Secure Development
Blog Posts
Taking Up the Challenge of Open Source Software Security in the DoD

This post describes a workshop hosted by the SEI to start a conversation about elevating the trustworthiness of free and open source software, particularly in DoD settings.
• By Scott Hissam
In Secure Development

11 Leading Practices When Implementing a Container Strategy
While containers are frequently lauded in the latest software development trends, moving away from virtual machines and deploying an organization-wide container strategy remains non-trivial.
• By Andrew Mellinger, William Nichols, Jay Palat
In Secure Development

Release of SCAIFE System Version 2.0.0 Provides Support for Continuous-Integration (CI) Systems
Key features in the new release of SCAIFE System Version 2.0.0, including support for continuous-integration (CI) systems, and the status of evolving SEI SCAIFE work.
• By Lori Flynn
In Secure Development

A Technique for Decompiling Binary Code for Software Assurance and Localized Repair
The DoD has a significant amount of software available only in binary form. It is impractical to ensure that this software is free from vulnerabilities and malicious code.
• By Will Klieber
In Secure Development

Anti-Tamper for Software Components
This post explains how to identify software components within systems that are in danger of being exploited and that should be protected by anti-tamper practices.
• By Scott Hissam
In Secure Development

A Public Repository of Data for Static-Analysis Classification Research
This blog post describes a new repository of labeled data that CERT is making publicly available for many code-flaw conditions. Researchers can use this dataset along with the associated code …
• By Lori Flynn
In Secure Development

Automated Code Repair to Ensure Memory Safety
Memory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS …
• By Will Klieber
In Secure Development

An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts
In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts.
• By Lori Flynn, Ebonie McNeil
In Secure Development

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications
The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT) …
• By David Svoboda
In Secure Development

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things
The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity …
• By David Svoboda
In Secure Development
