Security Cert
New Podcast Released
Protecting the internet and its users against cyber attacks requires a significant increase in the number of skilled cyber warriors.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage" has been posted.
Security Cert
Spotlight On: Malicious Insiders and Organized Crime Activity
This TN is the fifth article in the Spotlight On quarterly series published by the CERT Insider Threat Center.
Security Cert
New CERT/CC Blog Entry
The entry "CNAME flux" has been posted.
Security Cert
Using Defined Processes as a Context for Resilience Measures Technical Note Released
This technical note describes how implementation-level processes can help organizations define measures of operational resilience.
Security Cert
New Podcast Released
Electronic health records bring many benefits along with security and privacy challenges.
Security Cert
Standards-Based Automated Remediation 2011 Update Released
This report updates the development of standards for remediation of vulnerabilities and compliance issues on Department of Defense networked systems for 2011.
Security Cert
Insider Threat Control Released
Insider Threat Control: Using a SIEM Signature to Detect Potential Precursors to IT Sabotage presents a technique for detecting potential insider sabotage over an organization's network.
Security Cert
New Insider Threat Blog Entry
The entry "Preparing for Negative Workplace Events - Managing Employee Expectations" has been posted.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat Controls" has been posted.
Security Cert
New Insider Threat Blog Entry
The entry "Data Exfiltration and Output Devices - An Overlooked Threat" has been posted.
Security Cert
CERT Oracle Secure Coding Standard for Java Book Published
The CERT Oracle Secure Coding Standard for Java has been published by Addison-Wesley Professional.
Security Cert
New Insider Threat Demonstration Series Launched
The CERT Insider Threat Center has released the first video in a series of insider threat demonstrations.
Security Cert
Insider Threat Control Technical Note Released
This technical note describes how organizations can use Splunk to detect insider theft of intellectual property.
Security Cert
Agenda Now Available for Upcoming Workshop
The Institute for Information Infrastructure Protection (I3P) and the CERT Program will present the workshop "Cyber Security CPR: Coordinated Private Response to Computer Security Incidents" in Arlington, VA on October 12-13. See the web page for a link to the agenda.
Security Cert
New Podcast Released
Measures of operational resilience should answer key questions, inform decisions, and affect behavior.
Security Cert
Community College Education Report Published
The fourth volume in the Software Assurance Curriculum Project focuses on community college courses for software assurance.
Security Cert
2010 CERT Research Report Published
The CERT Program is internationally known for developing practices and technologies to protect, detect, and respond to attacks, accidents, and failures on networked systems. This report describes progress in our innovative research projects and activities.
Security Cert
New CERT/CC Blog Entry
The entry "Challenges in Network Monitoring above the Enterprise" has been published.
Security Cert
New Podcast Released
Use of Domain Name System security extensions can help prevent website hijacking attacks.
Security Cert
New Insider Threat Blog Entry
The entry "The Necessity of Best Practices for the Prevention and Detection of Insider Threats" has been posted.
Security Cert
New Insider Threat Blog Entry
The entry "The CERT Insider Threat Database" has been posted.
Security Cert
Keeping Your Family Safe in a Highly Connected World
As our world becomes highly connected where endless data is just a click away and using networked devices has become almost a necessity, protecting your personal information and family privacy is of great concern.
Security Cert
Measures for Managing Operational Resilience Technical Report Published
In this technical report Resilient Enterprise Management (REM) team members suggest a set of top ten strategic measures for managing operational resilience.
Security Cert
New Podcast Released
Depending on the service model, cloud providers and customers can monitor and implement controls to better protect their sensitive information.
Security Cert
Standards-Based Automated Remediation Special Report Released
This report describes the development of standards for remediation of vulnerabilities and compliance issues on Department of Defense networked systems.
Security Cert
New Insider Threat Blog Entry
The entry "Theft of Intellectual Property and Tips for Prevention" has been published.
