search menu icon-carat-right cmu-wordmark

SEI Blog

The Latest Research in Software Engineering and Cybersecurity

Latest Posts

Heartbleed: Q&A

Heartbleed: Q&A

• SEI Blog
Will Dormann

The Heartbleed bug, a serious vulnerability in the Open SSL crytographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Socket Layer/Transport Layer Security(SSL/TLS) encryption used to secure the internet. Heartbleed and its aftermath left many questions in its wake: Would the vulnerability have been detected by static analysis tools? If the vulnerability has been in the wild for two years, why did it take so long to...

Read More
Secure Coding to Prevent Vulnerabilities

Secure Coding to Prevent Vulnerabilities

• SEI Blog
Robert Seacord

Software developers produce more than 100 billion lines of code for commercial systems each year. Even with automated testing tools, errors still occur at a rate of one error for every 10,000 lines of code. While many coding standards address code style issues (i.e., style guides), CERT secure coding standards focus on identifying unsafe, unreliable, and insecure coding practices, such as those that resulted in the Heartbleed vulnerability. For more than 10 years, the CERT...

Read More
Two Secure Coding Tools for Analyzing Android Apps

Two Secure Coding Tools for Analyzing Android Apps

• SEI Blog
Will Klieber

This blog post is co-authored by Lori Flynn. Although the Android Operating System continues to dominate the mobile device market (82 percent of worldwide market share in the third quarter of 2013), applications developed for Android have faced some challenging security issues. For example, applications developed for the Android platform continue to struggle with vulnerabilities, such as activity hijacking, which occurs when a malicious app receives a message (in particular, an intent) that was intended...

Read More
A New Approach to Prioritizing Malware Analysis

A New Approach to Prioritizing Malware Analysis

• SEI Blog
Jose Morales

Every day, analysts at major anti-virus companies and research organizations are inundated with new malware samples. From Flame to lesser-known strains, figures indicate that the number of malware samples released each day continues to rise. In 2011, malware authors unleashed approximately 70,000 new strains per day, according to figures reported by Eugene Kaspersky. The following year, McAfee reported that 100,000 new strains of malware were unleashed each day. An article published in the October 2013...

Read More
Identifying Security Gaps in International Postal and Transportation Infrastructure

Identifying Security Gaps in International Postal and Transportation Infrastructure

• SEI Blog
Nader Mehravari

In October 2010, two packages from Yemen containing explosives were discovered on U.S.-bound cargo planes of two of the largest worldwide shipping companies, UPS and FedEx, according to reports by CNN and the Wall Street Journal. The discovery highlighted a long-standing problem--securing international cargo--and ushered in a new area of concern for such entities as the United States Postal Inspection Service (USPIS) and the Universal Postal Union (UPU), a specialized agency of the United Nations...

Read More
Specifying Behavior with AADL

Specifying Behavior with AADL

• SEI Blog
Julien Delange

The Architecture Analysis and Design Language (AADL) is a modeling language that, at its core, allows designers to specify the structure of a system (components and connections) and analyze its architecture. From a security point of view, for example, we can use AADL to verify that a high-security component does not communicate with a low-security component and, thus, ensure that one type of security leak is prevented by the architecture. The ability to capture the...

Read More
Unintentional Insider Threat and Social Engineering

Unintentional Insider Threat and Social Engineering

• SEI Blog
David Mundie

Social engineering involves the manipulation of individuals to get them to unwittingly perform actions that cause harm or increase the probability of causing future harm, which we call "unintentional insider threat." This blog post highlights recent research that aims to add to the body of knowledge about the factors that lead to unintentional insider threat (UIT) and about how organizations in industry and government can protect themselves....

Read More
A New Approach for Critical Information Systems Protection

A New Approach for Critical Information Systems Protection

• SEI Blog
Anne Connell

The source of a recent Target security breach that allowed intruders to gain access to more than 40 million credit and debit cards of customers between Nov. 27 and Dec. 14, 2013, has been traced to a heating, ventilation, and air conditioning (HVAC) service sub-contractor in Sharpsburg, Pa., just outside of Pittsburgh, according to a Feb. 5 post on a Wall Street Journal blog....

Read More