When security is built into software from the ground up, software is more resistant to attacks. Organizations that have focused on security in the early stages have seen major reductions in operational vulnerabilities, resulting in reductions in software patching. Our research from one case study showed that the cost to fix requirement problems identified later in the project cost close to $2.5 million; the cost to fix these problems early in the life cycle was $500,000.

The CERT Cyber Security Engineering (CSE) team focuses on research and education to help software and systems acquirers, managers, developers, and operators address security and survivability throughout the development and acquisition life cycles—especially in the early stages. The team has created methods and solutions that can be integrated into existing practices.

The CSE team also provides resources for the Build Security In (BSI) website, which it manages for the Department of Homeland Security. BSI was noted in Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program (pdf), released in December 2011 from the Executive Office of the U.S. President.

May 3, 2012

Report on Monitoring for Insider Theft of Intellectual Property Released
This report presents a way organizations can mitigate the risk of theft of intellectual property by departing insiders.

May 2, 2012

Source Code Analysis Laboratory (SCALe) Technical Note Released
This technical note describes SCALe, a demonstration process for testing software for conformance against secure coding standards.

May 1, 2012

Insider Threat Security Reference Architecture Technical Report Released
This report describes the Insider Threat Security Reference Architecture (ITSRA), an enterprise-wide solution to the threat organizations face from their own insiders.

more announcements

headlines