt proper execution, or perform incorrect actions....

Data-Driven Management of Technical Debt

• SEI Blog
Ipek Ozkaya

This post was co-authored by Robert Nord. Technical debt communicates the tradeoff between the short-term benefits of rapid delivery and the long-term value of developing a software system that is easy to evolve, modify, repair, and sustain. Like financial debt, technical debt can be a burden or an investment. It can be a burden when it is taken on unintentionally without a solid plan to manage it; it can also be part of an intentional investment strategy that speeds up development, as long as there is a plan to pay back the debt before the interest swamps the principal....

Classifying Industry Sectors: Our New Approach to an Industry Sector Taxonomy (Part 2 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Carrie Gardner

As Randy Trzeciak mentioned in the first blog in this series, we are often asked about the commonalities of insider incidents for a particular sector. These questions invariably begin conversations about which sector-specific best practices and controls are best suited to address the common incident patterns faced by these organizations. To better address this question, we decided to update our model for coding industry sectors, or what classification system we use to organize the organizations in our insider threat database....

IPV6 Adoption: Is your ISP ready to support IPv6?

• SEI Blog
Joseph Mayes

If you're considering migrating to IPv6, you may be asking, Am I ready? That's a good question to ask, but you also have to ask, Is my ISP ready? If your Internet service provider (ISP) isn't ready for an IPv6 migration, you may have external web sites that won't load, problems receiving email, and many other issues. This post is the latest in a series examining issues, challenges, and best practices when transitioning from IPv4 to IPv6, whether at the enterprise level, the organizational level, or the home-user level. In this post, I present some points to help you know...

Is Compliance Compromising Your Information Security Culture?

• Insider Threat Blog
Jenny Moniz

Individual organizations spend millions per year complying with information security mandates, which tend to be either too general or too specific. However, organizations focusing solely on compliance miss the opportunity to strengthen their information security culture. This blog post will explain the benefits of information security culture and demonstrate how compliance with information security mandates may prevent organizations from achieving their full information security culture potential....

Emerging Opportunities in Modularity and Open Systems Architectures

• SEI Blog
Nickolas Guertin

This post is also co-authored by Douglas C. Schmidt and William Scherlis. In its effort to increase the capability of the warfighter, the Department of Defense (DoD) has made incremental changes in its acquisition practices for building and deploying military capacity. This capacity can be viewed as "platforms" (tanks, ships, aircraft, etc.) and the mission system "payloads" (sensors, command and control, weapons, etc.) that are populated onto those platforms to deliver the desired capability. This blog post, the first in a series excerpted from a recently published paper, explores opportunities in modularity and open systems architectures with the aim of...

Insider Threat Incident Analysis by Sector (Part 1 of 9)

• Insider Threat Blog
Randy Trzeciak

Hello, I am Randy Trzeciak, Director of the CERT National Insider Threat Center (NITC). I would like to welcome you to the NITC blog series on insider threat incidents within various sectors. In this first post, I (1) describe the purpose of the series and highlight what you can expect to see during the series, and (2) review the NITC insider threat corpus, which is the foundation for our empirical research and analysis. Join us over this nine-part series as we explore in-depth specific issues pertaining to insider threat. We hope you will follow along, and we encourage you to...

Best Practices in Network Traffic Analysis: Three Perspectives

• SEI Blog
Angela Horneman

This post is also authored by Tim Shimeall and Timur Snoke. In July of this year, a major overseas shipping company had its U.S. operations disrupted by a ransomware attack, one of the latest attacks to disrupt the daily operation of a major, multi-national organization. Computer networks are complex, often tightly coupled systems; operators of such systems need to maintain awareness of the system status or disruptions will occur. In today's operational climate, threats and attacks against network infrastructures have become far too common. At the SEI's CERT Division Situational Awareness team, we work with organizations and large enterprises, many...

How CERT-RMM and NIST Security Controls Help Protect Data Privacy and Enable GDPR Compliance, Part 1: Identifying Personally Identifiable Information

• Insider Threat Blog
Anne Connell

The costs of the steady stream of data breaches and attacks on sensitive and confidential data continue to rise. Organizations are responding by making data protection a critical component of their leadership and governance strategies. The European Union's recent General Data Protection Regulation (GDPR) adds layers of complexity to protecting the data of individuals in the EU and European Economic Area. Organizations are struggling to understand GDPR's requirements, much less become compliant. In this series of blog posts, I'll describe how to use the CERT Resilience Management Model (CERT-RMM) to approach GDPR compliance and, more fundamentally, data privacy....

