Entries for month: February 2014

A New Approach to Cyber Incident Response

Critical Infrastructure Protection , Vulnerability Analysis No Comments »

By Anne Connell
Design Team Lead
CERT Cyber Security Solutions Directorate 

This blog post was co-authored by Tim Palko. 

Anne ConnellAccording to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact “federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information” has increased by 782 percent—from 5,503 in 2006 to 48,562 in 2012. In that report, GAO also stated that while there has been incremental progress in coordinating the federal response to cyber incidents, “challenges remain in sharing information among federal agencies and key private sector entities, including critical infrastructure owners.” Progress in this area was hindered by “difficulties in sharing and accessing classified information and the lack of a centralized information-sharing system,” the report stated. This blog post describes a tool that members of the CERT Cyber Security Solutions (CS2) Directorate are developing to provide the various agencies and organizations that respond to cyber incidents a platform by which to share information and forge collaborations.  

Read more...

Data Analytics for Open Source Software Assessment

Emerging Technologies , Open Source Software , Software Quality , Software Assurance No Comments »

By Kate Ambrose Sereno
Technical Analyst
SEI Emerging Technology Center

This post was co-authored by Naomi Anderson

Kate Ambrose-SerenoIn 2012, the White House released its federal digital strategy. What’s noteworthy about this release is that the executive office distributed the strategy using Bootstrap, an open source software (OSS) tool developed by Twitter and made freely available to the public via the code hosting site GitHub. This is not the only evidence that we have seen of increased government interest in OSS adoption. Indeed, the 2013 report The Future of Open Source Software revealed that 34 percent of its respondents were government entities using OSS products. The Carnegie Mellon University Software Engineering Institute (SEI) has seen increased interest and adoption of OSS products across the federal government, including the Department of Defense (DoD), the intelligence community (IC), and the Department of Homeland Security. The catalyst for this increase has been innovators in government seeking creative solutions to rapidly field urgently needed technologies. While the rise of OSS adoption signals a new approach for government acquirers, it is not without risks that that must be acknowledged and addressed, particularly given current certification and accreditation (C&A) techniques. This blog post will discuss research aimed at developing adoptable, evidence-based, data-driven approaches to evaluating (open source) software.

Read more...

Using Quality Attributes as a Means to Improve Acquisition Strategies

Acquisition , Architecture No Comments »

By Lisa Brownsword,
Senior Members of the Technical Staff

Lisa BrownswordAlthough software is increasingly important to the success of government programs, there is often little consideration given to its impact on early key program decisions. The Carnegie Mellon University Software Engineering Institute (SEI) is conducting a multi-phase research initiative aimed at answering the question: is the probability of a program’s success improved through deliberately producing a program acquisition strategy and software architecture that are mutually constrained and aligned? Moreover, can we develop a method that helps government program offices produce such alignment? This blog post, the third in a series on this multi-year research, describes our approach to determining how acquisition quality attributes can be expressed and used to facilitate alignment among the software architecture and acquisition strategy.

Read more...

Provenance Inference in Software

Malware , CERT No Comments »

By Will Casey
Senior Member of the Technical Staff
CERT Division

Will Casey Code clones are implementation patterns transferred from program to program via copy mechanisms including cut-and-paste, copy-and-paste, and code-reuse.  As a software engineering practice there has been significant debate about the value of code cloning. In its most basic form, code cloning may involve a codelet (snippets of code) that undergoes various forms of evolution, such as slight modification in response to problems.  Software reuse quickens the production cycle for augmented functions and data structures. So, if a programmer copies a codelet from one file into another with slight augmentations, a new clone has been created stemming from a founder codelet.  Events like these constitute the provenance or historical record of all events affecting a codelet object. This blog posting describes exploratory research that aims to understand the evolution of source and machine code and, eventually, create a model that can recover relationships between codes, files, or executable formats where the provenance is not known.

Read more...