As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recent publications from the SEI in the areas of application programming interfaces (APIs), software bills of materials (SBOMs), secure development, Architecture Analysis and Design Language (AADL), and static analysis.
These publications highlight the latest work from SEI technologists in these areas. This post includes a listing of each publication, its author(s), and links where they can be accessed on the SEI website.
Application Programming Interface (API) Vulnerabilities and Risks
by McKinley Sconiers-Hasan
Web-accessible application programming interfaces (APIs) are increasingly common, and they are often designed and implemented in a way that creates security risks. Building on a taxonomy from OWASP, this report describes 11 common vulnerabilities and 3 risks related to APIs, offering suggestions about how to fix them or reduce their impact. Recommendations include using a standard API documentation process, using automated testing, and ensuring the security of the identity and access management system.
Read the SEI Special Report.
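Two of the report's recommendations, a standard documentation process and automated testing, reinforce each other: once the documentation is machine-readable, a test can use it as the oracle for what the running API must enforce. The following Python example is added here for illustration and is not code from the SEI report or from OWASP; the in-process API, its OpenAPI-style SPEC, the TOKENS and ORDERS fixtures, and both checks are constructed.

```python
"""Automated checks that an API enforces what its documentation declares.

Added example, not code from the SEI report or from OWASP. The mini API, its
OpenAPI-style SPEC, and the checks below are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    token: Optional[str] = None   # bearer token; None = anonymous caller


@dataclass
class Response:
    status: int
    body: object = None


# Constructed fixtures: credentials and data owned by two users.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"1001": {"owner": "alice", "total": 42.0},
          "1002": {"owner": "bob", "total": 17.5}}


def current_user(req: Request) -> Optional[str]:
    return TOKENS.get(req.token) if req.token else None


def health(req: Request, params: dict) -> Response:
    return Response(200, {"ok": True})


def list_orders(req: Request, params: dict) -> Response:
    user = current_user(req)
    if user is None:
        return Response(401)
    return Response(200, [o for o in ORDERS.values() if o["owner"] == user])


def get_order(req: Request, params: dict) -> Response:
    # Constructed flaw: the spec says this operation needs a bearer token,
    # but the handler never checks for one.
    order = ORDERS.get(params["id"])
    return Response(200, order) if order else Response(404)


def debug_dump(req: Request, params: dict) -> Response:
    # Constructed flaw: a route the application serves but the spec omits.
    return Response(200, {"orders": ORDERS, "tokens": list(TOKENS)})


ROUTES: Dict[Tuple[str, str], Callable[[Request, dict], Response]] = {
    ("GET", "/health"): health,
    ("GET", "/orders"): list_orders,
    ("GET", "/orders/{id}"): get_order,
    ("GET", "/debug/dump"): debug_dump,
}

# The "standard documentation": an OpenAPI-style paths object in which a
# non-empty `security` list means the operation requires a credential.
SPEC = {
    "/health": {"get": {"security": []}},
    "/orders": {"get": {"security": [{"bearerAuth": []}]}},
    "/orders/{id}": {"get": {"security": [{"bearerAuth": []}]}},
}


def match_template(template: str, path: str) -> Optional[dict]:
    """Return the path parameters if `path` matches `template`, else None."""
    tparts, pparts = template.strip("/").split("/"), path.strip("/").split("/")
    if len(tparts) != len(pparts):
        return None
    params = {}
    for t, p in zip(tparts, pparts):
        if t.startswith("{") and t.endswith("}"):
            params[t[1:-1]] = p
        elif t != p:
            return None
    return params


def dispatch(req: Request) -> Response:
    for (method, template), handler in ROUTES.items():
        if method == req.method:
            params = match_template(template, req.path)
            if params is not None:
                return handler(req, params)
    return Response(404)


def find_unauthenticated_access(spec: dict, sample_id: str = "1001") -> List[str]:
    """Documented operations that require auth yet answer 2xx to an anonymous call."""
    findings = []
    for path, ops in spec.items():
        for method, op in ops.items():
            if not op.get("security"):
                continue
            concrete = re.sub(r"\{[^}]+\}", sample_id, path)  # fill path params from a fixture id
            resp = dispatch(Request(method.upper(), concrete, token=None))
            if 200 <= resp.status < 300:
                findings.append(f"{method.upper()} {path}")
    return findings


def find_undocumented_routes(spec: dict, routes: dict) -> List[str]:
    """Routes the application serves that the documentation does not list."""
    documented = {(m.upper(), p) for p, ops in spec.items() for m in ops}
    return sorted(f"{m} {p}" for (m, p) in routes if (m, p) not in documented)


if __name__ == "__main__":
    print("auth not enforced:", find_unauthenticated_access(SPEC))
    print("undocumented routes:", find_undocumented_routes(SPEC, ROUTES))
```

Against a real service the two checks would send HTTP requests to each documented path and diff the served routes against the spec, but the idea is the same: the documentation is the oracle, so a handler that drifts from it by dropping a credential check, or a route that was never documented at all, is caught mechanically instead of by code review.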
Software Bill of Materials (SBOM) Considerations for Operational Test & Evaluation Activities
by Michael Bandor
This white paper looks at potential roles for SBOMs within various Operational Test & Evaluation (OT&E) activities. It covers the history and background of SBOMs, recent developments (as of the writing of the white paper), general challenges and questions to ask, and five specific use cases. It closes with conclusions and recommendations.
SBOMs are currently in early and varying stages of adoption across industry and within the DoD. There are still issues with the quality (e.g., completeness, accuracy, and currency) of the SBOMs being produced, as well as with adherence to the minimum essential elements identified by the U.S. Department of Commerce. Legacy systems and cloud-based systems both present challenges for generating SBOMs. The DoD is currently developing proposed guidance for how programs should address the SBOM requirement.
Given this early phase of adoption, the paper recommends that SBOMs be used to augment, not replace, the methods Operational Test (OT) personnel currently use to perform their testing functions, and that testers not rely solely on SBOM information. These limitations are not intrinsic, and we can expect SBOMs to prove increasingly important and useful for OT activities.
Read the SEI white paper.
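The quality problems named above (completeness, accuracy, currency, and adherence to the minimum elements) are the kind of thing an OT team can check mechanically before deciding how far to trust a delivered SBOM. The following Python example is added here and is not code from the SEI white paper: the CycloneDX document is constructed with deliberate omissions, and the fields it checks follow the NTIA minimum elements for an SBOM (supplier name, component name, version, other unique identifiers, dependency relationships, author of the SBOM data, and timestamp).

```python
"""Completeness, accuracy and currency checks on a CycloneDX JSON SBOM.

Added example, not code from the SEI white paper. The SBOM text below is
constructed, and the fields checked follow the NTIA minimum elements for an
SBOM: supplier name, component name, version, other unique identifiers,
dependency relationships, author of the SBOM data, and timestamp.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed SBOM with deliberate gaps: a component with no version and no
# identifier, one with no supplier that is absent from the dependency graph,
# and a dependency edge that points at a bom-ref that does not exist.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2023-11-01T12:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"bom-ref": "app", "type": "application", "name": "flight-display",
                      "version": "2.3.0", "purl": "pkg:generic/flight-display@2.3.0",
                      "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"bom-ref": "lib-a", "type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2", "supplier": {"name": "Foo Project"}},
        {"bom-ref": "lib-b", "type": "library", "name": "libbar",
         "supplier": {"name": "Bar Inc"}},
        {"bom-ref": "lib-c", "type": "library", "name": "libbaz", "version": "0.9",
         "purl": "pkg:generic/libbaz@0.9"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b", "lib-zzz"]},
        {"ref": "lib-a", "dependsOn": []},
        {"ref": "lib-b", "dependsOn": []},
    ],
})


def parse_timestamp(value: str) -> datetime:
    # CycloneDX timestamps are ISO 8601; fromisoformat wants +00:00 rather than Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_sbom(text: str, now_iso: str, max_age_days: int = 90) -> Dict[str, object]:
    """Return {'complete': bool, 'findings': [...]} for one SBOM document.

    `now_iso` is the evaluation time, passed in so results are reproducible;
    an SBOM older than `max_age_days` is flagged as no longer current.
    """
    bom = json.loads(text)
    findings: List[str] = []
    meta = bom.get("metadata", {})

    # Document-level elements: timestamp (and its currency) and author.
    ts = meta.get("timestamp")
    if not ts:
        findings.append("document: missing timestamp")
    elif parse_timestamp(now_iso) - parse_timestamp(ts) > timedelta(days=max_age_days):
        findings.append(f"document: timestamp {ts} is older than {max_age_days} days")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("document: missing author of SBOM data")

    components = ([meta["component"]] if "component" in meta else []) + bom.get("components", [])
    known_refs = {c.get("bom-ref") for c in components}

    # Dependency relationships: which refs appear in the graph at all, and
    # which edges point at nothing (an accuracy problem, not just a gap).
    in_graph, dangling = set(), []
    for dep in bom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        for target in dep.get("dependsOn", []):
            in_graph.add(target)
            if target not in known_refs:
                dangling.append(target)

    # Per-component elements.
    for c in components:
        label = f"{c.get('name', '<unnamed>')} ({c.get('bom-ref', 'no bom-ref')})"
        if not c.get("name"):
            findings.append(f"{label}: missing component name")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not c.get("version"):
            findings.append(f"{label}: missing version")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if c.get("bom-ref") not in in_graph:
            findings.append(f"{label}: not present in dependency graph")

    findings.extend(f"dependencies: reference to unknown bom-ref {r}" for r in dangling)
    return {"complete": not findings, "findings": findings}


if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM, "2024-03-01T00:00:00Z")["findings"]:
        print(line)
```

A report like this is exactly the input the paper's recommendation calls for: the findings tell the OT team where the SBOM can be trusted (libfoo is fully described and sits in the dependency graph) and where existing test methods still have to carry the load (libbar cannot even be matched to a vulnerability database without a version or identifier). An SBOM that passes every check is still only an augmentation of those methods, not a replacement for them.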
Secure Systems Don't Happen by Accident
by Timothy A. Chick
Most cybersecurity breaches are due to defects in design or code, including both coding and logic errors. The best way to address these challenges is to design and build more secure solutions. In this webcast, Tim Chick discusses how security can be an integral aspect of the entire software lifecycle. The key to success is to follow deliberate engineering practices focused on reducing security risks through the use of software assurance techniques.
What attendees will learn:
- the importance of cybersecurity, including examples of security failures
- qualities to look at when evaluating third-party software
- the relationship between quality and security
- engineering techniques used throughout the development lifecycle to reduce cyber risks
Reachability of System Operation Modes in AADL
by Lutz Wrage
Components in an AADL (Architecture Analysis and Design Language) model can have modes that determine which subcomponents and connections are active. Transitions between modes are triggered by events originating from the modeled system's environment or from other components in the model. Modes and transitions can occur at any level of the component hierarchy. The combinations of component modes (called system operation modes, or SOMs) define the system's configurations. It is important to know which SOMs can actually occur in the system, especially for system safety, because a system may contain components that should not be active simultaneously, for example, a car's brake and accelerator. This report presents an algorithm that constructs the set of reachable SOMs for a given AADL model and the transitions between them.
Read the SEI Technical Report.
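To make the reachability question concrete, the following Python example is added here; it is my illustration, not the algorithm in the report. It flattens the model (every component is always active, so there is no hierarchy or activation behavior), treats every event as global, explores the product of component modes breadth-first, and then asks whether a forbidden combination, brake and accelerator applied at the same time, is among the reachable SOMs. The brake and accelerator models, including the interlocked variant, are constructed for the example.

```python
"""Reachable system operation modes (SOMs) by breadth-first search.

Added illustration, not the algorithm in the SEI report. The model is
flattened: every component is always active (no hierarchy or activation
semantics), events are global, and every component that has a transition
for an event in its current mode takes it at the same time.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

SOM = Tuple[Tuple[str, str], ...]   # ((component, mode), ...) in sorted component order
Model = Dict[str, dict]             # component -> {"initial": mode, "transitions": {(mode, event): mode}}


def reachable_soms(model: Model) -> Tuple[Set[SOM], Dict[Tuple[SOM, str], SOM]]:
    """Return the reachable SOMs and the (som, event) -> som edges between them."""
    names = sorted(model)
    events = sorted({ev for c in model.values() for (_, ev) in c["transitions"]})
    initial: SOM = tuple((n, model[n]["initial"]) for n in names)
    seen, edges, queue = {initial}, {}, deque([initial])
    while queue:
        som = queue.popleft()
        current = dict(som)
        for ev in events:
            # A component with no transition for (current mode, event) keeps its mode.
            nxt: SOM = tuple((n, model[n]["transitions"].get((current[n], ev), current[n]))
                             for n in names)
            if nxt == som:
                continue   # the event has no effect in this SOM
            edges[(som, ev)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, edges


def unsafe_soms(reachable: Set[SOM], forbidden: Dict[str, str]) -> List[SOM]:
    """Reachable SOMs in which all of the `forbidden` (component, mode) pairs hold at once."""
    return sorted(s for s in reachable
                  if all(dict(s).get(c) == m for c, m in forbidden.items()))


BRAKE = {"initial": "released", "transitions": {
    ("released", "brake_press"): "applied",
    ("applied", "brake_release"): "released",
}}

# Accelerator that ignores the brake entirely (constructed model).
NAIVE_MODEL: Model = {"brake": BRAKE, "accelerator": {"initial": "released", "transitions": {
    ("released", "accel_press"): "applied",
    ("applied", "accel_release"): "released",
}}}

# Accelerator with an interlock mode: any brake press forces it to "locked",
# and it only returns to "released" once the brake is released (constructed model).
INTERLOCKED_MODEL: Model = {"brake": BRAKE, "accelerator": {"initial": "released", "transitions": {
    ("released", "accel_press"): "applied",
    ("applied", "accel_release"): "released",
    ("released", "brake_press"): "locked",
    ("applied", "brake_press"): "locked",
    ("locked", "brake_release"): "released",
}}}

# The configuration that must never occur: brake and accelerator applied together.
FORBIDDEN = {"brake": "applied", "accelerator": "applied"}


if __name__ == "__main__":
    for name, model in (("naive", NAIVE_MODEL), ("interlocked", INTERLOCKED_MODEL)):
        soms, edges = reachable_soms(model)
        print(f"{name}: {len(soms)} reachable SOMs, {len(edges)} transitions, "
              f"unsafe: {unsafe_soms(soms, FORBIDDEN)}")
```

The naive model reaches all four mode combinations, including the unsafe one, while the interlocked accelerator never reaches "applied" while the brake is "applied", so the safety property holds in every reachable configuration rather than merely in the ones the designer had in mind. Enumerating the product space this way is exponential in the number of components; the report's algorithm also has to account for modes at multiple levels of the hierarchy, where a parent's mode decides which subcomponents exist in a configuration at all, which this flat example leaves out.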
Automated Repair of Static Analysis Alerts
by David Svoboda
Developers know that static analysis helps make code more secure. However, heuristic static analysis tools often produce a large number of false positives, hindering their usefulness. In this podcast, David Svoboda, a software security engineer in the SEI's CERT Division, discusses Redemption, a new open-source tool from the SEI that automatically repairs common errors in C/C++ code flagged by static analysis alerts, making code safer and static analysis less overwhelming.
Listen to/view the podcast.
Navigating Capability-Based Planning: The Benefits, Challenges, and Implementation Requirements
by Anandi Hira and William Nichols
Capability-based planning (CBP) defines a framework for acquisition and design that encompasses a comprehensive view of existing abilities and future needs for the purpose of supporting strategic decisions about what is needed and how to achieve it effectively. Both business and government acquisition domains use CBP, whether for financial success or to design well-balanced defense systems. Unsurprisingly, the definitions vary across these domains. This paper endeavors to reconcile these definitions to provide an overarching view of CBP, its potential, and the practical implementation of its principles.
Read the white paper.
My Story in Computing, with Sam Procter
by Sam Procter
Sam Procter, an SEI senior architecture researcher, started out studying computer science at the University of Nebraska, but he didn't love it. It wasn't until he took his first software engineering course that he knew he had found his career path. In this SEI podcast, Procter discusses early influences that shaped his career, the importance of embracing different types of diversity in his research and work, and the value of work-life balance.
Listen to/view the podcast.
Additional Resources
View the latest SEI research in the SEI Digital Library.
View the latest podcasts in the SEI Podcast Series.
View the latest installments in the SEI Webcast Series.