The crop of Top 10 SEI Blog posts in the first half of 2017 (judged by the number of visits by our readers) represents the best of what we do here at the SEI: transitioning our knowledge to those who need it. Several of our Top 10 posts this year are from a series of posts on best practices for network security that we launched in November 2016 in the wake of the Dyn attack. In this post, we will list the Top 10 posts with an excerpt from each post as well as links to where readers can go for more information about the topics covered in the SEI blog.

10. Automated Code Repair in the C Programming Language by Will Klieber

Finding violations of secure coding guidelines in source code is daunting, but fixing them is an even greater challenge. We are creating automated tools for source code transformation. Experience in examining software bugs reveals that many security-relevant bugs follow common patterns (which can be automatically detected) and that there are corresponding patterns for repair (which can be performed by automatic program transformation). For example, integer overflow in calculations related to array bounds or indices is almost always a bug. While static analysis tools can help, they typically produce an enormous number of warnings. Once an issue has been identified, teams are only able to eliminate a small percentage of the vulnerabilities identified. As a result, code bases often contain an unknown number of security bug vulnerabilities. This blog post describes our research in automated code repair, which can eliminate security vulnerabilities much faster than the existing manual process and at a much lower cost. While this research focuses to the C programming language, it applies to other languages as well.
Read the post.

Additional Resources

• This blog post is based on the paper "Automated Code Repair Based on Inferred Specifications" presented by Will Klieber and Will Snavely at IEEE SecDev Conference 2016 (November 2016).
• Listen to the podcast Is Java More Secure Than C? with David Svoboda.
• Read the blog post Prioritizing Alerts from Static Analysis to Find and Fix Code Flaws by Lori Flynn.
• Read the SEI technical note Improving the Automated Detection and Analysis of Secure Coding Violations.

9. EMFTA: an Open Source Tool for Fault Tree Analysis
by Julien Delange

Safety-critical software must be analyzed and checked carefully. Each potential error, failure, or defect must be considered and evaluated before you release a new product. For example, if you are producing a quadcopter drone, you would like to know the probability of engine failure to evaluate the system's reliability. Safety analysis is hard. Standards such as ARP4761mandate several analyses, such as Functional Hazard Assessment (FHA) and Failure Mode and Effect Analysis (FMEA). One popular type of safety analysis is Fault Tree Analysis (FTA), which provides a graphical representation of all contributors to a failure (e.g., error events and propagations). In this blog post, I present the concepts of the FTA and introduce a new tool to design and analyze fault trees.
Read the post.

Additional Resources

• EMFTA github repository: https://github.com/cmu-sei/emfta
• OSATE download: https://osate.org/

8. Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure
by Mark Langston

Much of the malware that we analyze includes some type of remote access capability. Malware analysts broadly refer to this type of malware as a remote access tool (RAT). RAT-like capabilities are possessed by many well-known malware families, such as DarkComet. As described in this series of posts, CERT researchers are exploring ways to automate common malware analysis activities. In a previous post, I discussed the Pharos Binary Analysis Framework and tools to support reverse engineering object-oriented code. In this post, I will explain how to statically characterize program behavior using application programming interface (API) calls and then discuss how we automated this reasoning with a malware analysis tool that we call ApiAnalyzer.
Read the post.

Additional Resources

• NIST also makes recommendations for DNS best practices about how to properly deploy and maintain a DNS infrastructure. For more on DNS deployment best practices, including the use of DNSSEC and TSIG, see NIST SP 800-81-2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf
• Read the SEI Blog post by Rachel Kartch Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response.

7. Agile Metrics: Seven Categories
by Will Hayes

More and more, suppliers of software-reliant Department of Defense (DoD) systems are moving away from traditional waterfall development practices in favor of Agile methods. As described in previous posts on this blog, Agile methods are effective for shortening delivery cycles and managing costs. If the benefits of Agile are to be realized effectively for the DoD, however, personnel responsible for overseeing software acquisitions must be fluent in metrics used to monitor these programs. This blog post highlights the results of an effort by researchers at the Carnegie Mellon University Software Engineering Institute to create a reference for personnel who oversee software development acquisition for major systems built by developers applying Agile methods. This post also presents seven categories for tracking Agile metrics.
Read the post.

Additional Resources

Acquisition researchers in the SEI's Software Solutions Division have published several technical notes that address different topics of interest to acquisition professionals that are contemplating or are currently using Agile methods as part of their acquisition:

• Agile Metrics: Progress Monitoring of Agile Contractors
  https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=77747
• Considerations for Using Agile in DoD Acquisition
  https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=9273
• Agile Methods: Selected DoD Management and Acquisition Concerns
  https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=9769
• A Closer Look at 804: A Summary of Considerations for DoD Program Managers
  https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=9751
• DoD Information Assurance and Agile: Challenges and Recommendations Gathered Through Interviews with Agile Program Managers and DoD Accreditation Reviewers
  https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34083
• Parallel Worlds: Agile and Waterfall Differences and Similarities
  https://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=62901

6. Structuring the Chief Information Security Officer Organization
by Nader Mehravari and Julia Allen

Most organizations, no matter the size or operational environment (government or industry), employ a senior leader responsible for information security and cybersecurity. In many organizations, this role is known as chief information security officer (CISO) or director of information security. CISOs and others in this position increasingly find that traditional information security strategies and functions are no longer adequate when dealing with today's expanding and dynamic cyber-risk environment. Publications abound with opinions and research expressing a wide range of functions that a CISO organization should govern, manage, and perform. Making sense of all this and deciding on an approach that is appropriate for your specific organization's business, mission, and objectives can prove challenging. In this blog post, we present recent research on this topic, including a CISO framework for a large, diverse, U.S. national organization. This framework is the product of interviews with CISOs and an examination of policies, frameworks, maturity models, standards, codes of practice, and lessons learned from cybersecurity incidents.
Read the entire post.

