Archive: 2017

Agile Metrics: A New Approach to Oversight

• SEI Blog
Will Hayes

There's been a widespread movement in recent years from traditional waterfall development to Agile approaches in government software acquisition programs. This transition has created the need for personnel who oversee government software acquisitions to become fluent in metrics used to monitor systems developed with Agile methods. This post, which is a follow-up to my earlier post on Agile metrics, presents updates on our Agile-metrics work based on recent interactions with government programs....

Technical Detection of Intended Violence: Workplace Violence as an Insider Threat

• SEI Blog
Tracy Cassidy

The threat of insiders causing physical harm to fellow employees or themselves at an organization is real. In 2015 and 2016 alone, there were shootings in the U.S. by current or former employees in various workplaces, including at a television station in Virginia, a mowing equipment manufacturer in Kansas, an Air Force base in Texas, a transportation company in Texas, and a supermarket in Pennsylvania. These incidents resulted in seven fatalities and an additional 17...

Inference of Memory Bounds: Preventing the Next Heartbleed

• SEI Blog
Will Klieber

Invalid memory accesses are one of the most prevalent and serious of software vulnerabilities. Leakage of sensitive information caused by out-of-bounds reads is a relatively new problem that most recently took the form of the OpenSSL Heartbleed vulnerability. In this blog post, I will describe research aimed at detecting the intended bounds of memory that given pointers should be able to access....

Cyber Warfare, Technical Debt, Network Border Protection, and Insider Threat: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in cyber warfare, emerging technologies and their risks, domain name system blocking to disrupt malware, best practices in network border protection, robotics, technical debt, and insider threat and workplace violence. These publications highlight the latest work of SEI technologists in these areas. This post includes a...

Automated Detection of Information Leaks in Mobile Devices

• SEI Blog
Lori Flynn

This blog post is also authored by William Klieber. Exfiltration of sensitive data on mobile devices is a major concern for the DoD, other organizations, and individuals. Colluding apps in public use have been discovered by security researchers. The Mobile App Collusion attack, which spread across thousands of Android packages, is an example. Colluding apps, or a combination of a malicious app and leaky app, can use intents (messages sent to Android app components) to...

Five Models of Technology Transition to Bridge the Gap Between Digital Natives and Digital Immigrants

• SEI Blog
Suzanne Miller

As the defense workforce attracts younger staff members, this digital native generation is having an effect. "To accommodate millennial IT workers, so-called 'digital natives,'" wrote Phil Goldstein in a May 2016 FedTech article, "the service branches of the Department of Defense need to square cybersecurity with the attitudes and behaviors of younger employees, according to senior defense IT officials." Digital natives approach technology differently than digital immigrants, which includes those born before the widespread use...

5 Best Practices to Prevent Insider Threat

• SEI Blog
Randy Trzeciak

Insider threat continues to be a problem with approximately 50 percent of organizations experiencing at least one malicious insider incident per year, according to the 2017 U.S. State of Cybercrime Survey. Although the attack methods vary depending on the industry, the primary types of attacks identified by researchers at the CERT Insider Threat Center--theft of intellectual property, sabotage, fraud, and espionage--continue to hold true. In our work with public and private industry, we continue to...

Multicore and Virtualization Recommendations

• SEI Blog
Donald Firesmith

The first post in this series introduced the basic concepts of multicore processing and virtualization, highlighted their benefits, and outlined the challenges these technologies present. The second post addressed multicore processing, whereas the third and fourth posts concentrated on virtualization via virtual machines (VMs) and containers (containerization), respectively. This fifth and final post in the series provides general recommendations for the use of these three technologies--multicore processing, virtualization via VMs, and virtualization via containers--including mitigating...

8 At-Risk Emerging Technologies

• SEI Blog
Dan J. Klinedinst

By Dan Klinedinst, Vulnerability Analyst, CERT Division. As the world becomes increasingly interconnected through technology, information security vulnerabilities emerge from the deepening complexity. Unexpected interactions between hardware and software components can magnify the impact of a vulnerability. As technology continues its shift away from the PC-centric environment of the past to a cloud-based, perpetually connected world, it exposes sensitive systems and networks in ways that were never before imagined. The information security community must be prepared to...

