CERT-SEI

Developers

If you're a developer, it's important to know how to keep your organization's cyber environment protected from malicious intruders. We have many resources to help you do just that. Ask yourself the following key questions and read on.

Read our FAQ or contact us if you have questions about our work.

Do You Know the Latest Methods for Gathering Unstated Requirements?

SEI researchers will present a tutorial at the 22nd IEEE International Requirements Engineering Conference (RE'14) to describe KJ+, a method for determining the unstated needs of varied stakeholders.

Do You Have the Latest Information about Heartbleed?

Read our take on Heartbleed, and listen to technical staff from the SEI and Codenomicon discuss the impact of the Heartbleed bug.

Are You Addressing Security in Software Development?

Our research addresses security and survivability throughout the development and acquisition lifecycles.

Complexity Modeling and Analysis
The Software Assurance Modeling Framework provides a way to model aspects of the assurance ecosystem, such as security, and examine the gaps, barriers, and incentives that affect how you form, adopt, and use assurance solutions.

Software Security Assurance Measurement and Analysis
The goal of this research is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex, software-reliant systems across the lifecycle and supply chain.

Supply Chain Assurance
This research can help acquirers by describing an approach to assure the security of supply chains.

Survivability Analysis Framework
The SAF is a structured view of technology, people, and activities that helps organizations characterize the complexity of multi-system and multi-organizational business processes.

SQUARE
Security Quality Requirements Engineering (SQUARE) is a nine-step process that helps organizations build security, including privacy, into the early stages of the production lifecycle.

Software Security Engineering: A Guide for Project Managers
In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.

Are There Vulnerabilities in Your Software?

Our researchers help engineers detect, eliminate, and avoid creating vulnerabilities in software in multiple ways, including identifying insecure coding practices and developing secure alternatives that software developers can use to take practical steps to reduce or eliminate vulnerabilities before deployment.

Secure Coding Standards Research and Development
We coordinate the development of secure coding standards by security researchers, language experts, and software developers using a wiki-based community process.

Vulnerability Notes Database
The Vulnerability Notes Database provides timely information about software vulnerabilities.

Secure Coding Research
Our researchers investigate how to avoid security problems and incorporate good coding practices looking at different coding topics, including thread usage, buffer overflow, the use of pointers, integer overflow, and more.

Blogging Researchers
Our researchers regularly contribute to the CERT/CC and SEI blogs to discuss vulnerability discovery, analysis, and disclosure. The team also presents techniques for managing and mitigating vulnerabilities. Team members discuss current research in these areas and in the field of secure coding.

Are Your Networks As Secure as They Need to Be?

We develop cutting-edge network analysis techniques and tools for operational use in high-impact environments so that organizations are better able to defend their networks from potential attacks. 

FloCon Conferences
We sponsor FloCon, open conferences where operational network analysts, tool developers, researchers, and other parties interested in the analysis of large volumes of traffic showcase the next generation of flow-based analysis techniques. FloCon 2015 takes pace in Portland in January, 2015. Registration is open, and we are also accepting abstracts for presentations, posters, and demonstrations that support this year's conference theme, Formalizing the Art."

NetSA Research
Our researchers are working in the following areas: Scalable Intrusion Detection, Anomaly Detection, Network Profiling, Incident Handling, Advanced Persistent Threat / Intrusion Set Studies, Closed Network Defense, Indicator Expansion, Sophisticated Malware Detection, Metrics and Measurement, Network Defense Architecture and Engineering, Network Security Testbeds, and Network Security Prototyping.

Are You Aware of Insider Threats?

Our work in insider threat enables effective insider threat programs by performing research, modeling, analysis, and outreach to define socio-technical best practices so that organizations are better able to deter, detect, and respond to evolving insider threats. Learn more about insider threats on our related work area pages and through the Cybersecurity Watch Survey. We can evaluate your organization and conduct a confidential insider threat vulnerability assessment.

How Can You Contribute to Your Organization's Resilience?

Our work in resilience creates tools, techniques, and methods that help organizations manage operational risk and improve operational resilience.

CERT-RMM Products and Services
You can contribute to your organization's resilience by using CERT-RMM products and services.

CERT-RMM Users Group Workshop Series
This workshop series shows you how to work with industry and government experts and other industry-leading organizations to manage operational risk.

Develop Secure Code

SCALe
The SCALe conformance process consists of commercial, open source, and experimental analysis that is used to analyze various code bases to perform conformance testing against CERT secure coding standards.

Secure Coding Standards
These rules and recommendations help you to develop (and evaluate) secure, safe, and reliable software.

Secure Coding in C and C++
This course provides practical advice on secure practices in C and C++ programming, provides a detailed explanation of common programming errors in C and C++, and describes how these errors can lead to code that is vulnerable to exploitation.

Build Security into Your Software Projects

SQUARE
This method enables your organization to develop more secure, survivable software and systems, realize more predictable schedules and costs, and achieve lower costs.

Security Requirements Engineering Using the SQUARE Method
This course teaches you an overview of security requirements engineering and the SQUARE methodology, including going through the SQUARE steps in detail.

Security Assurance Methods in Support of Cyber Security
This workshop focuses on four critical software assurance areas: security requirements, software supply chain assurance, mission thread analysis, and measurement. It exposes you to concepts and resources available to use for addressing software security assurance across the acquisition and development lifecycles.

Cybersecurity Engineering Consulting Services
We can help you to identify strategies for focusing on security in the early stages of the development and acquisition lifecycles.

