Secure Coding for the Android Platform

Android, Java, Secure Coding

By Lori Flynn
Member of the Technical Staff
CERT Secure Coding team

Although the CERT Secure Coding team has developed secure coding rules and guidelines for Java, prior to 2013 we had not developed a set of secure coding rules that were specific to Java’s application in the Android platform. Android is an important area to focus on, given its mobile device market dominance (82 percent of worldwide market share in the third quarter of 2013) as well as the adoption of Android by the Department of Defense. This blog post, the first in a series, discusses the initial development of our Android rules and guidelines. This initial development included mapping our existing Java secure coding rules and guidelines to Android applicability and also the creation of new Android-only rules for Java secure coding.


The Importance of Automated Testing in Open Systems Architecture Initiatives

Automated Testing, Common Operating Platform Environments (COPEs), Open Systems Architectures

By Douglas C. Schmidt
Principal Researcher

The Better Buying Power 2.0 initiative is a concerted effort by the United States Department of Defense to achieve greater efficiencies in the development, sustainment, and recompetition of major defense acquisition programs through cost control, elimination of unproductive processes and bureaucracy, and promotion of open competition. This SEI blog posting describes how the Navy is operationalizing Better Buying Power in the context of their Open Systems Architecture and Business Innovation initiatives. This posting also presents the results from a recent online war game that underscore the importance of automated testing in these initiatives to help avoid common traps and pitfalls of earlier cost containment measures.


A New Approach to Cyber Incident Response

Critical Infrastructure Protection, Vulnerability Analysis

By Anne Connell
Design Team Lead
CERT Cyber Security Solutions Directorate

This blog post was co-authored by Tim Palko.

According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact “federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information” has increased by 782 percent—from 5,503 in 2006 to 48,562 in 2012. In that report, GAO also stated that while there has been incremental progress in coordinating the federal response to cyber incidents, “challenges remain in sharing information among federal agencies and key private sector entities, including critical infrastructure owners.” Progress in this area was hindered by “difficulties in sharing and accessing classified information and the lack of a centralized information-sharing system,” the report stated. This blog post describes a tool that members of the CERT Cyber Security Solutions (CS2) Directorate are developing to provide the various agencies and organizations that respond to cyber incidents a platform by which to share information and forge collaborations.


Data Analytics for Open Source Software Assessment

Emerging Technologies, Open Source Software, Software Assurance, Software Quality

By Kate Ambrose Sereno
Technical Analyst
SEI Emerging Technology Center

This post was co-authored by Naomi Anderson.

In 2012, the White House released its federal digital strategy. What’s noteworthy about this release is that the executive office distributed the strategy using Bootstrap, an open source software (OSS) tool developed by Twitter and made freely available to the public via the code hosting site GitHub. This is not the only evidence that we have seen of increased government interest in OSS adoption. Indeed, the 2013 report The Future of Open Source Software revealed that 34 percent of its respondents were government entities using OSS products. The Carnegie Mellon University Software Engineering Institute (SEI) has seen increased interest and adoption of OSS products across the federal government, including the Department of Defense (DoD), the intelligence community (IC), and the Department of Homeland Security. The catalyst for this increase has been innovators in government seeking creative solutions to rapidly field urgently needed technologies. While the rise of OSS adoption signals a new approach for government acquirers, it is not without risks that must be acknowledged and addressed, particularly given current certification and accreditation (C&A) techniques. This blog post will discuss research aimed at developing adoptable, evidence-based, data-driven approaches to evaluating (open source) software.


Using Quality Attributes as a Means to Improve Acquisition Strategies

Acquisition, Architecture

By Lisa Brownsword
Senior Member of the Technical Staff

Although software is increasingly important to the success of government programs, there is often little consideration given to its impact on early key program decisions. The Carnegie Mellon University Software Engineering Institute (SEI) is conducting a multi-phase research initiative aimed at answering the question: is the probability of a program’s success improved through deliberately producing a program acquisition strategy and software architecture that are mutually constrained and aligned? Moreover, can we develop a method that helps government program offices produce such alignment? This blog post, the third in a series on this multi-year research, describes our approach to determining how acquisition quality attributes can be expressed and used to facilitate alignment between the software architecture and the acquisition strategy.