Machine Learning and Insider Threat

• SEI Blog
Daniel Costa

As organizations' critical assets have become digitized and access to information has increased, the nature and severity of threats has changed. Organizations' own personnel--insiders--now have greater ability than ever before to misuse their access to critical organizational assets. Insiders know where critical assets are, what is important, and what is valuable. Their organizations have given them authorized access to these assets and the means to compromise the confidentiality, availability, or integrity of data. As organizations...

Pursuing an Imagined End-State in Software-based Capability

• SEI Blog
Jeff Boleng

Could software save lives after a natural disaster? Meteorologists use sophisticated software-reliant systems to predict a number of pathways for severe and extreme weather events, such as hurricanes, tornados, and cyclones. Their forecasts can trigger evacuations that remove people from danger. In this blog post, I explore key technology enablers that might pave the path toward achieving an envisioned end-state capability for software that would improve decision-making and response for disaster managers and warfighters in...

Improving Data Extraction from Cybersecurity Incident Reports

• SEI Blog
Samuel J. Perl

This post is also authored by Matt Sisk, the lead author of each of the tools detailed in this post (bulk query, autogeneration, and all regex). The number of cyber incidents affecting federal agencies has continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015, according to a September 2016 GAO report. For example, in 2015, agencies reported more than 77,000 incidents to US-CERT, up from 67,000 in 2014 and...

Virtualization via Containers

• SEI Blog
Donald Firesmith

The first blog entry in this series introduced the basic concepts of multicore processing and virtualization, highlighted their benefits, and outlined the challenges these technologies present. The second post addressed multicore processing, whereas the third post concentrated on virtualization via virtual machines. In this fourth post in the series, I define virtualization via containers, list its current trends, and examine its pros and cons, including its safety and security ramifications....

Virtualization via Virtual Machines

• SEI Blog
Donald Firesmith

This posting is the third in a series that focuses on multicore processing and virtualization, which are becoming ubiquitous in software development. The first blog entry in this series introduced the basic concepts of multicore processing and virtualization, highlighted their benefits, and outlined the challenges these technologies present. The second post addressed multicore processing. This third post concentrates on virtualization via virtual machines (VMs). Below I define the relevant concepts underlying virtualization via VMs, list...

Simultaneous Analysis of Safety and Security of a Critical System

• SEI Blog
Sam Procter

As computers become more powerful and ubiquitous, software and software-based systems are increasingly relied on for business, governmental, and even personal tasks. While many of these devices and apps simply increase the convenience of our lives, some--known as critical systems--perform business- or life-preserving functionality. As they become more prevalent, securing critical systems from accidental and malicious threats has become both more important and more difficult. In addition to classic safety problems, such as ensuring hardware...

Coordinated Vulnerability Disclosure, Ransomware, Scaling Agile, and Android App Analysis: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts and webinars highlighting our work in coordinated vulnerability disclosure, scaling Agile methods, automated testing in Agile environments, ransomware, and Android app analysis. These publications highlight the latest work of SEI technologists in these areas. One SEI Special Report presents data related to DoD software projects and translated it into information that...

Pharos Binary Static Analysis Tools Released on GitHub

• SEI Blog
Jeffrey Gennari

In a previous post, I discussed the Pharos Binary Analysis Framework and tools to support reverse engineering of binaries with a focus on malicious code analysis. Recall that Pharos is a CERT-created framework that builds upon the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics, and more. Pharos uses these features to automate common reverse engineering tasks. I'm pleased to announce that we've updated our framework on...

Multicore Processing

• SEI Blog
Donald Firesmith

The first blog entry in this series introduced the basic concepts of multicore processing and virtualization, highlighted their benefits, and outlined the challenges these technologies present. This second post will concentrate on multicore processing, where I will define its various types, list its current trends, examine its pros and cons, and briefly address its safety and security ramifications....

Multicore and Virtualization: An Introduction

• SEI Blog
Donald Firesmith

Multicore processing and virtualization are rapidly becoming ubiquitous in software development. They are widely used in the commercial world, especially in large data centers supporting cloud-based computing, to (1) isolate application software from hardware and operating systems, (2) decrease hardware costs by enabling different applications to share underutilized computers or processors, (3) improve reliability and robustness by limiting fault and failure propagation and support failover and recovery, and (4) enhance scalability and responsiveness through the...