Security Cert
Request for Proposal - SEI Code Review Process
The SEI is issuing a Request for Proposal seeking interested organizations with experience performing web penetration and source code audits in systems developed in C#, Java, Ruby, Perl, Python, JavaScript, and PHP.
Security Cert
New Podcast Released
Analyzing malware is essential to assess the damage and reduce the impact associated with ongoing infection.
Security Cert
New CERT PGP Key
CERT has updated its PGP key. We strongly urge you to encrypt sensitive information.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat Deep Dive: Theft of Intellectual Property" has been posted.
Security Cert
New CERT/CC Blog Entry
The entry "Signed Java and Cisco AnyConnect" has been posted.
Security Cert
A Preliminary Model of Insider Theft of Intellectual Property Technical Note Published
This technical note presents research findings on insider theft of intellectual property.
Security Cert
CERT Used XNET for Forensics Challenge
This article describes the role that XNET played in the CERT Forensics Challenge, designed for the 2011 National Security Agency Cyber Defense Exercise.
Security Cert
New CERT/CC Blog Entry
The entry "Effectiveness of Microsoft Office File Validation" has been published.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat and Physical Security of Organizations" has been published.
Security Cert
New Podcast Released
Over 100 electric power utilities are accelerating their transformation to the smart grid by using the Smart Grid Maturity Model.
Security Cert
New CERT Blogs Index
This main index page displays the ten most recent entries across all of our blogs. You can reach this page through the blogs link in the bottom navigation.
Security Cert
Trusted Computing in Embedded Systems Workshop Released
This SEI Special Report describes the November 2010 Trusted Computing in Embedded Systems Workshop held at Carnegie Mellon University.
Security Cert
Software Security Measurement and Analysis Presentation Released
Cyber Security Engineering researchers at CERT have released a presentation describing their Security Measurement and Analysis (SMA) Project.
Security Cert
SPREE Workshop
SPREE Workshop registration is now open. You can register by using this form (pdf).
Security Cert
New CERT/CC Blog Entry
The entry "A Security Comparison: Microsoft Office vs. Oracle Openoffice" has been published.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat Best Practices from Industry" has been published.
Security Cert
New Podcast Released
Business leaders must address risk at the enterprise, business process, and system levels to effectively protect against today's and tomorrow's threats.
Security Cert
2011 CyberSecurity Watch Survey Released
The 2011 CyberSecurity Watch Survey press release and data sample have been released.
Security Cert
New CERT/CC Blog Entry
The entry "Announcing the CERT Basic Fuzzing Framework 2.0" has been published.
Security Cert
Function Extraction (FX) Research for Computation of Software Behavior Technical Report Released
This technical report discusses use of algorithms to compute overall malware behavior.
Security Cert
Risk and Resilience: Considerations for Information Security Risk Assessment and Management
Julia Allen and Jim Cebula gave this presentation at RSA Conference 2011 in San Francisco, California.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threats in the Software Development Lifecycle" has been published.
Security Cert
New Podcast Released
Scenario-based exercises help organizations, governments, and nations prepare for, identify, and mitigate cyber risks.
Security Cert
New Insider Threat Presentation Published
"Combat IT Sabotage: Technical Solutions From The CERT Insider Threat Lab," presented at RSA Conference 2011 in San Francisco, California, is now available.
Security Cert
An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases Technical Note Published
This technical note provides an overview of techniques employed by malicious insiders to steal intellectual property.
Security Cert
Integrating the MSwA Reference Curriculum into the MSIS Model Curriculum Technical Note Published
This technical note examines how the MSwA Reference Curriculum recommendations might be integrated into the model curriculum recommendations for a MSIS degree.
Security Cert
New CERT/CC Blog Entry
The entry "'Network Monitoring for Web-Based Threats' released" has been published.
Security Cert
Changes to Vulnerability Analysis Blog
To allow for expansion into other technical areas, the Vulnerability Analysis Blog has been converted to the CERT/CC Blog.
