Vulnerability Analysis
To reduce the security risks posed by software vulnerabilities, we
strive to address both the number of vulnerabilities in software that
is being developed and the number of vulnerabilities in software that
is already deployed. Our vulnerability analysis work is divided into
two areas. Identifying and reducing the number of new vulnerabilities
before the software is deployed is the focus of our vulnerability
discovery effort, while our vulnerability remediation work deals with
existing vulnerabilities in deployed software. We regularly comment on
issues of importance to the vulnerability analysis and security
community through the CERT/CC Blog.
Vulnerability discovery
With vulnerability discovery, we
strive to help engineers understand how vulnerabilities are created
and found. Our goal is that, with this education, engineers will
learn how to detect and eliminate, and eventually avoid,
vulnerabilities in software products before the products are
shipped.
In 2010, the CERT/CC held a workshop with
vulnerability researchers and software vendors to discuss ideas, tools, and
techniques used to find vulnerabilities. We have made available the slides and papers from the
formal talks.
Vulnerability remediation
The unfortunate reality is that many software products are being
shipped with vulnerabilities that attackers may be able to
exploit. Our vulnerability
remediation process involves four basic steps, but we also promote
a comprehensive approach to protecting systems.