SEI Blog | Secure Development
Feed: https://insights.sei.cmu.edu/feeds/topic/secure-development/atom/?utm_source=blog&utm_medium=rss
Updated: 2023-11-06
Updates on changes and additions to the SEI Blog for posts matching Secure Development.

The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain (2023-11-06), by Christopher Alberts, Michael Bandor, Charles Wallen, Carol Woody
https://insights.sei.cmu.edu/blog/the-sei-sbom-framework-informing-third-party-software-management-in-your-supply-chain/
This post presents a framework to promote the use of SBOMs and establish practices and processes that organizations can leverage as they build their programs.

Rust Vulnerability Analysis and Maturity Challenges (2023-01-23), by Garret Wassermann, David Svoboda
https://insights.sei.cmu.edu/blog/rust-vulnerability-analysis-and-maturity-challenges/
This post explores tools for understanding vulnerabilities in the Rust programming language, as well as the maturity of the Rust software ecosystem as a whole and how that might impact future security responses.

Rust Software Security: A Current State Assessment (2022-12-12), by Joe Sible, David Svoboda
https://insights.sei.cmu.edu/blog/rust-software-security-a-current-state-assessment/
This post examines security issues with the Rust programming language.

Taking Up the Challenge of Open Source Software Security in the DoD (2022-08-15), by Scott Hissam
https://insights.sei.cmu.edu/blog/taking-up-the-challenge-of-open-source-software-security-in-the-dod/
This post describes a workshop hosted by the SEI to start a conversation to elevate the trustworthiness of free and open source software, particularly in DoD settings.

11 Leading Practices When Implementing a Container Strategy (2021-11-08), by Andrew Mellinger, William Nichols, Jay Palat
https://insights.sei.cmu.edu/blog/11-leading-practices-when-implementing-a-container-strategy/
While containers are frequently lauded in the latest software development trends, switching from virtual machines and deploying an organization-wide container strategy remains non-trivial.

Release of SCAIFE System Version 2.0.0 Provides Support for Continuous-Integration (CI) Systems (2021-10-25), by Lori Flynn
https://insights.sei.cmu.edu/blog/release-of-scaife-system-version-200-provides-support-for-continuous-integration-ci-systems/
Key features in the new release of SCAIFE System Version 2.0.0, including support for continuous-integration (CI) systems, and the status of evolving SEI SCAIFE work.

A Technique for Decompiling Binary Code for Software Assurance and Localized Repair (2021-10-11), by William Klieber
https://insights.sei.cmu.edu/blog/a-technique-for-decompiling-binary-code-for-software-assurance-and-localized-repair/
The DoD has a significant amount of software available only in binary form. It is impractical to ensure that this software is free from vulnerabilities and malicious code.

Anti-Tamper for Software Components (2021-06-21), by Scott Hissam
https://insights.sei.cmu.edu/blog/anti-tamper-for-software-components/
This post explains how to identify software components within systems that are in danger of being exploited and that should be protected by anti-tamper practices.

A Public Repository of Data for Static-Analysis Classification Research (2020-11-02), by Lori Flynn
https://insights.sei.cmu.edu/blog/public-repository-data-static-analysis-classification-research/
This blog post describes a new repository of labeled data that CERT is making publicly available for many code-flaw conditions. Researchers can use this dataset along with the associated code and tool output to monitor and test the performance of their automated classification of meta-alerts.

Automated Code Repair to Ensure Memory Safety (2020-02-24), by William Klieber
https://insights.sei.cmu.edu/blog/automated-code-repair-to-ensure-memory-safety/
Memory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS....

An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts (2019-07-22), by Lori Flynn, Ebonie McNeil
https://insights.sei.cmu.edu/blog/an-application-programming-interface-for-classifying-and-prioritizing-static-analysis-alerts/
In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts.

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications (2019-04-01), by David Svoboda
https://insights.sei.cmu.edu/blog/how-to-use-static-analysis-to-enforce-sei-cert-coding-standards-for-iot-applications/
The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT)....

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things (2019-02-11), by David Svoboda
https://insights.sei.cmu.edu/blog/using-the-sei-cert-coding-standards-to-improve-security-of-the-internet-of-things/
The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity....

SCALe v. 3: Automated Classification and Advanced Prioritization of Static Analysis Alerts (2018-12-17), by Lori Flynn, Ebonie McNeil
https://insights.sei.cmu.edu/blog/scale-v-3-automated-classification-and-advanced-prioritization-of-static-analysis-alerts/
Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer must....

IPV6 Adoption: Is your ISP ready to support IPv6? (2018-10-22), by Joseph Mayes
https://insights.sei.cmu.edu/blog/ipv6-adoption-is-your-isp-ready-to-support-ipv6/
This SEI Blog post examines best practices for transitioning to IPv6 and presents points to help determine whether your current ISP can support IPv6 ambitions.

SCALe: A Tool for Managing Output from Static Analysis Tools (2018-09-24), by Lori Flynn
https://insights.sei.cmu.edu/blog/scale-a-tool-for-managing-output-from-static-analysis-tools/
Experience shows that most software contains code flaws that can lead to vulnerabilities. Static analysis tools used to identify potential vulnerabilities in source code produce....

Obsidian: A New, More Secure Programming Language for Blockchain (2018-09-04), by Eliezer Kanal
https://insights.sei.cmu.edu/blog/obsidian-a-new-more-secure-programming-language-for-blockchain/
Billions of dollars in venture capital, industry investments, and government investments are going into the technology known as blockchain....

Decision-Making Factors for Selecting Application Security Testing Tools (2018-08-20), by Tom Scanlon
https://insights.sei.cmu.edu/blog/decision-making-factors-for-selecting-application-security-testing-tools/
In the first post in this series, I presented 10 types of application security testing (AST) tools and discussed when and how to use them....

IPv6 Adoption: 4 Questions and Answers (2018-08-13), by Joseph Mayes
https://insights.sei.cmu.edu/blog/ipv6-adoption-4-questions-and-answers/
IPv6 deployment is on the rise. Google reported that as of July 14, 2018, 23.94 percent of users accessed its site via IPv6, up 6.16 percent from that same date in 2017....

Test Suites as a Source of Training Data for Static Analysis Alert Classifiers (2018-04-30), by Lori Flynn, Zachary Kurtz
https://insights.sei.cmu.edu/blog/test-suites-as-a-source-of-training-data-for-static-analysis-alert-classifiers/
Numerous tools exist to help detect flaws in code. Some of these are called flaw-finding static analysis (FFSA) tools because they identify flaws by analyzing code without running it....