SEI Blog

The Latest Research in Software Engineering and Cybersecurity

Latest Posts

Best Practices and Considerations in Egress Filtering

• SEI Blog
Rachel Kartch

When considering best practices in egress filtering, it is important to remember that egress filtering is not focused on protecting your network, but rather on protecting other organizations' networks. For example, the May 2017 WannaCry ransomware attack is believed to have exploited an exposed vulnerability in the Server Message Block (SMB) protocol and was rapidly spread via communications over port 445. Egress and ingress filtering of port 445 would have helped limit the spread of...

Coordinated Vulnerability Disclosure for DoD Websites

• SEI Blog
Art Manion

Almost 30 years ago, the SEI's CERT Coordination Center established a program that enabled security researchers in the field to report vulnerabilities they found in an organization's software or systems. But this capability did not always include vulnerabilities found on Department of Defense (DoD) sites. In 2017, the SEI helped expand vulnerability reporting to the DoD by establishing the DoD Vulnerability Disclosure program. This blog post, which was adapted from an article in the recently...

Implications and Mitigation Strategies for the Loss of End-Entity Private Keys

• SEI Blog
Aaron Reffett

This post is co-authored by Thomas Scanlon. When a private key in a public-key infrastructure (PKI) environment is lost or stolen, compromised end-entity certificates can be used to impersonate a principal (a singular and identifiable logical or physical entity, person, machine, server, or device) that is associated with it. An end-entity certificate is one that does not have certification authority to authorize other certificates. Consequently, the scope of a compromise or loss of an end-entity...

Best Practices for Cloud Security

• SEI Blog
Donald Faatz

As detailed in last week's post, SEI researchers recently identified a collection of vulnerabilities and risks faced by organizations moving data and applications to the cloud. In this blog post, we outline best practices that organizations should use to address the vulnerabilities and risks in moving applications and data to cloud services. These practices are geared toward small and medium-sized organizations; however, all organizations, independent of size, can use these practices to improve the security...

12 Risks, Threats, & Vulnerabilities in Moving to the Cloud

• SEI Blog
Timothy Morrow

Organizations continue to develop new applications in, or migrate existing applications to, cloud-based services. The federal government recently made cloud adoption a central tenet of its IT modernization strategy. An organization that adopts cloud technologies and/or chooses cloud service providers (CSPs) and services or applications without becoming fully informed of the risks involved exposes itself to a myriad of commercial, financial, technical, legal, and compliance risks. In this blog post, we outline 12 risks, threats, and...

Agile/DevOps, Best Practices in Insider Threat, and Dynamic Design Analysis: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in cyber risk and resilience management, Agile/DevOps and risk management, best practices in insider threat, and dynamic design analysis. This post also includes a link to our recently published 2017 SEI Year in Review. These publications highlight the latest work of SEI technologists in these areas....

Automated Assurance of Security-Policy Enforcement In Critical Systems

• SEI Blog
Peter Feiler

As U.S. Department of Defense (DoD) mission-critical and safety-critical systems become increasingly connected, exposure from security infractions is likewise increasing. In the past, system developers had worked on the assumption that, because their systems were not connected and did not interact with other systems, they did not have to worry about security. "Closed" system assumptions, however, are no longer valid, and security threats affect the safe operation of systems. To address exponential growth in the...