Decisions for Sustaining a Software Product Line

• SEI Blog
Robert Ferguson

A software product line is a collection of related products with shared software artifacts and engineering services that has been developed by a single organization intended to serve different missions and different customers. In industry, product lines provide both customer benefits (such as functionality, quality, and cost) and development organization benefits (such as time to market and price-margin). Moreover, these benefits last through multiple generations of products. This blog is the first in a series of three posts on sustaining product lines in terms of required decisions and potential benefits of proposed approaches. In this post, I identify the potential...

New SEI CERT Tool Extracts Artifacts from Free Text for Incident Report Analysis

• CERT/CC Blog
Matthew Sisk

This post is co-authored with Sam Perl. The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University recently released the Cyobstract Python library as an open source tool. You can use it to quickly and efficiently extract artifacts from free text in a single report, from a collection of incident reports, from threat assessment summaries, or any other textual source....

SCALe: A Tool for Managing Output from Static Analysis Tools

• SEI Blog
Lori Flynn

Experience shows that most software contains code flaws that can lead to vulnerabilities. Static analysis tools used to identify potential vulnerabilities in source code produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in this blog post, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool, as we have researched and prototyped methods to help analysts be more efficient and effective at auditing static analysis alerts. In August 2018 we released a version of SCALe to the public (open-source via Github)....

Challenges Facing Insider Threat Programs and Hub Analysts: Part 2 of 2

• Insider Threat Blog
Jason W. Clark

In the first post in this two-part series, we covered five unique challenges that impact insider threat programs and hub analysts. The challenges included lack of adequate training, competing interests, acquiring data, analyzing data, and handling false positives. As you read the new challenges introduced in this post, ask yourself the same questions: 1) How many of these challenges are ones you are facing today? 2) Are there challenges in this list that lead to an "aha" moment? 3) Are there challenges you are facing that did not make the list? 4) Do you need assistance with combating any of...

Scope vs. Frequency in Defining a Minimum Viable Capability Roadmap: Part 2 of 3

• SEI Blog
Bob Binder

As Soon as Possible

In the first post in this series, I introduced the concept of the Minimum Viable Capability (MVC). While the intent of the Minimum Viable Product (MVP) strategy is to focus on rapidly developing and validating only essential product features, MVC adapts this strategy to systems that are too large, too complex, or too critical for MVP. MVC is a scalable approach to validating a system of capabilities, each at the earliest possible time. Capability scope is limited (minimum) so that it may be produced as soon as possible. For MVP, as soon as possible is often...

Engaging the CSIRT Community: Cyber Capacity Building on a Global Scale

• SEI Blog
Angel Luis Hueca

At the 2018 World Economic Forum, global leaders voiced concerns about the growing trend of cyberattacks targeting critical infrastructure and strategic industrial sectors, citing fears of a worst-case scenario that could lead to a breakdown of the systems that keep societies functioning. A painful example was the May 2017 WannaCry ransomware attack in which a worm rapidly spread through a number of computer networks, affecting more than 150 countries and more than 400,000 endpoints. One of the largest victims of the WannaCry attack was the National Health Service in England and Scotland, where up to 70,000 computers, MRI scanners, and...

Cybersecurity Architecture, Part 2: System Boundary and Boundary Protection

• Insider Threat Blog
Jason Fricke

This post was also authored by Andrew Hoover. In Cybersecurity Architecture, Part 1: Cyber Resilience and Critical Service, we talked about the importance of identifying and prioritizing critical or high-value services and the assets and data that support them. In this post, we'll introduce our approach for reviewing the security of the architecture of information systems that deliver or support these services. We'll also describe our review's first areas of focus: System Boundary and Boundary Protection....

Obsidian: A New, More Secure Programming Language for Blockchain

• SEI Blog
Eliezer Kanal

Billions of dollars in venture capital, industry investments, and government investments are going into the technology known as blockchain. It is being investigated in domains as diverse as finance, healthcare, defense, and communications. As blockchain technology has become more popular, programming-language security issues have emerged that pose a risk to the adoption of cryptocurrencies and other blockchain applications. In this post, I describe a new programming language, Obsidian, which we at the SEI are developing in partnership with Carnegie Mellon University (CMU) for writing secure smart contracts on blockchain platforms....

Challenges Facing Insider Threat Programs and Hub Analysts: Part 1 of 2

• Insider Threat Blog
Jason W. Clark

The purpose of this two-part blog series is to discuss five challenges that often plague insider threat programs and more specifically the analysts that are working in insider threat hubs. I am in a unique position to discuss this area because I have many years of experience working directly with operational insider threat programs of varying maturity levels. Thus I have a front-row vantage point to understand the challenges that analysts face on a daily basis. In this blog post, I will discuss some of the key challenges and associated recommendations (e.g., quick wins) facing many organizations....

