When security is built into software from the ground up, software is more resistant to attacks. Organizations that have focused on security in the early stages have seen major reductions in operational vulnerabilities, resulting in reductions in software patching. Our research from one case study showed that the cost to fix requirement problems identified later in the project cost close to $2.5 million; the cost to fix these problems early in the life cycle was $500,000.

The CERT Cyber Security Engineering (CSE) team focuses on research and education to help software and systems acquirers, managers, developers, and operators address security and survivability throughout the development and acquisition life cycles—especially in the early stages. The team has created methods and solutions that can be integrated into existing practices.

The CSE team also provides resources for the Build Security In (BSI) website, which it manages for the Department of Homeland Security. BSI was noted in Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program (pdf), released in December 2011 from the Executive Office of the U.S. President.

February 16, 2012

New Insider Threat Blog Entry
The entry "Insiders and Organized Crime" has been posted.

February 14, 2012

The CERT Guide to Insider Threats Book Published
This book describes the CERT Insider Threat Center's practical findings on insider cyber crimes, as well as guidance and countermeasures for organizations.

February 14, 2012

Risk-Based Measurement and Analysis: Application to Software Security Technical Note Released
This technical note presents the foundations of a risk-based software security measurement and analysis method.

more announcements

headlines