Security Cert
Network Monitoring for Web-Based Threats Report Published
This report models the approach a focused attacker would take in order to breach an organization through web-based protocols and provides detection or prevention methods to counter that approach.
Security Cert
Security and Privacy Engineering (SPREE) Workshop Scheduled for June
The SPREE Workshop will be held at Carnegie Mellon University on June 15-16, 2011. Discussions will focus on security and privacy challenges associated with developing and maintaining software as data-driven technology continues to advance.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat Case Trends of Technical and Non-Technical Employees" has been published.
Security Cert
New Podcast Released
Technical controls may be effective in helping prevent, detect, and respond to insider crimes.
Security Cert
Trust and Trusted Computing Platforms Technical Note Published
This technical note examines the capabilities and limitations of hardware-based trusted platforms in general, and the Trusted Platform Module (TPM) from the perspective of trusted applications in particular.
Security Cert
Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data Technical Note Published
This paper demonstrates how to extract and map technical information from previous insider crimes.
Security Cert
Software Supply Chain Risk Management Technical Note Published
This technical note considers current practices in software supply chain analysis and suggests foundational practices.
Security Cert
CERT Resilience Management Model Book Published
The CERT Resilience Management Model (CERT-RMM) Version 1.1 has been published by Addison-Wesley Professional.
Security Cert
A Taxonomy of Operational Cyber Security Risks Published
This technical note presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk.
Security Cert
Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems Report Published
The Source Code Analysis Laboratory (SCALe) is an operational capability that tests software applications for conformance to one of the CERT secure coding standards.
Security Cert
CERT Approach to Cybersecurity Workforce Development Report Published
This report presents a new, continuous approach to cybersecurity workforce development.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat Case Trends for Employee Type and Employment Status" has been published.
Security Cert
How Resilient Is My Organization?
Use the CERT Resilience Management Model (CERT-RMM) to help ensure that critical assets and services perform as expected in the face of stress and disruption.
Security Cert
New Insider Threat Blog Entry
The entry "Upcoming Insider Threat Presentations" has been published.
Security Cert
CERT Career Fair Scheduled for January
Representatives from CERT will be in Arlington, VA on January 26-27 to meet with candidates interested in job opportunities. Applicants must submit resumes in advance for this appointment-only event.
Security Cert
Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability
This special report is the first in a series of best practices information that interested organizations and governments can use to begin to develop a national incident management capability.
Security Cert
New Podcast Released
Government agencies and private industry must build effective partnerships to secure national critical infrastructures.
Security Cert
Measuring Operational Resilience Using the CERT Resilience Management Model
This Technical Note is the first in a series of publications designed to start a dialog on the topic of meaningful measurement.
Security Cert
New CERT PGP Key
CERT has updated its PGP public key. We strongly urge you to encrypt sensitive information.
Security Cert
New Podcast Released
Knowledge about software assurance is essential to ensure that complex systems function as intended.
Security Cert
New Insider Threat Blog Entry
The entry "Interesting Insider Threat Statistics" has been published.
Security Cert
FloCon 2011 Registration Open
Registration for FloCon 2011 is now open. The early bird registration fee will begin at $660.00 until November 22, 2010. Please use discount code FLOCONNEB when registering on or before November 22, 2010.
Security Cert
New Insider Threat Blog Entry
The entry "A Threat-Centric Approach to Detecting and Preventing Insider Threat" has been published.
Security Cert
Participation Opportunities for FloCon 2011 Published
The call for presentations, a description of sponsorship opportunities, and the sponsorship agreement have been released.
Security Cert
Integrated Measurement and Analysis Framework for Software Security Technical Note Published
This report is the first in a series that addresses how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF) for software security.
Security Cert
Security Requirements Reusability and the SQUARE Methodology
R-SQUARE incorporates reusable security goals and requirements into a variant of Security Quality Requirements Engineering (SQUARE).
Security Cert
Building Assured Systems Framework Report Published
The BASF addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.
Security Cert
Upcoming IEEE Smart Grid Survivability Workshop
This workshop will take place October 13-14, 2010 in Arlington, Virginia.
