11 Leading Practices When Implementing a Container Strategy

While containers are frequently lauded in the latest software development trends, switching from using virtual machines and deploying an organization-wide container strategy remains non-trivial.

Read More

November 8, 2021 • By Andrew Mellinger, William Nichols, Jay Palat

In Secure Development

Release of SCAIFE System Version 2.0.0 Provides Support for Continuous-Integration (CI) Systems

Key features in new release of SCAIFE System Version 2.0.0 including support for continuous-integration (CI) systems, and status of evolving SEI SCAIFE work

Read More

October 25, 2021 • By Lori Flynn

In Secure Development

A Technique for Decompiling Binary Code for Software Assurance and Localized Repair

The DoD has a significant amount of software available only in binary form. It is impractical to ensure that this software is free from vulnerabilities and malicious code.

Read More

October 11, 2021 • By Will Klieber

In Secure Development

Anti-Tamper for Software Components

This post explains how to identify software components within systems that are in danger of being exploited and that should be protected by anti-tamper practices.

Read More

June 21, 2021 • By Scott Hissam

In Secure Development

A Public Repository of Data for Static-Analysis Classification Research

This blog post describes a new repository of labeled data that CERT is making publicly available for many code-flaw conditions. Researchers can use this dataset along with the associated code …

Read More

November 2, 2020 • By Lori Flynn

In Secure Development

Automated Code Repair to Ensure Memory Safety

Memory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS....

Read More

February 24, 2020 • By Will Klieber

In Secure Development

An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts

In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts.

Read More

July 21, 2019 • By Lori Flynn, Ebonie McNeil

In Secure Development

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT)....

Read More

March 31, 2019 • By David Svoboda

In Secure Development

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity....

Read More

February 10, 2019 • By David Svoboda

In Secure Development

SCALe v. 3: Automated Classification and Advanced Prioritization of Static Analysis Alerts

Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer …

Read More

December 16, 2018 • By Lori Flynn, Ebonie McNeil

In Secure Development