Real-Time Extraction of Biometric Data from Video

• SEI Blog
Satya Venneti

The Department of Defense is increasingly relying on biometric data, such as iris scans, gait recognition, and heart-rate monitoring to protect against both cyber and physical attacks. "Military planners, like their civilian infrastructure and homeland security counterparts, use video-linked 'behavioral recognition analytics,' leveraging base protection and counter-IED operations," according to an article in Defense Systems. Current state-of-the-art approaches do not make it possible to gather biometric data in real-world settings, such as border and airport...

Using Augmented Reality to Visualize Cyber-Warfare Opportunities

• SEI Blog
Jeffrey Mattson

This blog post is also authored by Josh Hammerstein. There are many opportunities for front-line soldiers to use cyber tactics to help them achieve their missions. For example, a soldier on a reconnaissance mission who enters a potentially hostile or dangerous space, such as a storefront in enemy territory, might be able to gain access to an open wireless access point in the area or exploit vulnerabilities in the building's alarm-communication system. These exploits would...

What Is Bitcoin? What Is Blockchain?

• SEI Blog
Eliezer Kanal

Blockchain technology was conceived a little over ten years ago. In that short time, it went from being the foundation for a relatively unknown alternative currency to being the "next big thing" in computing, with industries from banking to insurance to defense to government investing billions of dollars in blockchain research and development. This blog post, the first of two posts about the SEI's exploration of DoD applications for blockchain, provides an introduction to this...

How to Think Like an Analyst

• SEI Blog
Angela Horneman

When I was pursuing my master's degree in information security, two of the required classes were in cognitive psychology and human factors: one class about how we think and learn and one about how we interact with our world. Students were often less interested in these courses and preferred to focus their studies on more technical topics. I personally found them to be two of the most beneficial. In the years since I took those...

Top 10 SEI Blog Posts of 2017

• SEI Blog
Douglas C. Schmidt

The crop of Top 10 SEI Blog posts in the first half of 2017 (judged by the number of visits by our readers) represents the best of what we do here at the SEI: transitioning our knowledge to those who need it. Several of our Top 10 posts this year are from a series of posts on best practices for network security that we launched in November 2016 in the wake of the Dyn attack....

Supply Chain Risk Management, Network Situational Awareness, Software Architecture, and Network Time Protocol: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI technical reports, white papers, podcasts and webinars on supply chain risk management, process improvement, network situational awareness, software architecture, network time protocol as well as a podcast interview with SEI Fellow Peter Feiler. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication,...

DNS Blocking: A Viable Strategy in Malware Defense

• SEI Blog
Vijay Sarvepalli

Electronic Countermeasures: During the wars in Iraq and Afghanistan, insurgents' use of improvised explosive devices (IEDs) proliferated. The United States ramped up its development of counter-IED equipment to improve standoff detection of explosives and explosive precursor components and to defeat IEDs themselves as part of a broader defense capability. One effective strategy was jamming or interrupting radio frequency (RF) communications to counter radio-controlled IEDs (RCIEDs). This approach disrupts critical parts of RF communications, making the...

Six Things You Need to Know About Data Governance

• SEI Blog
John Klein

Many organizations want to share data sets across the enterprise, but taking the first steps can be challenging. These challenges range from purely technical issues, such as data formats and APIs, to organizational cultures in which managers resist sharing data they feel they own. Data Governance is a set of practices that enable data to create value within an enterprise. When launching a data governance initiative, many organizations choose to apply best practices, such as...

Army Robotics in the Military

• SEI Blog
Jonathan Chu

The future of autonomy in the military could include unmanned cargo delivery; micro-autonomous air/ground systems to enhance platoon, squad, and soldier situational awareness; and manned and unmanned teaming in both air and ground maneuvers, according to a 2016 presentation by Robert Sadowski, chief roboticist for the U.S. Army Tank Automotive Research Development and Engineering Center (TARDEC), which researches and develops advanced technologies for ground systems. One day, robot medics may even carry wounded soldiers out...

Machine Learning in Cybersecurity

• SEI Blog
Eliezer Kanal

The year 2016 witnessed advancements in artificial intelligence in self-driving cars, language translation, and big data. That same time period, however, also witnessed the rise of ransomware, botnets, and attack vectors as popular forms of malware attack, with cybercriminals continually expanding their methods of attack (e.g., attached scripts to phishing emails and randomization), according to Malwarebytes' State of Malware report. To complement the skills and capacities of human analysts, organizations are turning to machine...