Security Cert
New Podcast Released
Organizations can benchmark their software security practices against 109 observed activities from 30 organizations.
Security Cert
New Vulnerability Analysis Blog Entry
The entry "CERT Basic Fuzzing Framework Update" has been published.
Security Cert
New Insider Threat Blog Entry
The entry "Insider Threat Deep Dive: IT Sabotage" has been published.
Security Cert
New CERT PGP Key
CERT has updated its PGP public key. We strongly urge you to encrypt sensitive information.
Security Cert
Insider Threat Blog Released
The first entry in our new insider threat blog has been published.
Security Cert
FloCon 2010 Proceedings Available
Proceedings from FloCon 2010 have been released.
Security Cert
Software Assurance Curriculum Materials Available
A Master of Software Assurance Reference Curriculum and undergraduate course outlines are now available for download.
Security Cert
New Podcast Released
Internet-connected mobile devices are becoming increasingly attractive targets.
Security Cert
FloCon 2011 Announced
FloCon 2011 will take place in Salt Lake City, Utah, January 10-13, 2011.
Security Cert
New Podcast Released
A national CSIRT is essential for protecting national and economic security, and ensuring the continuity of government agencies and critical infrastructures.
Security Cert
Technical Note on Adapting the SQUARE Process for Privacy Requirements Engineering Published
This technical note explores the use of a disciplined approach to identifying privacy requirements, primarily how the Security Quality Requirements Engineering (SQUARE) process, which was developed for security requirements engineering, can be adapted for privacy requirements engineering in software development.
Security Cert
Spotlight On: Insider Threat from Trusted Business Partners Published
This article focuses on cases in the CERT Insider Threat Center database in which malicious insiders were employed by a trusted business partner of the victim organization. These cases involve outsourcing as well as individual contractors and consultants.
Security Cert
New Podcast Released
Securing systems that control physical switches, valves, pumps, meters, and manufacturing lines as these systems connect to the internet is critical for service continuity.
Security Cert
CERT/CC Enhancing Collaboration Between National CSIRTs
The CERT/CC has created both a wiki and an operational mailing list for authorized technical staff at national CSIRTs. These tools will promote collaboration and information exchange about technical projects and other relevant work.
Security Cert
New Podcast Released
Complex, distributed, multi-year investigations of computer crimes require sophisticated methods, techniques, and tools.
Security Cert
National CSIRTs to Meet in Miami
On June 19-20, the CERT/CC is hosting a meeting of CSIRTs with national responsibility in Miami, Florida. Attendees will discuss the unique challenges facing national CSIRTs and will share information about projects and solutions.
Security Cert
Fuzz Testing Tool Available
The CERT Basic Fuzzing Framework (BFF) is a Linux-based tool for fuzz testing software that runs on Linux. This free tool is now available for download.
Security Cert
Java Concurrency Guidelines Report Published
The CERT Oracle Secure Coding Standard for Java provides guidelines for securrogramming language
Security Cert
Second Edition of Specifications for Managed Strings Report Published
This report describes a managed string library for the C programming language.
Security Cert
Survivability Analysis Framework Technical Note Published
The technical note describes the Survivability Analysis Framework (SAF), which can be used to examine the elements of an operational process and evaluate the survivability of an organization.
Security Cert
New Podcast Released
To help identify and eliminate security vulnerabilities, subject all software that you build and buy to fuzz testing.
Security Cert
Resilience Management Model Report Published
The CERT-RMM report describes the key concepts, components, and process area relationships of the model, which is an innovative way to approach the challenge of managing operational resilience in complex, risk-evolving environments.
Security Cert
Technical Report About Network Behavior Published
The report, Identifying Anomalous Port-Specific Network Behavior, describes a method for detecting behavior that may be a precursor to internet-wide attacks.
Security Cert
New Podcast Released
Organized criminals recruit unsuspecting intermediaries to help steal funds from small businesses.
