Information Technology Systems Modernization

Architecture 1 Comment »

By William Wood
Senior Member of the Technical Staff
Software Solutions Division

William Wood Legacy systems represent a massive operations and maintenance (O&M) expense. According to a recent study, 75 percent of North American and European enterprise information technology (IT) budgets are expended on ongoing O&M, leaving a mere 25 percent for new investments. Another study found nearly three quarters of the U.S. federal IT budget is spent supporting legacy systems. For decades, the Department of Defense (DoD) has been attempting to modernize about 2,200 business systems, which are supported by billions of dollars in annual expenditures that are intended to support business functions and operations. Many of these legacy systems were built decades ago using technologies available at the time and have been operating successfully for many years. Unfortunately, these systems were built with components that are becoming obsolete and have accompanying high-licensing costs for commercial off-the-shelf (COTS) components, awkward user interfaces, and business processes that evolved based on expediency rather than optimality. In addition, new software engineers familiar with current technology are unfamiliar with the domain, and documentation is scarce and outdated. Other problematic factors include business rules that are embedded in code written in obsolete languages using obsolete data structures and the fact that the cadre of aging domain experts maintaining legacy systems are unfamiliar with newer technologies. This blog post provides a case study of a modernization effort conducted for a federal agency by SEI researchers on such a large-scale, legacy IT system. 


Heartbleed and Goto Fail: Two Case Studies for Predicting Software Assurance Using Quality and Reliability Measures

Measurement & Analysis , Software Assurance 1 Comment »

By Carol Woody
Technical Manager of the Cybersecurity Engineering Team
CERT Division

This post was co-authored by Bill Nichols.

Carol Woody Mitre’s Top 25 Most Dangerous Software Errors is a list that details quality problems, as well as security problems. This list aims to help software developers “prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.” These vulnerabilities often result in software that does not function as intended, presenting an opportunity for attackers to compromise a system. This blog post highlights our research in examining techniques used for addressing software defects in general and how those can be applied to improve security detection and management.


DevOps Technologies: Gauntlt

DevOps , DevOps Tips No Comments »

By Chris Taschner
Project Lead
CERT Cyber Security Solutions Directive

This post is the latest installment in a series aimed at helping organizations adopt DevOps.

Chris TaschnerTools used in DevOps environments such as continuous integration and continuous deployment speed up the process of pushing code to production. Often this means continuous deployment cycles that could result in multiple deployments per day. Traditional security testing, which often requires manually running multiple tests in different tools, does not keep pace with this rapid schedule. This blog post introduces a tool called Gauntlt, which attempts to remedy this issue.


Top 10 Insider Threat Posts

Insider Threat No Comments »

By Greg Shannon
Chief Scientist
CERT Division

Greg ShannonFor two consecutive years, organizations reported that insider crimes caused comparable damage (34 percent) to external attacks (31 percent), according to a recent cybercrime report co-sponsored by the CERT Division at the Carnegie Mellon University Software Engineering Institute. Despite this near parity, media reports of attacks often focus on external attacks and their aftermath, yet an attack can be equally or even more devastating when carried out from within an organization. Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies. Researchers at the CERT Insider Threat Center define insider threat as actions by an individual who meets the following criteria:

  • a current or former employee, contractor, or business partner who has or has had authorized access to an organization’s network, system, or data
  • and intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Insider threats are influenced by a combination of technical, behavioral, and organizational issues that organizations must address through policies, procedures, and technologies. Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies. Researchers at the The CERT Insider Threat Center provides analysis and solutions to organizations through partnerships with the U.S. Department of Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community. This blog post, the second in a series, introduces the CERT Insider Threat Center blog, which highlights the latest research and security solutions to help organizations protect against insider threat.


Top 10 CERT/CC Blog Posts on Vulnerabilities and SSL Tools

Vulnerability Analysis No Comments »

By Greg Shannon
Chief Scientist
CERT Division

Greg ShannonIn 2014, approximately 1 billion records of personably identifiable information were compromised as a result of cybersecurity vulnerabilities. In the face of this onslaught of compromises, it is important to examine fundamental insecurities that CERT researchers have identified and that readers of the CERT/CC blog have found compelling. This post, the first in a series highlighting CERT resources available to the public including blogs and vulnerability notes, focuses on the CERT/CC blog.  This blog post highlights security vulnerability and network security resources to help organizations in government and industry protect against breaches that compromise data.