search menu icon-carat-right cmu-wordmark

Subject: Security-Related Requirements

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

• SEI Blog
David Svoboda

The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT). High-end automobiles today have more than 100 million lines of code, and connectivity between cars and the outside world through, for example, infotainment systems and the Global Positioning System (GPS) expose a number of interfaces that can be attacked to communicate with an automobile in unintended and...

Read More
Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

• SEI Blog
David Svoboda

The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity. Printers in secure facilities have been used to exfiltrate data from the systems to which they were connected, and even a thermometer in a casino's fish tank was used to gain access to the casino's infrastructure and extract data about customers, gamblers, etc. In this blog...

Read More
Evaluating Threat-Modeling Methods for Cyber-Physical Systems

Evaluating Threat-Modeling Methods for Cyber-Physical Systems

• SEI Blog
Nataliya Shevchenko

Addressing cybersecurity for а complex system, especially for а cyber-physical system of systems (CPSoS), requires a strategic approach during the entire lifecycle of the system. Examples of CPSoS include rail transport systems, power plants, and integrated air-defense capability. All these systems consist of large physical, cyber-physical, and cyber-only subsystems with complex dynamics. In the first blog post in this series, I summarized 12 available threat-modeling methods (TMMs). In this post, I will identify criteria for...

Read More
Threat Modeling: 12 Available Methods

Threat Modeling: 12 Available Methods

• SEI Blog
Nataliya Shevchenko

Almost all software systems today face a variety of threats, and the number of threats grows as technology changes. Malware that exploits software vulnerabilities grew 151 percent in the second quarter of 2018, and cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. Threats can come from outside or within organizations, and they can have devastating consequences. Attacks can disable systems entirely or lead to the leaking of sensitive information, which would...

Read More
Decision-Making Factors for Selecting Application Security Testing Tools

Decision-Making Factors for Selecting Application Security Testing Tools

• SEI Blog
Thomas Scanlon

In the first post in this series, I presented 10 types of application security testing (AST) tools and discussed when and how to use them. In this post, I will delve into the decision-making factors to consider when selecting an AST tool and present guidance in the form of lists that can easily be referenced as checklists by those responsible for application security testing....

Read More
IPv6 Adoption: 4 Questions and Answers

IPv6 Adoption: 4 Questions and Answers

• SEI Blog
Joseph Mayes

IPv6 deployment is on the rise. Google reported that as of July 14 2018, 23.94 percent of users accessed its site via IPv6, up 6.16 percent from that same date in 2017. Drafted in 1998 and an Internet Standard as of July 2017, Internet Protocol 6 (IPv6) is intended to replace IPv4 in assigning devices on the internet a unique identity. Plans for IPv6 got underway after it was realized that IPv4's cap of 4.3...

Read More
10 Types of Application Security Testing Tools: When and How to Use Them

10 Types of Application Security Testing Tools: When and How to Use Them

• SEI Blog
Thomas Scanlon

Bugs and weaknesses in software are common: 84 percent of software breaches exploit vulnerabilities at the application layer. The prevalence of software-related problems is a key motivation for using application security testing (AST) tools. With a growing number of application security testing tools available, it can be confusing for information technology (IT) leaders, developers, and engineers to know which tools address which issues. This blog post, the first in a series on application security testing...

Read More
The Need to Specify Requirements for Off-Nominal Behavior

The Need to Specify Requirements for Off-Nominal Behavior

• SEI Blog
Donald Firesmith

In our work with acquisition programs, we've often observed a major problem: requirements specifications that are incomplete, with many functional requirements missing. Whereas requirements specifications typically specify normal system behavior, they are often woefully incomplete when it comes to off-nominal behavior, which deals with abnormal events and situations the system must detect and how the system must react when it detects that these events have occurred or situations exist. Thus, although requirements typically specify how...

Read More
Obstacles in Engineering Safety- and Security-Related Requirements, Second in a Three-Part Series

Obstacles in Engineering Safety- and Security-Related Requirements, Second in a Three-Part Series

• SEI Blog
Donald Firesmith

Background: In our research and acquisition work on commercial and Department of Defense (DoD) programs, ranging from relatively simple two-tier data-processing applications to large-scale multi-tier weapons systems, one of the primary problems that we see repeatedly is that acquisitionand development organizations encounter the following three obstacles concerning safety- and security-related requirements:...

Read More