Security Cert
2009 CERT Research Annual Report Published
CERT is developing theoretical foundations and engineering methods to help ensure the security of critical systems and networks. This report describes progress in CERT research projects and opportunities for collaboration.
Security Cert
New Insider Threat Presentation Published
"The Key to Successful Monitoring for Detection of Insider Attacks," presented at RSA Conference 2010 in San Francisco, California, is now available.
Security Cert
New Podcast Released
Being able to respond effectively when faced with a disruptive event requires that staff members learn to become more resilient.
Security Cert
New CERT PGP Public Key
CERT has updated its PGP public key. We strongly urge you to encrypt sensitive information.
Security Cert
New Podcast Released
CISOs must leave no room for anyone to deny that they understand what is expected of them when developing secure software.
Security Cert
2010 Vulnerability Discovery Workshop
On February 1, 2010, CERT hosted a workshop with vulnerability researchers and software vendors to discuss ideas, tools, and techniques used to find vulnerabilities.
Security Cert
MITRE CWE and CERT Secure Coding Standards
This paper describes the Common Weakness Enumeration (CWE) and the CERT secure coding standards and explains the relationship between them.
Security Cert
Instrumented Fuzz Testing Using AIR Integers Published
This paper presents the as-if infinitely ranged (AIR) integer model, which provides a largely automated mechanism for eliminating integer overflow, truncation, and other integral exceptional conditions.
Security Cert
Results of 2010 CyberSecurity Watch Survey Released
This survey, a cooperative effort of multiple organizations, collected answers from more than 500 rent executives, professionals, and consultants.
Security Cert
New Podcast Released
Students learn how to combine multiple facets of digital forensics and draw conclusions to support full-scale investigations.
Security Cert
New CERT PGP Public Key
CERT has updated its PGP public key. We strongly urge you to encrypt sensitive information.
Security Cert
New Podcast Released
The SGMM provides a roadmap to guide an organization's transformation to the smart grid.
Security Cert
New Podcast Released
Addressing privacy during software development is just as important as addressing security.
Security Cert
SQUARE Tool Is Now Available
Addressing privacy during software development is just as important as addressing security.
Security Cert
New Podcast Released
Network defenders and business leaders can use NetSA measures and evidence to better protect their networks.
Security Cert
CERT Tactical Response and Analysis Challenge Tests Cybersecurity Skills
Twenty-nine competing teams from 20 countries participated in the Tactical Response and Analysis Challenge (TRAC) conducted by the SEI's CERT Program as part of the weeklong International Cyber Defense Workshop (ICDW), which concluded November 13, 2009.
Security Cert
New Podcast Released
Providing critical services during times of stress depends on documented, tested business continuity plans.
Security Cert
Spotlight On - Insider Theft of Intellectual Property inside the U.S. Involving Foreign Governments or Organizations
This report is the third in the quarterly series, Spotlight On, published by the Insider Threat Center at CERT and funded by CyLab. This article focuses on insider theft of intellectual property inside the U.S. involving foreign governments or organizations.
Security Cert
Deadline for FloCon Abstracts Extended
The deadline to submit abstracts for presentations and demonstrations for FloCon 2010 has been extended to Monday, November 9.
Security Cert
Secure Design Patterns
This newly updated technical report describes a set of secure design patterns, which are descriptions or templates describing a general solution to a security problem that can be applied in many different situations.
Security Cert
New Podcast Released
A defined, managed process for third party relationships is essential, particularly when business is disrupted.
Security Cert
New Podcast Released
The smart grid is the use of digital technology to modernize the power grid, which comes with some new privacy and security challenges.
Security Cert
New Podcast Released
Electronic health records (EHRs) are possibly the most complicated area of IT today, more difficult than defense.
Security Cert
Effectiveness of the Vulnerability Response Decision Assistance (VRDA) Framework
This paper examines the effectiveness of VRDA in terms of how well it predicts responses.
Security Cert
New Podcast Released
282 cases of actual insider attacks suggest 16 best practices for preventing and detecting insider threat.