Information Security for Technical Staff
This course teaches you practical techniques for protecting the security of your organization's information assets and resources, beginning with concepts and proceeding on to technical implementations.

Use Our Tools

Discover and Mitigate Existing Vulnerabilities

Our researchers have created vulnerability analysis and secure coding tools and techniques to help engineers detect, eliminate, and avoid creating vulnerabilities in software.

Monitor Your Networks

Our researchers have developed cutting-edge network analysis techniques and tools for operational use in high-impact environments so that organizations are better able to defend their networks from potential attacks.

Improve Your Forensics Investigations

Our researchers have created technologies, capabilities, and practices organizations can use to develop incident response capabilities and facilitate incident investigations. Visit our tools repository and contact us if you have any questions.

Ensure that Your Code Follows Secure Coding Standards

These tools help you to improve the security of your code:

DidFail
DidFail uses static analysis to detect potential leaks of sensitive information within a set of Android apps.

Rosecheckers
The Rosecheckers tool performs static analysis on C/C++ source files. It is designed to enforce the rules in the CERT C Coding standard. Rosecheckers finds some C coding errors that other static analysis tools do not.

Secure Coding Validation Suite
The Secure Coding Validation Suite is a set of tests that validate the rules defined in ISO Technical Specification 17961.

Clang Thread Safety Analysis
Clang Thread Safety Analysis is a tool that uses annotations to declare and enforce thread safety policies in C and C++ programs.

Compiler-Enforced Buffer Overflow Elimination
Compiler-Enforced Buffer Overflow Elimination is a tool that prevents buffer overflows in multithreaded code and has additional features not found in other memory safety mechanisms.

AIR Integer Model
The as-if infinitely ranged (AIR) integer model provides a mostly-automated mechanism for eliminating integer overflow, truncation, and other integer-related exception-creating conditions.

Dranzer
Dranzer discovers certain classes of vulnerabilities in Microsoft Windows ActiveX controls.

Basic Fuzzing Framework (BFF)
Basic Fuzzing Framework (BFF) is a mutational file fuzz testing tool that consists of a Debian Linux virtual machine, the zzuf fuzzer, and a few associated scripts. A version of the BFF that runs natively on Mac OS X is also available.

Failure Observation Engine (FOE)
Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in applications that run on the Windows platform.

CERT Triage Tools
CERT Triage Tools classify Linux application defects by severity. These Tools assist software vendors and analysts in identifying the impact of defects discovered through techniques such as fuzz testing.

Take a Course to Improve Your Development

Introduction to the CERT Resilience Management Model
This three-day course introduces a model-based process improvement approach to managing operational resilience using the CERT Resilience Management Model (CERT-RMM) V1.1.

CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series
This training presents tools, techniques, and methods to enable organizations to improve their security and business continuity activities by focusing on actively managing operational resilience.

CERT Resilience Management Model Appraisal Boot Camp
This two-day course provides an overview of the CERT-RMM Capability Appraisal Method, which addresses the application of the Standard CMMI Appraisal Method for Process Improvement (SCAMPI) for the CERT Resilience Management Model (CERT-RMM) V1.1.

Security Requirements Engineering Using the SQUARE Method
In this workshop we will present an overview of security requirements engineering and the SQUARE methodology.

Malware Analysis Apprenticeship
This five-day, hands-on course provides participants with an opportunity to learn best practices for analyzing malicious code.

Advanced Forensic Response and Analysis
This course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis.

Software Assurance Methods in Support of Cyber Security
This workshop is focused on four critical software assurance areas: security requirements, software supply chain assurance, mission thread analysis, and measurement.

Secure Coding in C and C++
This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation.

Applied Cybersecurity, Incident Response, and Forensics
This five-day, hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience.

Information Security for Technical Staff
This five-day course is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, beginning with concepts and proceeding on to technical implementations. The courses focuses on understanding and applying the concept of survivability through the effective management of risk, threats, policy, system configuration, availability, and personnel.

Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This three-day course begins with a brief review of the conceptual foundations of information security. Next, students will be introduced to the CERT Defense-in-Depth Framework: eight operationally focused and interdependent management components that will be synergistically applied to a fictitious organization's Information Technology (IT) enterprise.

Read About the Latest Vulnerabilities and Mitigations

Vulnerability Notes Database
The Vulnerability Notes Database provides timely information about software vulnerabilities.

CERT/CC Blog
Our team members regularly contribute to the CERT/CC blog to discuss vulnerability discovery, analysis, and disclosure. The team also presents techniques for managing and mitigating vulnerabilities. Team members discuss current research in these areas and in the field of secure coding.

SEI Blog
Our team members also contribute to the SEI blog to discuss a variety of topics that relate to security, software development, and more.

Report a Vulnerability

We accept reports of security vulnerabilities and serve as a coordinating body that works with affected vendors to resolve vulnerabilities. Report a vulnerability or contact us if you have questions about vulnerabilities.

Request a Workshop

Request a one- or two-day workshop that covers the SQUARE methodology.

Collaborate with Us

  • share what secure coding approaches have worked for you
  • contribute to the development of coding standards for Ada, C#, Fortran, Python, JavaScript, and SPARK
  • volunteer to contribute to our proof-of-concept prototype designed to identify and eliminate thread usage errors
  • pilot the Software Assurance Modeling Framework

Contact Us About Specific Tools, Services, or Events