Blog Posts
The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain
This post presents a framework to promote the use of SBOMs and establish practices and processes that organizations can leverage as they build their programs.
• By Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody
In Secure Development
Rust Vulnerability Analysis and Maturity Challenges
This post explores tools for understanding vulnerabilities in the Rust programming language as well as the maturity of the Rust software ecosystem as a whole and how that might impact …
• By Garret Wassermann, David Svoboda
In Secure Development
Rust Software Security: A Current State Assessment
This post examines security issues with the Rust programming language.
• By Joe Sible, David Svoboda
In Secure Development
Taking Up the Challenge of Open Source Software Security in the DoD
This post describes a workshop hosted by the SEI to start a conversation to elevate the trustworthiness of free and open source software, particularly in DoD settings.
• By Scott Hissam
In Secure Development
11 Leading Practices When Implementing a Container Strategy
While containers are frequently lauded in the latest software development trends, switching from using virtual machines and deploying an organization-wide container strategy remains non-trivial.
• By Andrew O. Mellinger, William Nichols, Jay Palat
In Secure Development
Release of SCAIFE System Version 2.0.0 Provides Support for Continuous-Integration (CI) Systems
Key features in new release of SCAIFE System Version 2.0.0 including support for continuous-integration (CI) systems, and status of evolving SEI SCAIFE work
• By Lori Flynn
In Secure Development
A Technique for Decompiling Binary Code for Software Assurance and Localized Repair
The DoD has a significant amount of software available only in binary form. It is impractical to ensure that this software is free from vulnerabilities and malicious code.
• By William Klieber
In Secure Development
Anti-Tamper for Software Components
This post explains how to identify software components within systems that are in danger of being exploited and that should be protected by anti-tamper practices.
• By Scott Hissam
In Secure Development
A Public Repository of Data for Static-Analysis Classification Research
This blog post describes a new repository of labeled data that CERT is making publicly available for many code-flaw conditions. Researchers can use this dataset along with the associated code …
• By Lori Flynn
In Secure Development
Automated Code Repair to Ensure Memory Safety
Memory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS....
• By William Klieber
In Secure Development