SEI Insights

Recent Posts

By Douglas Gray
Information Security Engineer
CERT Division

In leveraging threat intelligence, the operational resilience practitioner need not create a competing process independent of other frameworks the organization is leveraging. In fact, the use of intelligence products in managing operational resilience is not only compatible with many existing frameworks but is, in many cases, inherent. While it is beyond the scope of this blog to provide an in-depth discussion of some of the more widely used operational resilience measurement and decision-making best practices--including the CERT® Resilience Management Model (CERT-RMM), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro methodology, the NIST Risk Management Framework (RMF), Agile, and the Project Management Body of Knowledge (PMBOK)--this blog post, the second in a series, provides a discussion of how to operationalize intelligence products to build operational resilience of organizational assets and services.

Developing with Otto: A First Look

By Aaron Volkmann
Senior Research Engineer
CERT Division

You will be hard pressed to find a DevOps software development shop that doesn't employ Vagrant to provision their local software development environments during their development phase. In this blog post, I introduce a tool called Otto, by HashiCorp, the makers of Vagrant.

CVSS and the Internet of Things

There has been a lot of press recently about security in Internet of Things (IoT) devices and other non-traditional computing environments. Many of the most talked-about presentations at this year's Black Hat and DefCon events were about hacking IoT devices. At the CERT/CC, we coordinate information about and discover vulnerabilities in various devices, and the number of vulnerabilities keeps growing.

One thing that I've personally been researching is finding vulnerabilities in vehicles. In recent weeks, even non-technical friends and family have asked me about the Jeep vulnerability, the Mobile Devices C4, Rolljam, Tesla, and other recent car-related vulnerabilities. These attacks are novel not because of the technical details, but because of the attack vectors and impact, which differ dramatically from those in traditional IT resources.

Handling Threats from Disgruntled Employees

Disgruntled employees can be a significant risk to any organization because they can have administrative privileges and access to systems that are necessary for the daily operation of the organization. These disgruntled employees can be identified and monitored, but without knowing what types of outcomes disgruntled insiders might accomplish, monitoring can become strenuous and overbearing.

Hi, I'm Richard Bavis, Insider Threat Graduate Intern at the CERT Insider Threat Center. In this blog post, I will discuss the top three outcomes of an attack conducted by a disgruntled insider to provide you with better insight into situations that could lead to an attack. By looking at these situations and outcomes, you and your organization will be able to better handle the possible threats of a disgruntled employee.

New This Year at SATURN: DEV@SATURN Talks

A DEV(Design, Engineering, Vision)@SATURN talk is similar to a TED talk and concisely shares a single breakthrough technique, lesson, or experience in a passionate and inspiring way. We have a few slots available for these presentations at SATURN 2016.

DEV@SATURN talks will be particularly story-based with lots of colorful images, simple charts, videos, and other visual props. They will be short: you have a maximum of 15 minutes, which will force you to focus on only what matters. Speaker delivery is critical; audiences will react equally to the message and the messenger. It will help to watch a couple of TED talks to get a sense of the style. Remember, there will be a select few of these sessions in the technical program, so submit a proposal for this session type only if you believe you have the right topic and delivery style to delight your SATURN community.

Your DEV@SATURN talk will really ignite your audience when you focus on using stories and pictures. The 4D outline is a great tool to help you think about your purpose for each point and how you want to convey that point. With this tool, you can create an exciting presentation that drives home what you want your audience to remember.

We look forward to seeing your proposals!

The 12th SEI Architecture Technology User Network (SATURN) Conference 2016 will be held at the Sheraton San Diego Hotel & Marina in San Diego, California, May 2-5, 2016.

The SATURN 2016 Call for Submissions is now open.



Timely insights about vulnerabilities, network situational awareness, and research in the security field offered by CERT Division researchers.


Technical guidelines and practical advice for DevOps. Posts cover issues relating to understanding and achieving successful DevOps including cultural shifts, barriers to collaboration, continuous integration, continuous deployment, and automation.

Insider Threat

Advice and best practices for organizations wanting to help better deter, detect, and respond to evolving insider threats.


The SEI Architecture Technology User Network’s blog covers topics relating to software architecture and connects the professional network of software, systems, and enterprise architects from around the world, representing industry, academia, and government.

SEI Blog

Ongoing and exploratory research on topics that include secure coding, malware analysis, testing, organizational planning, agile software development, big data, quality assurance, cloud computing, and software sustainment across the lifecycle.