Ransomware: Best Practices for Prevention and Response

• SEI Blog
Alexander Volynkin

This blog post is coauthored by Jose Morales and Angela Horneman. On May 12, 2017, in the course of a day, the WannaCry ransomware attack infected nearly a quarter million computers. WannaCry is the latest in a growing number of ransomware attacks where, instead of stealing data, cyber criminals hold data hostage and demand a ransom payment. WannaCry was perhaps the largest ransomware attack to date, taking over a wide swath of global computers from...

Reference Architectures for Big Data Systems

• SEI Blog
John Klein

Have you ever been developing or acquiring a system and said to yourself, I can't be the first architect to design this type of system. How can I tap into the architecture knowledge that already exists in this domain? If so, you might be looking for a reference architecture. A reference architecture describes a family of similar systems and standardizes nomenclature, defines key solution elements and relationships among them, collects relevant solution patterns, and provides...

Best Practices for Network Border Protection

• SEI Blog
Rachel Kartch

When it comes to network traffic, it's important to establish a filtering process that identifies and blocks potential cyberattacks, such as worms spreading ransomware and intruders exploiting vulnerabilities, while permitting the flow of legitimate traffic. In this post, the latest in a series on best practices for network security, I explore best practices for network border protection at the Internet router and firewall....

Three Pilots of the CERT Software Assurance Framework

• SEI Blog
Christopher Alberts

This post is coauthored by Carol Woody. Software is a growing component of business and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. We recently published a technical note that introduces the prototype Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. We envision program managers using this framework to assess an acquisition program's current...

Automating Design Analysis

• SEI Blog
Neil Ernst

Software design problems, often the result of optimizing for delivery speed, are a critical part of long-term software costs. Automatically detecting such design problems is a high priority for software practitioners. Software quality tools aim to automatically detect violations of common software quality rules. However, since these tools bundle a number of rules, including rules for code quality, it is hard for users to understand which rules identify design issues in particular. This blog post...

Seven Recommendations for Testing in a Non-Deterministic World

• SEI Blog
Donald Firesmith

In a previous post, I addressed the testing challenges posed by non-deterministic systems and software such as the fact that the same test can have different results when repeated. While there is no single panacea for eliminating these challenges, this blog posting describes a number of measures that have proved useful when testing non-deterministic systems....

CERT C++ Secure Coding Guidelines

• SEI Blog
David Svoboda

Software vulnerabilities typically cost organizations an average of $300,000 per security incident. Efforts aimed at eliminating software vulnerabilities must focus on secure coding, preventing the vulnerabilities from being deployed into production code. "Between 2010 and 2015, buffer overflows accounted for between 10-16% of publicly reported security vulnerabilities in the U.S. National Vulnerability Database each year," Microsoft researcher David Tarditi wrote in a recent report. In March, the Secure Coding Team in the SEI's CERT Division...

Software Assurance, Data Governance, and Malware Analysis: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI technical reports, white papers, podcasts and webinars on software assurance, data governance, self-adaptive systems, engineering high-assurance software for distributed adaptive real-time (DART) systems, technical debt, and automating malware collection and analysis. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and...

Best Practices for NTP Services

• SEI Blog
Timur Snoke

The network time protocol (NTP) synchronizes the time of a computer client or server to another server or within a few milliseconds of Coordinated Universal Time (UTC). NTP servers, long considered a foundational service of the Internet, have more recently been used to amplify large-scale Distributed Denial of Service (DDoS) attacks. While 2016 did not see a noticeable uptick in the frequency of DDoS attacks, the last 12 months have witnessed some of the largest...

Three Practice Areas for Using Positive Incentives to Reduce Insider Threat

• SEI Blog
Andrew Moore

In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In contrast, this blog post highlights results from...

Combined Arms Cyber-Kinetic Operator Training

• SEI Blog
Rotem Guttman

As cyber-physical systems continue to proliferate, the ability of cyber operators to support armed engagements (kinetic missions) will be critical for the Department of Defense (DoD) to maintain a technological advantage over adversaries. However, current training for cyber operators focuses entirely on the cyber aspect of operations and ignores the realities and constraints of supporting a larger mission. Similarly, kinetic operators largely think of cyber capabilities as a strategic, rather than a tactical resource, and...