Life Beyond Microsoft EMET

• CERT/CC Blog
Will Dormann

Approximately eight years ago (September 2010), Microsoft released EMET (Enhanced Mitigation Experience Toolkit) 2.0. In the world of software defenders, there was much rejoicing. EMET allows users to not be at the mercy of their software vendors when it comes to opting in to vulnerability exploit mitigations. As we fast-forward to November 2016, Microsoft released a blog post called Moving Beyond EMET, which announced the end-of-life (EOL) date of EMET and explained why Windows 10 makes EMET unnecessary. I took issue with this blog post, primarily because, at that time, Windows 10 could NOT provide opt-in, application-specific protections like EMET...

Three Approaches to Adding Flexibility in Software Sustainment Contracting

• SEI Blog
Julie Cohen

This post was co-authored by Cecilia Albert and Harry Levinson. At the SEI we have been involved in many programs where the intent is to increase the capability of software systems currently in sustainment. We have assisted government agencies who have implemented some innovative contracting and development strategies that provide benefits to those programs. The intent of the blog is to explain three approaches that could help others in the DoD or federal government agencies who are trying to add additional capability to systems that are currently in sustainment. Software sustainment activities can include correcting known flaws, adding new capabilities,...

Improving Cybersecurity Governance via CSF Activity Clusters

• Insider Threat Blog
Dan Kambic

The National Institute for Science and Technology (NIST) recently released version 1.1 of its Cybersecurity Framework (CSF). Organizations around the world--including the federal civilian government, by mandate--use the CSF to guide key cybersecurity activities. However, the framework's 108 subcategories can feel daunting. This blog post describes the Software Engineering Institute's recent efforts to group the 108 subcategories into 15 clusters of related activities, making the CSF more approachable for typical organizations. The post also gives example scenarios of how organizations might use the CSF Activity Clusters to facilitate more effective cybersecurity decision making....

Decision-Making Factors for Selecting Application Security Testing Tools

• SEI Blog
Thomas Scanlon

In the first post in this series, I presented 10 types of application security testing (AST) tools and discussed when and how to use them. In this post, I will delve into the decision-making factors to consider when selecting an AST tool and present guidance in the form of lists that can easily be referenced as checklists by those responsible for application security testing....

IPv6 Adoption: 4 Questions and Answers

• SEI Blog
Joseph Mayes

IPv6 deployment is on the rise. Google reported that as of July 14, 2018, 23.94 percent of users accessed its site via IPv6, up 6.16 percent from that same date in 2017. Drafted in 1998 and an Internet Standard as of July 2017, Internet Protocol 6 (IPv6) is intended to replace IPv4 in assigning devices on the internet a unique identity. Plans for IPv6 got underway after it was realized that IPv4's cap of 4.3 billion addresses would not be sufficient to cover the number of devices accessing the internet. This blog post is the first in a series aimed...

Foundational Research Behind Text Analytics for Insider Threat: Part 2 of 3

• Insider Threat Blog
Carrie Gardner

In this blog series, I review topics related to deploying a text analytics capability for insider threat mitigation. In this segment, I continue the conversation by disambiguating terminology related to text analysis, summarizing methodological approaches for developing text analytics tools, and justifying how this capability can supplement an existing capability to monitor insider threat risk. In my next post, Acquiring or Deploying a Text Analytics Solution, I will discuss how organizations can think through the process of procuring or developing a custom in-house text analytics solution....

Introducing the Minimum Viable Capability Strategy

• SEI Blog
Bob Binder

It's common for large-scale cyber-physical systems (CPS) projects to burn huge amounts of time and money with little to show for it. As the minimum viable product (MVP) strategy of fast and focused stands in sharp contrast to the inflexible and ponderous product planning that has contributed to those fiascos, MVP has been touted as a useful corrective. The MVP strategy has become fixed in the constellation of Agile jargon and practices. However, trying to work out how to scale MVP for large and critical CPS, I found more gaps than fit. This is the first of three blog posts...

When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults

• CERT/CC Blog
Will Dormann

As a vulnerability analyst at the CERT Coordination Center, I am interested not only in software vulnerabilities themselves, but also exploits and exploit mitigations. Working in this field, it doesn't take too long to realize that there will never be an end to software vulnerabilities. That is to say, software defects are not going away. For this reason, software exploit mitigations are usually much more valuable than individual software fixes. Being able to mitigate entire classes of software vulnerabilities is a powerful capability. One of the reasons why we strongly promote mitigation tools like EMET or Windows Defender Exploit Guard,...

