As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recent publications from the SEI in the areas of application programming interfaces (APIs), software bills of materials (SBOMs), secure development, Architecture Analysis and Design Language (AADL), and static analysis.

These publications highlight the latest work from SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

Application Programming Interface (API) Vulnerabilities and Risks
by McKinley Sconiers-Hasan

Web-accessible application programming interfaces (APIs) are increasingly common, and they are often designed and implemented in a way that creates security risks. Building on a taxonomy from OWASP, this report describes 11 common vulnerabilities and 3 risks related to APIs, providing suggestions about how to fix or reduce their impact. Recommendations include using a standard API documentation process, using automated testing, and ensuring the security of the identity and access management system.
Read the SEI Special Report.

Software Bill of Materials (SBOM) Considerations for Operational Test & Evaluation Activities
by Michael Bandor

This white paper looks at potential roles for SBOM within various Operational Test & Evaluation (OT&E) activities. It looks at the history and background of SBOMs, recent developments (as of the creation of the white paper), general challenges and questions to ask, and five specific use cases. It concludes with conclusions and recommendations.

SBOMs are currently in early and varying stages of adoption across industry and within the DoD. There are still issues with the quality (e.g., completeness, accuracy, currency, etc.) of the SBOMs being produced, as well as adherence to the minimum essential elements identified by the U.S. Department of Commerce. Legacy systems as well as cloud-based systems present challenges for producing SBOMs. The DoD is currently developing proposed guidance for addressing the SBOM requirement by programs.

Given this early phase of adoption, it is recommended that SBOMs be used to augment but not replace the current methods used by Operational Test (OT) personnel in performance of the testing functions and not to rely solely on the SBOM information. The limitations are not intrinsic, and we can expect that SBOMs will prove to be increasingly significant and useful for OT activities.
Read the SEI white paper.

Secure Systems Don’t Happen by Accident
by Timothy A. Chick

Most cybersecurity breaches are due to defects in design or code, including both coding and logic errors. The best way to address these challenges is to design and build more secure solutions. In this webcast, Tim Chick discusses how security can be an integral aspect of the entire software lifecycle. The key to success is to follow deliberate engineering practices focused on reducing security risks through the use of software assurance techniques.

What attendees will learn:

• the importance of cybersecurity, including examples of security failures
• qualities to look at when evaluating third-party software
• the relationship between quality and security
• engineering techniques used throughout the development lifecycle to reduce cyber risks

View the webcast.

Reachability of System Operation Modes in AADL
by Lutz Wrage

Components in an AADL (Architecture Analysis and Design Language) model can have modes that determine which subcomponents and connections are active. Transitions between modes are triggered by events originating from the modeled system’s environment or from other components in the model. Modes and transitions can occur on any level of the component hierarchy. The combinations of component modes (called system operation modes or SOMs) define the system’s configurations. It is important to know which SOMs can actually occur in the system, especially in the area of system safety, because a system may contain components that should not be active simultaneously, for example, a car’s brake and accelerator. This report presents an algorithm that constructs the set of reachable SOMs for a given AADL model and the transitions between them.
Read the SEI Technical Report.

Automated Repair of Static Analysis Alerts
by David Svoboda

Developers know that static analysis helps make code more secure. However, heuristic static analysis tools often produce a large number of false positives, hindering their usefulness. In this podcast, David Svoboda, a software security engineer in the SEI’s CERT Division, discusses Redemption, a new open-source tool from the SEI that automatically repairs common errors in C/C++ code generated from static analysis alerts, making code safer and static analysis less overwhelming.
Listen to/view the podcast.

Navigating Capability-Based Planning: The Benefits, Challenges, and Implementation Essentials
By Anandi Hira and William Nichols

Capability-based planning (CBP) defines a framework for acquisition and design that encompasses a comprehensive view of existing abilities and future needs for the purpose of supporting strategic decisions regarding what is needed and how to effectively achieve it. Both business and government acquisition domains use CBP for financial success or to design well-balanced defense systems. Unsurprisingly, the definitions vary across these domains. This paper endeavors to reconcile these definitions to provide a overarching view of CBP, its potential, and practical implementation of its principles.
Read the white paper.

My Story in Computing, with Sam Procter
by Sam Procter

Sam Procter, an SEI senior architecture researcher, started out studying computer science at the University of Nebraska, but he didn’t love it. It wasn’t until he took his first software engineering course that he knew he’d found his career path. In this SEI podcast, Procter discusses early influences that shaped his career, the importance of embracing different types of diversity in his research and work, and the value of work-life balance.
Listen to/view the podcast.

Additional Resources

View the latest SEI research in the SEI Digital Library.
View the latest podcasts in the SEI Podcast Series.
View the latest installments in the SEI Webcast Series.