By David Mundie
Senior Member of the Technical Staff
CSIRT Development Team
engineering involves the manipulation of individuals to get them to unwittingly perform actions that cause harm or increase the probability of causing future harm, which we call "unintentional insider threat." This blog post highlights recent research that aims to add to the body of knowledge about the factors that lead to unintentional insider threat (UIT) and about how organizations in industry and government can protect themselves. This research is part of an ongoing body of work on social engineering and UIT conducted by the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute.
By Anne Connell
Design Team Lead
CERT Cyber Security Solutions Directorate
This blog post was co-authored by Barbora Batokova and Todd Waits.
The source of a recent Target security breach that allowed intruders to gain access to more than 40 million credit and debit cards of customers between Nov. 27 and Dec. 14, 2013, has been traced to a heating, ventilation, and air conditioning (HVAC) service subcontractor in Sharpsburg, Pa., just outside of Pittsburgh, according to a Feb. 5 post on a Wall Street Journal blog. The post stated that the intruders were able to gain access to Target's system after stealing login credentials from one of Target's HVAC subcontractors, who had been given remote access. This breach demonstrates how any vulnerability in a critical information system can be exploited to disrupt or harm the normal operation of any commercial or industrial sector. In this blog post, we will present a tool we have developed that increases a security incident responder's ability to assess risk and identify the appropriate incident response plan for critical information systems.
By C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate
This blog post is the first in a series on DevOps.
At Flickr, the video- and photo-sharing website, the live software platform is updated at least 10 times a day. Flickr accomplishes this through an automated testing cycle that includes comprehensive unit testing and integration testing at all levels of the software stack in a realistic staging environment. If the code passes, it is then tagged, released, built, and pushed into production. This type of lean organization, where software is delivered on a continuous basis, is exactly what the agile founders envisioned when crafting their manifesto: a nimble, streamlined process for developing and deploying software into the hands of users while continuously integrating feedback and new requirements. A key to Flickr's prolific deployment is DevOps, a software development concept that literally and figuratively blends development and operations staff and tools in response to the increasing need for interoperability. This blog post, the first in a series, introduces DevOps and explores its impact from an internal perspective on our own software development practices and through the lens of its impact on the software community at large.
By Lori Flynn
Member of the Technical Staff
CERT Secure Coding team
Although the CERT Secure Coding team has developed secure coding rules and guidelines for Java, prior to 2013 we had not developed a set of secure coding rules that were specific to Java’s application in the Android platform. Android is an important area to focus on, given its mobile device market dominance (82 percent of worldwide market share in the third quarter of 2013) as well as the adoption of Android by the Department of Defense.
This blog post, the first in a series, discusses the initial development of our Android rules and guidelines. This initial development included mapping our existing Java secure coding rules and guidelines to Android applicability and also the creation of new Android-only rules for Java secure coding.
By Douglas C. Schmidt
The Better Buying Power 2.0 initiative is a concerted effort by the United States Department of Defense to achieve greater efficiencies in the development, sustainment, and recompetition of major defense acquisition programs through cost control, elimination of unproductive processes and bureaucracy, and promotion of open competition. This SEI blog posting describes how the Navy is operationalizing Better Buying Power in the context of their Open Systems Architecture and Business Innovation initiatives. This posting also presents the results from a recent online war game that underscore the importance of automated testing in these initiatives to help avoid common traps and pitfalls of earlier cost