By Douglas C. Schmidt
As part of an ongoing effort to keep you informed about our latest work,
I'd like to let you know about some recently published SEI technical
reports and notes. These reports highlight the latest work of SEI
technologists in information assurance and agile, the Team Software Process (TSP), CERT secure coding standards, resource allocation, fuzzing, cloud computing interoperability, and cloud computing at the tactical edge.
This post includes a listing of each report, author(s), and links where
the published reports can be accessed on the SEI website.
By Linda Parker Gates
Senior Member of the Technical Staff
Acquisition Support Program
Improvement efforts should be driven by business needs, not by the
content of improvement models. While improvement models, such as the Capability Maturity Model Integration (CMMI) or the Baldrige Criteria for Performance Excellence,
provide excellent guidance and best practice standards, the way in
which those models are implemented must be guided by the same drivers
that influence any other business decision. Business drivers are the
collection of people, information, and conditions that initiate and
support activities that help an organization accomplish its mission.
These drivers should be the guiding force behind performance improvement
because they represent key factors or influences that matter to an
organization’s success. But how do we identify these drivers? This blog
posting, the latest in a continuing series on the SEI’s work on strategic planning,
describes how we are using integrated strategic planning and the
associated information framework to derive the most vital business
drivers for performance improvement.
By David French
Senior Malware Researcher
In previous blog posts,
I have written about applying similarity measures to malicious code to
identify related files and reduce analysis expense. Another way to
observe similarity in malicious code is to leverage analyst insights by
identifying files that possess some property in common with a particular
file of interest. One way to do this is by using YARA,
an open-source project that helps researchers identify and classify
malware. YARA has gained enormous popularity in recent years as a way
for malware researchers and network defenders to communicate their
knowledge about malicious files, from identifiers for specific families
to signatures capturing common tools, techniques, and procedures (TTPs).
This blog post provides guidelines for using YARA effectively, focusing
on selection of objective criteria derived from malware, the type of
criteria most useful in identifying related malware (including strings,
resources, and functions), and guidelines for creating YARA signatures
using these criteria.
By David Keaton
Senior Member of the Technical Staff
CERT Secure Coding Team
By analyzing vulnerability reports for the C, C++, Perl, and Java programming languages, the CERT Secure Coding Team
observed that a relatively small number of programming errors leads to
most vulnerabilities. Our research focuses on identifying insecure
coding practices and developing secure alternatives that software
programmers can use to reduce or eliminate vulnerabilities before
software is deployed. In a previous post, I described our work to identify vulnerabilities that informed the revision of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard for the C programming language. The CERT Secure Coding Team has also been working on the CERT C Secure Coding Standard,
which contains a set of rules and guidelines to help developers code
securely. This posting describes our latest set of rules and
recommendations, which aims to help developers avoid undefined and/or
unexpected behavior in deployed code.