Experiences Using IBM Watson in Software Assurance

• SEI Blog
Mark Sherman

Since its debut on Jeopardy in 2011, IBM's Watson has generated a lot of interest in potential applications across many industries. I recently led a research team investigating whether the Department of Defense (DoD) could use Watson to improve software assurance and help acquisition professionals assemble and review relevant evidence from documents. As this blog post describes, our work examined whether typical developers could build an IBM Watson application to support an assurance review....

Powered by Mirai

• SEI Blog
Vijay Sarvepalli

Distributed denial-of-service (DDoS) attacks have been dominating the IT security headlines. A flurry of reporting followed the September 2016 attack on the computer security reporter Brian Krebs's web site KrebsOnSecurity when he reported attack traffic that was at the unprecedented scale of gigabytes per second. In November, my colleague Rachel Kartch wrote "DDOS Attacks: Four Best Practices for Prevention and Response," outlining what we can do to defend against these attacks. In this blog post,...

Establishing Trust in Disconnected Environments

• SEI Blog
Grace Lewis

First responders, search-and-rescue teams, and military personnel often work in "tactical edge" environments defined by limited computing resources, rapidly changing mission requirements, high levels of stress, and limited connectivity. In these tactical edge environments, software applications that enable tasks such as face recognition, language translation, decision support, and mission planning and execution are critical due to computing and battery limitations on mobile devices. Our work on tactical cloudlets addresses some of these challenges by providing...

Five Perspectives on Scaling Agile

• SEI Blog
Will Hayes

The prevalence of Agile methods in the software industry today is obvious. All major defense contractors in the market can tell you about their approaches to implementing the values and principles found in the Agile Manifesto. Published frameworks and methodologies are rapidly maturing, and a wave of associated terminology is part of the modern lexicon. We are seeing consultants feuding on Internet forums as well, with each one claiming to have the "true" answer for...

Are We Creating Organizational Debt?

• SEI Blog
Linda Parker Gates

Interest in Agile and lightweight development methods in the software development community has become widespread. Our experiences with the application of Agile principles have therefore become richer. In my blog post, Toward Agile Strategic Planning, I wrote about how we can apply Agile principles to strategic planning. In this blog post, I apply another Agile concept, technical debt, to another organizational excellence issue. Specifically I explore whether organizational debt is accrued when we implement quick...

Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure

• SEI Blog
Mark Langston

The Domain Name System (DNS) is an essential component of the Internet, a virtual phone book of names and numbers, but we rarely think about it until something goes wrong. As evidenced by the recent distributed denial of service (DDoS) attack against Internet performance management company Dyn, which temporarily wiped out access to websites including Amazon, Paypal, Reddit, and the New York Times for millions of users down the Eastern Seaboard and Europe, DNS serves...

Preventing DDoS Attacks, Scaling Agile, Insider Threat, and Software Architecture: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published books, SEI technical reports, podcasts and webinars on insider threat, using malware analysis to identify overlooked security requirements, software architecture, scaling Agile methods, best practices for preventing and responding to DDoS attacks, and a special report documenting the technical history of the SEI. These publications highlight the latest work of SEI technologists in these...

Prioritizing Security Alerts: A DoD Case Study

• SEI Blog
Lori Flynn

Federal agencies and other organizations face an overwhelming security landscape. The arsenal available to these organizations for securing software includes static analysis tools, which search code for flaws, including those that could lead to software vulnerabilities. The sheer effort required by auditors and coders to triage the large number of potential code flaws typically identified by static analysis can hijack a software project's budget and schedule. Auditors need a tool to classify alerts and to...

Automated Code Repair in the C Programming Language

• SEI Blog
Will Klieber

By Will Klieber, CERT Secure Coding Team. This blog post is co-authored by Will Snavely. Finding violations of secure coding guidelines in source code is daunting, but fixing them is an even greater challenge. We are creating automated tools for source code transformation. Experience in examining software bugs reveals that many security-relevant bugs follow common patterns (which can be automatically detected) and that there are corresponding patterns for repair (which can be performed by automatic...

The Challenges of Testing in a Non-Deterministic World

• SEI Blog
Donald Firesmith

Many system and software developers and testers, especially those who have primarily worked in business information systems, assume that systems--even buggy systems--behave in a deterministic manner. In other words, they assume that a system or software application will always behave in exactly the same way when given identical inputs under identical conditions. This assumption, however, is not always true. While this assumption is most often false when dealing with cyber-physical systems, new and even older...
