Vulnerability Analysis
To reduce the security risks posed by software vulnerabilities, we
strive to address both the number of vulnerabilities in software that
is being developed and the number of vulnerabilities in software that
is already deployed. Our vulnerability analysis work is divided into
two areas. Identifying and reducing the number of new vulnerabilities
before the software is deployed is the focus of our vulnerability
discovery effort, while our vulnerability remediation work deals with
existing vulnerabilities in deployed software. We regularly comment on
issues of importance to the vulnerability analysis and security
community through the CERT/CC Blog.
Vulnerability discovery
With vulnerability discovery, we
strive to help engineers understand how vulnerabilities are created
and discovered. Our goal is that with this education, engineers will
learn how to detect and eliminate, and eventually
avoid, vulnerabilities in software products before the products
are shipped.
On February 1, 2010, CERT held a workshop with vulnerability researchers and software vendors to discuss ideas, tools, and techniques used to find vulnerabilities.
Vulnerability remediation
The unfortunate reality is that many software products are being
shipped with vulnerabilities that attackers may be able to
exploit. Our vulnerability
remediation process involves four basic steps, but we also promote
a comprehensive approach to protecting systems.