As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in secure coding, CERT Resilience Management Model, malicious-code reverse engineering, systems engineering, and incident management. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

Improving the Automated Detection and Analysis of Secure Coding Violations
By Daniel Plakosh, Robert C. Seacord, Robert W. Stoddard, David Svoboda, and David Zubrow

Coding errors cause the majority of software vulnerabilities. For example, 64% of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors. The CERT Division's Source Code Analysis Laboratory (SCALe) offers conformance testing of C language software systems against the CERT C Secure Coding Standard and the CERT Oracle Secure Coding Standard for Java, using various analysis tools available from commercial software vendors. Unfortunately, the current SCALe analysis process and tools do not collect any statistics about the accuracy of the code analysis tools or about the coding violations they flag, such as frequency of occurrence. This paper describes the approach used to add the ability to collect and statistically analyze data regarding coding violations and tool characteristics along with the initial results. The collected data will be used over time to improve the effectiveness of the SCALe analysis.
Download the PDF

CERT Resilience Management Model (CERT-RMM) V1.1: NIST Special Publication Crosswalk Version 2
By Kevin G. Partridge, Mary Popeck, and Lisa R. Young

The CERT Resilience Management Model (CERT-RMM) allows organizations to determine how their current practices support their desired levels of process maturity and improvement. This technical note maps CERT-RMM process areas to certain National Institute of Standards and Technology (NIST) special publications in the 800 series. It aligns the tactical practices suggested in the NIST publications to the process areas that describe management of operational resilience at a process level. This technical note is an extension of the CERT-RMM Code of Practice Crosswalk, Commercial Version (CMU/SEI-2011-TN-012) and an update to the CERT Resilience Management Model (CERT-RMM) V1.1: NIST Special Publication Crosswalk Version 1 (CMU/SEI-2011-TN-028).
Download the PDF

Job Analysis Results for Malicious-Code Reverse Engineers: A Case Study
By Jennifer Cowley

Recently, government and news media publications have noted that a large-scale military cyberattack against the United States will be crippling primarily because of the existing personnel shortages and expertise gaps in the cybersecurity workforce. One critical job role within cyber defense teams is the malicious-code reverse engineer who deconstructs malicious code to understand, at the binary level, how the malware behaves on a network. Given the severe staffing shortages of these engineers, efforts to identify individual traits and characteristics that predict the development of expertise is important. Currently, job analysis research on teams of malicious-code reverse engineers is lacking. Therefore, a job analysis was conducted to identify individual factors (e.g., cognitive abilities, knowledge, and skills) and team factors (e.g., team leadership, decision making) that enable, encumber, or halt the development of malicious-code reverse engineering expertise. A 10-member malicious-code reverse engineering team was interviewed using a contextual inquiry/semi-structured interview hybrid technique to collect job analysis information. Performance factors were inferred based on the raw interview data.

The results indicate that expert performance requires other non-domain-specific knowledge and skills (e.g., performance monitoring, oral and written communication skills, teamwork skills) that enable successful performance. Expert performance may be enabled by personality factors (i.e., conscientiousness) and cognitive abilities (i.e., working memory capacity). Attributes of successful novices were also collected. Subsequent research will empirically validate that these factors predict the development of expertise. Training and operations implications for this research are also detailed.
Download the PDF

The Business Case for Systems Engineering: Comparison of Defense Domain and Non-defense Projects
By Joseph P. Elm and Dennis Goldensen

This report summarizes analysis of data collected from the 2011 Systems Engineering (SE) Effectiveness Survey performed by the National Defense Industrial Association Systems Engineering Division, the Institute of Electrical and Electronics Engineers Aerospace and Electronic Systems Society, and the SEI. This analysis examined the differences in the deployment and impact of SE activities between defense-domain projects and non-defense projects. The analysis found significant differences in both the deployment of SE in the two domains and the effectiveness of the SE. The report identifies specific process areas where effectiveness in one domain is noticeably higher than in the other. Further research to understand these differences will benefit both domains by enabling them to share best practices.
Download the PDF

An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)
By Christopher J. Alberts, Audrey J. Dorofee, Robin Ruefle, and Mark Zajicek

An incident management (IM) function is responsible for performing the broad range of activities associated with managing computer security events and incidents. For many years, the SEI's CERT Division has developed practices for building and sustaining IM functions in government and industry organizations worldwide. Based on their field experiences over the years, CERT researchers identified a community need for a time-efficient means of assessing an IM function. The Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC) is designed to address this need. The MRD-IMC is a risk-based approach for assessing the extent to which an IM function is in position to achieve its mission and objectives. Analysts applying the MRD-IMC evaluate a set of systemic risk factors (called drivers) to aggregate decision-making data and provide decision makers with a benchmark of an IM function's current state. The resulting gap between the current and desired states points to specific areas where additional investment is warranted. The MRD-IMC can be viewed as a first-pass screening (i.e., a "health check") or high-level diagnosis of conditions that enable and impede the successful completion of the IM function's mission and objectives. This technical note provides an overview of the MRD-IMC method.
Download the PDF

Additional Resources

For the latest SEI technical reports and notes, please visit
http://resources.sei.cmu.edu/library/.