Entries for month: November 2012

The Latest Research from the SEI

Agile , Cloud Computing , Secure Coding , Software Assurance , Team Software Process (TSP) No Comments »

By Douglas C. Schmidt
Principal Researcher

Douglas C. Schmidt As part of an ongoing effort to keep you informed about our latest work, I'd like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in information assurance and agile, the Team Software Process (TSP), CERT secure coding standards, resource allocation, fuzzing, cloud computing interoperability, and cloud computing at the tactical edge. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

Read more...

Strategic Planning: Developing Business Drivers for Performance Improvement

Acquisition , Strategic Planning No Comments »

By Linda Parker Gates
Senior Member of the Technical Staff
Acquisition Support Program

Linda Parker GatesOrganizational improvement efforts should be driven by business needs, not by the content of improvement models.  While improvement models, such as the Capability Maturity Model Integration (CMMI) or the Baldrige Criteria for Performance Excellence, provide excellent guidance and best practice standards, the way in which those models are implemented must be guided by the same drivers that influence any other business decision.  Business drivers are the collection of people, information, and conditions that initiate and support activities that help an organization accomplish its mission. These drivers should be the guiding force behind performance improvement because they represent key factors or influences that matter to an organization’s success.  But how do we identify these drivers? This blog posting, the latest in a continuing series on the SEI’s work on strategic planning, describes how we are using integrated strategic planning and the associated information framework to derive the most vital business drivers for performance improvement. 

Read more...

Writing Effective YARA Signatures to Identify Malware

Malware , CERT 3 Comments »

By David French
Senior Malware Researcher
CERT

David FrenchIn previous blog posts, I have written about applying similarity measures to malicious code to identify related files and reduce analysis expense. Another way to observe similarity in malicious code is to leverage analyst insights by identifying files that possess some property in common with a particular file of interest. One way to do this is by using YARA, an open-source project that helps researchers identify and classify malware. YARA has gained enormous popularity in recent years as a way for malware researchers and network defenders to communicate their knowledge about malicious files, from identifiers for specific families to signatures capturing common tools, techniques, and procedures (TTPs). This blog post provides guidelines for using YARA effectively, focusing on selection of objective criteria derived from malware, the type of criteria most useful in identifying related malware (including strings, resources, and functions), and guidelines for creating YARA signatures using these criteria.

Read more...

Helping Developers Address Security with the CERT C Secure Coding Standard

Secure Coding , CERT 2 Comments »

By David Keaton,
Senior Member of the Technical Staff
CERT Secure Coding Team

David Keaton By analyzing vulnerability reports for the C, C++, Perl, and Java programming languages, the CERT Secure Coding Team observed that a relatively small number of programming errors leads to most vulnerabilities. Our research focuses on identifying insecure coding practices and developing secure alternatives that software programmers can use to reduce or eliminate vulnerabilities before software is deployed. In a previous post, I described our work to identify vulnerabilities that informed the revision of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard for the C programming language. The CERT Secure Coding Team has also been working on the CERT C Secure Coding Standard, which contains a set of rules and guidelines to help developers code securely. This posting describes our latest set of rules and recommendations, which aims to help developers avoid undefined and/or unexpected behavior in deployed code. 

Read more...