Security Begins at the Home Router

• SEI Blog
Vijay Sarvepalli

In recent days, the VPNFilter malware has attracted attention, much of it in the wake of a May 25 public service announcement from the FBI, as well as a number of announcements from vendors and security companies. In this blog post, I examine the VPNFilter malware attack by analyzing the vulnerabilities at play, how they were exploited, and the impact on the Internet. I also outline recommendations for the next generation of small Internet of Things (IoT) device manufacturers, including home routers, which were the target of VPNFilter malware. Because this post also emphasizes the prioritization of vulnerabilities that have...

How to Identify Key Causal Factors That Influence Software Costs: A Case Study

• SEI Blog
Bill Nichols

DoD programs continue to experience cost overruns; the inadequacies of cost estimation were cited by the Government Accountability Office (GAO) as one of the top problem areas. A recent SEI blog post by my fellow researcher Robert Stoddard, Why Does Software Cost So Much?, explored SEI work that is aimed at improving estimation and management of the costs of software-intensive systems. In this post, I provide an example of how causal learning might be used to identify specific causal factors that are most responsible for escalating costs....

4 Technical Methods for Improving Phishing Defense

• Insider Threat Blog
Brian Chamberlain

According to the Verizon 2018 Data Breach Investigations Report, email was an attack vector in 96% of incidents and breaches that involved social actions (manipulation of people as a method of compromise). The report also says an average of 4% of people will fall for any given phish, and the more phishing emails they have clicked, the more likely they are to click again. The mantra of "more user training" may be helping with the phishing problem, but it isn't solving it. In this blog post, I will cover four technical methods for improving an organization's phishing defense. These methods...

Certifiable Distributed Runtime Assurance in Cyber-Physical Systems

• SEI Blog
Dionisio de Niz

Runtime assurance (RA) has become a promising technique for ensuring the safe behavior of autonomous systems (such as drones or self-driving vehicles) whose behavior cannot be fully determined at design time. The Department of Defense (DoD) is increasingly focusing on the use of complex, non-deterministic systems to address rising software complexity and the use of machine learning techniques. In this environment, assuring software correctness has become a major challenge, especially in uncertain and contested environments. This post highlights work by a team of SEI researchers to create tools and techniques that will ensure the safety of distributed cyber-physical systems....

10 Types of Application Security Testing Tools: When and How to Use Them

• SEI Blog
Thomas Scanlon

Bugs and weaknesses in software are common: 84 percent of software breaches exploit vulnerabilities at the application layer. The prevalence of software-related problems is a key motivation for using application security testing (AST) tools. With a growing number of application security testing tools available, it can be confusing for information technology (IT) leaders, developers, and engineers to know which tools address which issues. This blog post, the first in a series on application security testing tools, will help to navigate the sea of offerings by categorizing the different types of AST tools available and providing guidance on how and when...

Deep Learning, Cyber Intelligence, Managing Privacy and Security, and Network Traffic Analysis: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in deep learning, cyber intelligence, interruption costs, digital footprints on social networks, managing privacy and security, and network traffic analysis. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website....

Agile Strategy: Short-Cycle Strategy Development and Execution

• SEI Blog
Linda Parker Gates

When the rate of change inside an institution becomes slower than the rate of change outside, the end is in sight. - Jack Welch

In a world of agile everything, agile concepts are being applied in areas well beyond software development. At the NDIA Agile in Government Summit held in Washington, D.C. in June, Dr. George Duchak, the Deputy Assistant Secretary of Defense for Cyber, Command & Control, Communications & Networks, and Business Systems, spoke about the importance of agility to organizational success in a volatile, uncertain, complex, and ambiguous world. Dr. Duchak told the crowd that agile software development...

OCTAVE® FORTE and FAIR Connect Cyber Risk Practitioners with the Boardroom

• Insider Threat Blog
Brett Tucker

Editor's note: This blog post first appeared on the FAIR Institute Blog. Organizations with a mix of cutting-edge technologies and legacy systems need adaptable, agile frameworks that provide executives with a real-time view of cyber risks. They also need tools and processes to ensure that everyone from executives to practitioners practice sound, consistent risk management....

SATURN 2018 Awards Conferred

• Insider Threat Blog
Tamara Marshall-Keim

The 14th SATURN Conference was held in Plano, Texas, on May 7-10, 2018, with attendees representing 74 organizations and 17 countries. This subset of the SATURN Community shared their ideas, insights, and experiences about effective software architecture practices for developing and maintaining software-intensive systems while also having some fun at the SATURN Celebration reception with armadillo racing and a game of giant cornhole (because everything is bigger in Texas). The conference began with three one-day SEI courses: Cloud Computing: An Architecture-Centric View, by John Klein; Essential Microservice Architecture, by Paulo Merson; and Launching and Sustaining Agile Architecture, by Ipek Ozkaya....
