By Lori Flynn
Member of the Technical Staff
CERT Secure Coding team
Although the CERT Secure Coding team has developed secure coding rules and guidelines for Java, prior to 2013 we had not developed a set of secure coding rules that were specific to Java’s application in the Android platform. Android is an important area to focus on, given its mobile device market dominance (82 percent of worldwide market share in the third quarter of 2013) as well as the adoption of Android by the Department of Defense.
This blog post, the first in a series, discusses the initial development of our Android rules and guidelines. This initial development included mapping our existing Java secure coding rules and guidelines to Android applicability and also the creation of new Android-only rules for Java secure coding.
By Douglas C. Schmidt
The Better Buying Power 2.0 initiative is a concerted effort by the United States Department of Defense to achieve greater efficiencies in the development, sustainment, and recompetition of major defense acquisition programs through cost control, elimination of unproductive processes and bureaucracy, and promotion of open competition. This SEI blog posting describes how the Navy is operationalizing Better Buying Power in the context of their Open Systems Architecture and Business Innovation initiatives. This posting also presents the results from a recent online war game that underscore the importance of automated testing in these initiatives to help avoid common traps and pitfalls of earlier cost
By Anne Connell
Design Team Lead
CERT Cyber Security Solutions Directorate
This blog post was co-authored by Tim Palko.
According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact “federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information” has increased by 782 percent—from 5,503 in 2006 to 48,562 in 2012. In that report, GAO also stated that while there has been incremental progress in coordinating the federal response to cyber incidents, “challenges remain in sharing information among federal agencies and key private sector entities, including critical infrastructure owners.” Progress in this area was hindered by “difficulties in sharing and accessing classified information and the lack of a centralized information-sharing system,” the report stated. This blog post describes a tool that members of the CERT Cyber Security Solutions (CS2) Directorate are developing to provide the various agencies and organizations that respond to cyber incidents a platform by which to share information and
By Kate Ambrose Sereno
SEI Emerging Technology Center
This post was co-authored by Naomi Anderson
In 2012, the White House released its federal digital strategy. What’s noteworthy about this release is that the executive office distributed the strategy using Bootstrap, an open source software (OSS) tool developed by Twitter and made freely available to the public via the code hosting site GitHub. This is not the only evidence that we have seen of increased government interest in OSS adoption. Indeed, the 2013 report The Future of Open Source Software revealed that 34 percent of its respondents were government entities using OSS products. The Carnegie Mellon University Software Engineering Institute (SEI) has seen increased interest and adoption of OSS products across the federal government, including the Department of Defense (DoD), the intelligence community (IC), and the Department of Homeland Security. The catalyst for this increase has been innovators in government seeking creative solutions to rapidly field urgently needed technologies. While the rise of OSS adoption signals a new approach for government acquirers, it is not without risks that must be acknowledged and addressed, particularly given current certification and accreditation (C&A) techniques. This blog post will discuss research aimed at developing adoptable, evidence-based, data-driven approaches to evaluating (open source) software.
By Lisa Brownsword,
Senior Members of the Technical Staff
software is increasingly important to the success of government programs, there is often little consideration given to its impact on early key program decisions. The Carnegie Mellon University Software Engineering Institute (SEI) is conducting a multi-phase research initiative aimed at answering the question: is the probability of a program’s success improved through deliberately producing a program acquisition strategy and software architecture that are mutually constrained and aligned? Moreover, can we develop a method that helps government program offices produce such alignment? This blog post, the third in a series on this multi-year research, describes our approach to determining how acquisition quality attributes can be expressed and used to facilitate alignment between the software architecture and the acquisition strategy.