Establishing Trust in the Wireless Emergency Alerts Service

Handheld Devices , Wireless Emergency Alerts No Comments »

By Carol Woody 
Technical Manager 
Cybersecurity Engineering 

This blog post was co-authored by Robert Ellison.

Carol Woody The Wireless Emergency Alerts (WEA) service went online in April 2012, giving emergency management agencies such as the National Weather Service or a city’s hazardous materials team  a way to send messages to mobile phone users located in a geographic area in the event of an emergency. Since the launch of the WEA service, the newest addition to the Federal Emergency Management Agency (FEMA) Integrated Public Alert and Warning System (IPAWS),“trust” has emerged as a key issue for all involved. Alert originators at emergency management agencies must trust WEA to deliver alerts to the public in an accurate and timely manner. The public must also trust the WEA service before it will act on the alerts. Managing trust in WEA is a responsibility shared among many stakeholders who are engaged with WEA. This blog post, the first in a series, highlights recent research aimed at enhancing both the trust of alert originators in the WEA service and the public’s trust in the alerts it receives. 

Read more...

A Generalized Model for Automated DevOps

DevOps 2 Comments »

By C. Aaron Cois
Software Engineering Team Lead 
CERT Cyber Security Solutions Directorate 

This blog post is the second in a series on DevOps

C. Aaron Cois To maintain a competitive edge, software organizations should be early adopters of innovation. To achieve this edge, organizations from Flickr and IBM to small tech startups are increasingly adopting an environment of deep collaboration between development and operations (DevOps) teams and technologies, which historically have been two disjointed groups responsible for information technology development. “The value of DevOps can be illustrated as an innovation and delivery lifecycle, with a continuous feedback loop to learn and respond to customer needs,” Ashok Reddy writes in the technical white paper, DevOps: The IBM approach. Beyond innovation and delivery, DevOps provides a means for automating repetitive tasks within the software development lifecycle (SDLC), such as software builds, testing, and deployments, allowing them to occur more naturally and frequently throughout the SDLC. This blog post, the second in our series, presents a generalized model for automated DevOps and describes the significant potential advantages for a modern software development team. 

Read more...

The Latest Research from the SEI

Acquisition , Insider Threat No Comments »

By Douglas C. Schmidt
Principal Researcher


Douglas C. Schmidt As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in cybersecurity risks,software assuranceadvanced persistent threatinternational insider threat,Wireless Emergency Alerts Servicesecurity and survivability, and acquisition

This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website. 

Read more...

Needed: Improved Collaboration Between Software and Systems Engineering

Systems Engineering 11 Comments »

By Sarah A. Sheard
Senior Engineer
Software Solutions Division
This post is the first in a series on this topic

Sarah SheardThe Government Accountability Office (GAO) recently reported that acquisition program costs typically run 26 percent over budget, with development costs exceeding initial estimates by 40 percent. Moreover, many programs fail to deliver capabilities when promised, experiencing a 21-month delay on average.  The report attributes the “optimistic assumptions about system requirements, technology, and design maturity [that] play a large part in these failures” to a lack of disciplined systems engineering analysis early in the program. What acquisition managers do not always realize is the importance of focusing on software engineering during the early systems engineering effort. Improving on this collaboration is difficult partly because both disciplines appear in a variety of roles and practices. This post, the first in a series, addresses the interaction between systems and software engineering by identifying the similarities and differences between the two disciplines and describing the benefits both could realize through a more collaborative approach. 

Read more...

Heartbleed: Q&A

Secure Coding , Team Software Process (TSP) , Vulnerability Analysis 1 Comment »

By Will Dormann
Vulnerability Analyst
CERT Division

Will DormannThe Heartbleed bug, a serious vulnerability in the Open SSL crytographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption used to secure the internet. Heartbleed and its aftermath left many questions in its wake: 

  • Would the vulnerability have been detected by static analysis tools? 
  • If the vulnerability has been in the wild for two years, why did it take so long to bring this to public knowledge now? 
  • Who is ultimately responsible for open-source code reviews and testing? 
  • Is there anything we can do to work around Heartbleed to provide security for banking and email web browser applications? 

In late April 2014, researchers from the Carnegie Mellon University Software Engineering Institute and Codenomicon, one of the cybersecurity organizations that discovered the Heartbleed vulnerability, participated in a panel to discuss Heartbleed and strategies for preventing future vulnerabilities. During the panel discussion, we did not have enough time to address all of the questions from our audience, so we transcribed the questions and panel members wrote responses. This blog posting presents questions asked by audience members during the Heartbleed webinar and the answers developed by our researchers. (If you would like to view the entire webinar, click here.)

Read more...