
Software Assurance, Social Networking Tools, Insider Threat, and Risk Analysis--The Latest Research from the SEI

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in software assurance, social networking tools, insider threat, and the Security Engineering Risk Analysis Framework (SERA). This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

Predicting Software Assurance Using Quality and Reliability Measures
By Carol Woody, Robert J. Ellison, William Nichols

Security vulnerabilities are defects that enable an external party to compromise a system. Our research indicates that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and hence improves software security. Some portion of security vulnerabilities (maybe over half of them) are also quality defects. This report includes security analysis based on data the SEI has collected over many years for 100 software development projects. Can quality defect models that predict quality results be applied to security to predict security results? Simple defect models focus on an enumeration of development errors after they have occurred and do not relate directly to operational security vulnerabilities, except when the cause is quality related. This report discusses how a combination of software development and quality techniques can improve software security.

Download a PDF of the report.

Regional Use of Social Networking Tools
By Kate Meeuf

Social networking services (SNSs) empower users to communicate, connect, and engage with others across the Internet. These tools have exploded in use worldwide. This paper explores the regional use of these tools to determine if participation in a subset of SNSs can be applied to identify a user's country of origin. A better understanding of regional SNS behavior provides a more comprehensive profile of country-specific users, supporting computer network defense (CND) efforts and computer network attack (CNA) attribution. The conclusions are as follows:

  • Existing open source reporting yields an understanding of the market penetration of social networking tools for various regions and countries.
  • Preferences for social networking tools have become somewhat universal. Irrespective of location, users are gravitating towards the same tools.
  • The native social networking services of countries in Northern Asia and Eastern Europe have remained relevant. These tools can be leveraged as discriminators to resolve a user's location.
  • Reporting provided evidence to suggest that mobile devices influence SNS selection and promote social networking adoption.
  • Cultural factors provide insights into the regional usage of social networking tools, but additional research and quantitative analysis are required to add fidelity to the employment of cultural indicators in deriving a user's country of origin.
  • Which social networking tools are used is only part of the equation when resolving a user's location. Other variables should be incorporated to create an informed assessment of the social media output's geographic origin.

Download a PDF of the report.

Pattern-Based Design of Insider Threat Programs
By Andrew P. Moore, Matthew L. Collins, Dave Mundie, Robin Ruefle, and David McIntire

Despite the high impact of insider attacks, organizations struggle to implement effective insider threat programs. In addition to the mandate for all Department of Defense (DoD) and U.S. Government agencies to build such programs, approval of updates to the National Industrial Security Program Operating Manual regarding insider threat defense requires thousands of contractors to have insider threat programs as part of their security defense. Unfortunately, according to the Insider Threat Task Force of the Intelligence and National Security Alliance (INSA) Cyber Council, many such organizations have no insider threat program in place, and most of the organizations that do have serious deficiencies. This report describes a pattern-based approach to designing insider threat programs that could, if further developed, provide a more systematic, targeted way of improving insider threat defense.

Download a PDF of the report.

Introduction to the Security Engineering Risk Analysis (SERA) Framework
By Christopher J. Alberts, Carol Woody, Audrey J. Dorofee

Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions are also increasing. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. However, the costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. It is more cost effective to address software security risks as early in the lifecycle as possible. As a result, researchers from the CERT Division of the Software Engineering Institute (SEI) have started investigating early lifecycle security risk analysis (i.e., during requirements, architecture, and design). This report introduces the Security Engineering Risk Analysis (SERA) Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle. The framework integrates system and software engineering with operational security by requiring engineers to analyze operational security risks as software-reliant systems are acquired and developed. Initial research activities have focused on specifying security requirements for these systems. This report describes the SERA Framework and provides examples of pilot results.

Download a PDF of the report.

Additional Resources

For the latest SEI technical reports and notes, please visit
