search menu icon-carat-right cmu-wordmark

Subject: Vulnerability Analysis

Evaluating Threat-Modeling Methods for Cyber-Physical Systems

Evaluating Threat-Modeling Methods for Cyber-Physical Systems

• SEI Blog
Nataliya Shevchenko

Addressing cybersecurity for а complex system, especially for а cyber-physical system of systems (CPSoS), requires a strategic approach during the entire lifecycle of the system. Examples of CPSoS include rail transport systems, power plants, and integrated air-defense capability. All these systems consist of large physical, cyber-physical, and cyber-only subsystems with complex dynamics. In the first blog post in this series, I summarized 12 available threat-modeling methods (TMMs). In this post, I will identify criteria for...

Read More
Threat Modeling: 12 Available Methods

Threat Modeling: 12 Available Methods

• SEI Blog
Nataliya Shevchenko

Almost all software systems today face a variety of threats, and the number of threats grows as technology changes. Malware that exploits software vulnerabilities grew 151 percent in the second quarter of 2018, and cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. Threats can come from outside or within organizations, and they can have devastating consequences. Attacks can disable systems entirely or lead to the leaking of sensitive information, which would...

Read More
Decision-Making Factors for Selecting Application Security Testing Tools

Decision-Making Factors for Selecting Application Security Testing Tools

• SEI Blog
Thomas Scanlon

In the first post in this series, I presented 10 types of application security testing (AST) tools and discussed when and how to use them. In this post, I will delve into the decision-making factors to consider when selecting an AST tool and present guidance in the form of lists that can easily be referenced as checklists by those responsible for application security testing....

Read More
10 Types of Application Security Testing Tools: When and How to Use Them

10 Types of Application Security Testing Tools: When and How to Use Them

• SEI Blog
Thomas Scanlon

Bugs and weaknesses in software are common: 84 percent of software breaches exploit vulnerabilities at the application layer. The prevalence of software-related problems is a key motivation for using application security testing (AST) tools. With a growing number of application security testing tools available, it can be confusing for information technology (IT) leaders, developers, and engineers to know which tools address which issues. This blog post, the first in a series on application security testing...

Read More
8 At-Risk Emerging Technologies

8 At-Risk Emerging Technologies

• SEI Blog
Dan J. Klinedinst

by Dan KlinedinstVulnerability AnalystCERT Division As the world becomes increasingly interconnected through technology, information security vulnerabilities emerge from the deepening complexity. Unexpected interactions between hardware and software components can magnify the impact of a vulnerability. As technology continues its shift away from the PC-centric environment of the past to a cloud-based, perpetually connected world, it exposes sensitive systems and networks in ways that were never before imagined. The information security community must be prepared to...

Read More
Situational Analysis, Software Architecture, Insider Threat, Threat Modeling, and Honeynets: The Latest Research from the SEI

Situational Analysis, Software Architecture, Insider Threat, Threat Modeling, and Honeynets: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, white papers, webinars, and podcasts. These publications highlight the latest work of SEI technologists in military situational analysis, software architecture, insider threat, honeynets, and threat modeling. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website....

Read More
Vehicle Cybersecurity: The Jeep Hack and Beyond

Vehicle Cybersecurity: The Jeep Hack and Beyond

• SEI Blog
Christopher King

This blog post was co-authored by Dan Klinedinst. Automobiles are often referred to as "computers on wheels" with newer models containing more than 100 million lines of code. All this code provides features such as forward collision warning systems and automatic emergency braking to keep drivers safe. This code offers other benefits such as traffic detection, smartphone integration, and enhanced navigation. These features also introduce an increased risk of compromise, as demonstrated by researchers Chris...

Read More
10 At-Risk Emerging Technologies

10 At-Risk Emerging Technologies

• SEI Blog
Christopher King

In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that may arise from new technologies. Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security identify areas for further study. Researchers in the SEI's CERT Division recently examined the security of a large swath of technology domains being developed in industry and maturing over the next five years. Our team...

Read More
Top 10 CERT/CC Blog Posts on Vulnerabilities and SSL Tools

Top 10 CERT/CC Blog Posts on Vulnerabilities and SSL Tools

• SEI Blog
Greg Shannon

In 2014, approximately 1 billion records of personably identifiable information were compromised as a result of cybersecurity vulnerabilities. In the face of this onslaught of compromises, it is important to examine fundamental insecurities that CERT researchers have identified and that readers of the CERT/CC blog have found compelling. This post, the first in a series highlighting CERT resources available to the public including blogs and notes, focuses on the CERT/CC blog. This blog post highlights...

Read More
Heartbleed: Q&A

Heartbleed: Q&A

• SEI Blog
Will Dormann

The Heartbleed bug, a serious vulnerability in the Open SSL crytographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Socket Layer/Transport Layer Security(SSL/TLS) encryption used to secure the internet. Heartbleed and its aftermath left many questions in its wake: Would the vulnerability have been detected by static analysis tools? If the vulnerability has been in the wild for two years, why did it take so long to...

Read More
Secure Coding to Prevent Vulnerabilities

Secure Coding to Prevent Vulnerabilities

• SEI Blog
Robert Seacord

Software developers produce more than 100 billion lines of code for commercial systems each year. Even with automated testing tools, errors still occur at a rate of one error for every 10,000 lines of code. While many coding standards address code style issues (i.e., style guides), CERT secure coding standards focus on identifying unsafe, unreliable, and insecure coding practices, such as those that resulted in the Heartbleed vulnerability. For more than 10 years, the CERT...

Read More
A New Approach to Cyber Incident Response

A New Approach to Cyber Incident Response

• SEI Blog
Anne Connell

According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact "federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information" has increased by 782 percent--from 5,503 in 2006 to 48,562 in 2012. In that report, GAO also stated that while there has been incremental progress in coordinating the federal response to cyber...

Read More