Additional Resources

• Read the technical note Structuring the Chief Information Security Officer Organization.
• Listen to the CERT podcast Structuring the Chief Information Security Officer Organization, featuring Julia Allen and Nader Mehravari.
• View the SEI Webinar and slides: Structuring the Chief Information Security Officer Organization, December 2015.

5. Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response
by Rachel Kartch

Late last month (October 2016), Internet users across the eastern seaboard of the United States had trouble accessing popular websites, such as Reddit, Netflix, and the New York Times. As reported in Wired Magazine, the disruption was the result of multiple distributed denial of service (DDoS) attacks against a single organization: Dyn, a New Hampshire-based Internet infrastructure company.

DDoS attacks can be extremely disruptive, and they are on the rise. The Verisign Distributed Denial of Service Trends Report states that DDoS attack activity increased 85 percent in each of the last two years with 32 percent of those attacks in the fourth quarter of 2015 targeting IT services, cloud computing, and software-as-a-service companies. In this blog post, I provide an overview of DDoS attacks and best practices for mitigating and responding to them based on cumulative experience in this field.
Read the post.

Additional Resources

• View this DDoS Security Guide from US-CERT.
• Learn more about CERT's incident handling courses for computer security incident response team (CSIRT) technical personnel.
• View CERT's CSIRT handbook.

4. Four Types of Shift-Left Testing

by Donald Firesmith

One of the most important and widely discussed trends within the software testing community is shift left testing, which simply means beginning testing as early as practical in the lifecycle. What is less widely known, both inside and outside the testing community, is that testers can employ four fundamentally different approaches to shift testing to the left. Unfortunately, different people commonly use the generic term shift left to mean different approaches, which can lead to serious misunderstandings. This blog post explains the importance of shift left testing and defines each of these four approaches using variants of the classic V model to illustrate them.
Read the post.

Additional Resources

• To read Don Firesmith's blog post, Using V Models for Testing, please visit
  /blog/using-v-models-for-testing/.
• To read more about the Testing at the End anti-pattern, please see his most recent book, Common System and Software Testing Pitfalls: How to Prevent and Mitigate Them: Descriptions, Symptoms, Consequences, Causes, and Recommendations, which was published as part of the SEI Series in Software Engineering.

3. Common Testing Problems: Pitfalls to Prevent and Mitigate
by Donald Firesmith

A widely cited study for the National Institute of Standards & Technology (NIST) reports that inadequate testing methods and tools annually cost the U.S. economy between $22.2 and $59.5 billion, with roughly half of these costs borne by software developers in the form of extra testing and half by software users in the form of failure avoidance and mitigation efforts. The same study notes that between 25 and 90 percent of software development budgets are often spent on testing. This posting, the first in a two-part series, highlights results of an analysis that documents problems that commonly occur during testing. Specifically, this series of posts identifies and describes 77 testing problems organized into 14 categories, lists potential symptoms by which each can be recognized, potential negative consequences, potential causes, and makes recommendations for preventing them or mitigating their effects.
Read the entire post.

Additional Resources

A presentation on this work, Common Testing Problems: Pitfalls to Prevent and Mitigate, and the associated Checklist including Symptoms and Recommendations, was presented at the FAA Verification and Validation Summit 8 (2012) in Atlantic City, New Jersey on 10 October 2012.

2. Using V Models for Testing

by Donald Firesmith

The verification and validation of requirements are a critical part of systems and software engineering. The importance of verification and validation (especially testing) is a major reason that the traditional waterfall development cycle underwent a minor modification to create the V model that links early development activities to their corresponding later testing activities. This blog post introduces three variants on the V model of system or software development that make it more useful to testers, quality engineers, and other stakeholders interested in the use of testing as a verification and validation method.

Read the entire post.

Additional Resources

Read the SEI technical report, Reliability Validation and Improvement Framework by Peter Feiler, John Goodenough, Arie Gurfinkel, Charles Weinstock, and Lutz Wrage.

1. Ransomware: Best Practices for Prevention and Response
by Alexander Volynkin, Jose Morales, and Angela Horneman

On May 12, 2017, in the course of a day, the WannaCry ransomware attack infected nearly a quarter million computers. WannaCry is the latest in a growing number of ransomware attacks where, instead of stealing data, cyber criminals hold data hostage and demand a ransom payment. WannaCry was perhaps the largest ransomware attack to date, taking over a wide swath of global computers from FedEx in the United States to the systems that power Britain's healthcare system to systems across Asia, according to the New York Times. In this post, we spell out several best practices for prevention and response to a ransomware attack.
Read the post.

Additional Resources

View the SEI Cyber Minute on mitigating ransomware.

Wrapping Up and Looking Ahead

In the coming months, look forward to posts highlighting our work in blockchain and Bitcoin, machine learning, and distributed artificial intelligence in extreme space environments.

Additional Resources

Download the latest publications from SEI researchers at our digital library
https://resources.sei.cmu.edu/library/.