
SEI Blog

The Latest Research in Software Engineering and Cybersecurity

Latest Posts

Is Java More Secure than C?

• SEI Blog
David Svoboda

By David Svoboda, Senior Member of the Technical Staff, CERT Division. Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When we began writing the SEI CERT Oracle Coding Standard for Java, we thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. We naively assumed that a more...

Leveraging Threat Intelligence to Support Resilience, Risk, and Project Management

• SEI Blog
Doug Gray

By Douglas Gray, Information Security Engineer, CERT Division. What differentiates cybersecurity from other domains in information technology (IT)? Cybersecurity must account for an adversary. It is the intentions, capabilities, and prevailing attack patterns of these adversaries that form the basis of risk management and the development of requirements for cybersecurity programs. In this blog post, the first in a series, I present strategies for enabling resilience practitioners to organize and articulate their intelligence needs, as well...

A Taxonomy of Testing: What-Based and When-Based Testing Types

• SEI Blog
Donald Firesmith

By Donald Firesmith, Principal Engineer, Software Solutions Division. There are more than 200 different types of testing, and many stakeholders in testing, including the testers themselves and test managers, are often largely unaware of them or do not know how to perform them. Similarly, test planning frequently overlooks important types of testing. The primary goal of this series of blog posts is to raise awareness of the large number of test types, to verify adequate completeness of...

Managing Software Complexity in Models

• SEI Blog
Julien Delange

By Julien Delange, Member of the Technical Staff, Software Solutions Division. For decades, safety-critical systems have become more software intensive in every domain: in avionics, aerospace, automobiles, and medicine. Software acquisition is now one of the biggest production costs for safety-critical systems. These systems are made up of several software and hardware components, executed on different components, and interconnected using various buses and protocols. For instance, cars are now equipped with more than 70 electronic control...

Agile, Architecture Fault Analysis, the BIS Wassenaar Rule, and Computer Network Design: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

By Douglas C. Schmidt, Principal Researcher. As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, technical notes, and white papers. These reports highlight the latest work of SEI technologists in Agile software development and Agile-at-scale, software architecture fault analysis, computer network design, confidence in system properties, and system-of-systems development, as well as commentary from two CERT...

A Taxonomy of Testing

• SEI Blog
Donald Firesmith

By Donald Firesmith, Principal Engineer, Software Solutions Division. While evaluating the test programs of numerous defense contractors, we have often observed that they are quite incomplete. For example, they typically fail to address all the relevant types of testing that should be used to (1) uncover defects, (2) provide evidence concerning the quality and maturity of the system or software under test, and (3) demonstrate the readiness of the system or software for acceptance and...

The SEI Technical Strategic Plan

• SEI Blog
Kevin Fall

By Kevin Fall, Deputy Director, Research, and CTO. This is the second installment in a series on the SEI's technical strategic plan. Department of Defense (DoD) systems are becoming increasingly software reliant, at a time when concerns about cybersecurity are at an all-time high. Consequently, the DoD, and the government more broadly, is expending significantly more time, effort, and money in creating, securing, and maintaining software-reliant systems and networks. Our first post in this series provided...

The Pharos Framework: Binary Static Analysis of Object Oriented Code

• SEI Blog
Jeffrey Gennari

Object-oriented programs present considerable challenges to reverse engineers. For example, C++ classes are high-level structures that lead to complex arrangements of assembly instructions when compiled. These complexities are exacerbated for malware analysts because malware rarely has source code available; thus, analysts must grapple with sophisticated data structures exclusively at the machine code level. As more and more object-oriented malware is written in C++, analysts are increasingly faced with the challenges of reverse engineering C++ data...
