SEI Insights

Recent Posts

Is Java More Secure than C?


By David Svoboda
Senior Member of the Technical Staff
CERT Division

Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When we began writing the SEI CERT Oracle Coding Standard for Java, we thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. We naively assumed that a more secure language would need fewer rules than a less secure one. However, Java has 168 coding rules compared to just 116 for C. Why? Was our (admittedly simplistic) assumption completely spurious? Or, are there problems with our C or Java rules? Or, are Java programs, on average, just as susceptible to vulnerabilities as C programs? In this post, I attempt to analyze our CERT rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.

Developing with Otto: A First Look


By Aaron Volkmann
Senior Research Engineer
CERT Division

You will be hard-pressed to find a DevOps software development shop that doesn't employ Vagrant to provision its local software development environments during the development phase. In this blog post, I introduce a tool called Otto, by HashiCorp, the makers of Vagrant.

CVSS and the Internet of Things


There has been a lot of press recently about security in Internet of Things (IoT) devices and other non-traditional computing environments. Many of the most talked-about presentations at this year's Black Hat and DEF CON events were about hacking IoT devices. At the CERT/CC, we coordinate information about, and discover, vulnerabilities in a wide range of devices, and the number of such vulnerabilities keeps growing.

One thing that I've personally been researching is finding vulnerabilities in vehicles. In recent weeks, even non-technical friends and family have asked me about the Jeep vulnerability, the Mobile Devices C4, Rolljam, Tesla, and other recent car-related vulnerabilities. These attacks are novel not because of the technical details, but because of the attack vectors and impact, which differ dramatically from those in traditional IT resources.

Handling Threats from Disgruntled Employees


Disgruntled employees can be a significant risk to any organization because they may hold administrative privileges and access to systems that are necessary for the organization's daily operation. Such employees can be identified and monitored, but without knowing what outcomes disgruntled insiders might pursue, monitoring can become strenuous and overbearing.

Hi, I'm Richard Bavis, Insider Threat Graduate Intern at the CERT Insider Threat Center. In this blog post, I will discuss the top three outcomes of an attack conducted by a disgruntled insider to provide you with better insight into situations that could lead to an attack. By looking at these situations and outcomes, you and your organization will be able to better handle the possible threats of a disgruntled employee.

New This Year at SATURN: DEV@SATURN Talks


A DEV (Design, Engineering, Vision)@SATURN talk is similar to a TED talk: it concisely shares a single breakthrough technique, lesson, or experience in a passionate and inspiring way. We have a few slots available for these presentations at SATURN 2016.

DEV@SATURN talks will be strongly story-based, with lots of colorful images, simple charts, videos, and other visual props. They will be short: you have a maximum of 15 minutes, which will force you to focus on only what matters. Speaker delivery is critical; audiences will react equally to the message and the messenger. It will help to watch a couple of TED talks to get a sense of the style. Remember, there will be only a select few of these sessions in the technical program, so submit a proposal for this session type only if you believe you have the right topic and delivery style to delight your SATURN community.

Your DEV@SATURN talk will really ignite your audience when you focus on using stories and pictures. The 4D outline is a great tool to help you think about your purpose for each point and how you want to convey that point. With this tool, you can create an exciting presentation that drives home what you want your audience to remember.

We look forward to seeing your proposals!

The 12th SEI Architecture Technology User Network (SATURN) Conference 2016 will be held at the Sheraton San Diego Hotel & Marina in San Diego, California, May 2-5, 2016.

The SATURN 2016 Call for Submissions is now open.

Timely insights about vulnerabilities, network situational awareness, and research in the security field offered by CERT Division researchers.


Technical guidelines and practical advice for DevOps. Posts cover issues relating to understanding and achieving successful DevOps, including cultural shifts, barriers to collaboration, continuous integration, continuous deployment, and automation.

Insider Threat

Advice and best practices for organizations wanting to help better deter, detect, and respond to evolving insider threats.


The SEI Architecture Technology User Network’s blog covers topics relating to software architecture and connects the professional network of software, systems, and enterprise architects from around the world, representing industry, academia, and government.

SEI Blog

Ongoing and exploratory research on topics that include secure coding, malware analysis, testing, organizational planning, agile software development, big data, quality assurance, cloud computing, and software sustainment across the lifecycle.