By William Wood
Senior Member of the Technical Staff
Software Solutions Division
Legacy systems represent a massive operations and maintenance (O&M) expense. According to a recent study,
75 percent of North American and European enterprise information
technology (IT) budgets are expended on ongoing O&M, leaving a mere
25 percent for new investments. Another study found that nearly three-quarters of the U.S. federal IT budget is spent supporting legacy systems. For decades, the Department of Defense (DoD) has been attempting to modernize about 2,200 business systems, which are supported by billions of dollars in annual expenditures that
are intended to support business functions and operations. Many of
these legacy systems were built decades ago using technologies available
at the time and have been operating successfully for many years.
Unfortunately, these systems were built with components that are
becoming obsolete and have accompanying high licensing costs for
commercial off-the-shelf (COTS) components, awkward user interfaces, and
business processes that evolved based on expediency rather than
optimality. In addition, new software engineers familiar with current
technology are unfamiliar with the domain, and documentation is scarce
and outdated. Other problematic factors include business rules that are
embedded in code written in obsolete languages using obsolete data
structures and the fact that the cadre of aging domain experts
maintaining legacy systems are unfamiliar with newer technologies. This blog post provides a case study of a modernization effort conducted for a federal agency by SEI researchers on such a large-scale, legacy IT system.
By Carol Woody
Technical Manager of the Cybersecurity Engineering Team
This post was co-authored by Bill Nichols.
Mitre’s Top 25 Most Dangerous Software Errors
is a list that details quality problems, as well as security problems.
This list aims to help software developers “prevent the kinds of
vulnerabilities that plague the software industry, by identifying and
avoiding all-too-common mistakes that occur before software is even
shipped.” These vulnerabilities often result in software that does not
function as intended, presenting an opportunity for attackers to
compromise a system. This blog post highlights our research in examining
techniques used for addressing software defects in general and how
those can be applied to improve security detection and management.
By Chris Taschner
CERT Cyber Security Solutions Directive
This post is the latest installment in a series aimed at helping organizations adopt DevOps.
Tools used in DevOps environments such as continuous integration and continuous deployment
speed up the process of pushing code to production. Often this means
continuous deployment cycles that could result in multiple deployments
per day. Traditional security testing, which often requires manually
running multiple tests in different tools, does not keep pace with this
rapid schedule. This blog post introduces a tool called Gauntlt, which attempts to remedy this issue.
By Greg Shannon
For two consecutive years, organizations reported that insider crimes caused comparable damage (34 percent) to external attacks (31
percent), according to a recent cybercrime report
co-sponsored by the CERT Division at the Carnegie Mellon University
Software Engineering Institute. Despite this near parity, media reports
of attacks often focus on external attacks and their aftermath, yet an
attack can be equally or even more devastating when carried out from
within an organization. Insider threats are influenced by a combination
of technical, behavioral, and organizational issues and must be
addressed by policies, procedures, and technologies. Researchers at the CERT Insider Threat Center define insider threat as actions by an individual who meets the following criteria: a
current or former employee, contractor, or business partner who has or
has had authorized access to an organization’s network, system, or data and
intentionally exceeded or intentionally used that access in a manner
that negatively affected the confidentiality, integrity, or availability
of the organization’s information or information systems.
The CERT Insider Threat Center provides analysis and
solutions to organizations through partnerships with the U.S.
Department of Defense, the U.S. Department of Homeland Security, the
U.S. Secret Service, other federal agencies, the intelligence community,
private industry, academia, and the vendor community. This blog post,
the second in a series, introduces the CERT Insider Threat Center blog, which highlights the latest research and security solutions to help organizations protect against insider threat.
By Greg Shannon
In 2014, approximately
1 billion records of personally identifiable information were
compromised as a result of cybersecurity vulnerabilities. In the
face of this onslaught of compromises, it is important to examine
fundamental insecurities that CERT researchers have identified and that
readers of the CERT/CC blog
have found compelling. This post, the first in a series highlighting
CERT resources available to the public including blogs and vulnerability
notes, focuses on the CERT/CC blog. This blog post highlights security
vulnerability and network security resources to help organizations in government
and industry protect against breaches that compromise data.