Security Cert
Spotlight On: Malicious Insiders with Ties to the Internet Underground Community (pdf), March 2009
This report is the second in the quarterly series, Spotlight On, published by the Insider Threat Center at CERT and funded by CyLab. This article focuses on insider threat cases in which the insider had relationships with the internet underground community.
Security Cert
New Podcast Released
Automation, innovation, reaction, and expansion are the foundation for obtaining meaningful network traffic intelligence in today's extended enterprise.
Security Cert
Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
This paper provides observations about and a preliminary system dynamics model of one class of insider crime based on empirical data.
Security Cert
As-if Infinitely Ranged Integer Model Published
This paper presents a model for automating the elimination of integer overflow and truncation in C and C++ programming code.
Security Cert
New Podcast Released
Business leaders need new approaches to address multi-enterprise, systems of systems risks across the life cycle and supply chain.
Security Cert
Resiliency Management Model v1.0 Released
CERT has published the first process areas of the Resiliency Management Model, a capability model for operational resiliency management.
Security Cert
Winners of Best Practices Contest 2009 Announced
The winners of the Best Practices Contest 2009 were announced at the FIRST conference in Kyoto, Japan. Read the winning submissions.
Security Cert
New CERT PGP Public Key
CERT has updated its PGP public key. We strongly urge you to encrypt sensitive information.
Security Cert
New Podcast Released
When considering cloud services, business leaders need to weigh the economic benefits against the security and privacy risks.
Security Cert
New Podcast Released
Business leaders need to take action to better mitigate sophisticated social engineering attacks.
Security Cert
New Podcast Released
Now may be the time to examine our responsibilities when developing software with known, preventable errors - along with some possible consequences.
Security Cert
Making the Business Case for Software Assurance Published
This report provides guidance for making the business case for building software assurance into software products during each software development life-cycle activity.
Security Cert
CERT Releases Dranzer Tool
As part of their vulnerability discovery efforts, CERT has released Dranzer, an open source tool that software developers can use to test for ActiveX vulnerabilities.
Security Cert
New Podcast Released
Capitalizing on the cultural norms of the Net Generation is essential when developing security awareness programs.
Security Cert
Linux Forensics Tools Repository Released
The CERT forensics tools repository, a collection of add-on packages for Fedora, provides many useful cyber forensics tools for analysts and practitioners.
Security Cert
New Podcast Released
Observed practice, represented as a maturity model, can serve as a basis for developing more secure software.
Security Cert
Secure Design Patterns
This technical report describes a set of secure design patterns, which are descriptions or templates describing a general solution to a security problem that can be applied in many different situations.
Security Cert
New Podcast Released
Requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities.
Security Cert
CERT Program Hosts Leaders in Security
On March 10, the CERT Program at Carnegie Mellon University's Software Engineering Institute began a two-day technical symposium for a select group of leaders and experts in the cyber security field.
Security Cert
2008 CERT Research Annual Report Published
CERT is developing theoretical foundations and engineering methods to help ensure the security of critical systems and networks. This report describes progress in CERT research projects and opportunities for collaboration.
Security Cert
New Podcast Released
Making security strategic to business innovation involves seven strategies and calculating risk-reward based on risk appetite.
Security Cert
New Podcast Released
Teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine.
Security Cert
New Podcast Released
Standard, compliance, and process are more effective than risk management for ensuring an adequate level of information and software security.
Security Cert
Common Sense Guide to Prevention and Detection of Insider Threats, Version 3.1
The third version of this guide includes new and updated practices based on an analysis of approximately 100 recent insider threat cases that occurred from 2003 to 2007 in the United States.
Security Cert
New Podcast Released
Rich Pethia reflects on CERT's 20-year history and discusses how he is positioning the program to tackle future IT and security challenges.
Security Cert
New Podcast Released
Being able to effectively respond to e-discovery requests depends on well-defined, enacted policies, procedures, and processes.
Security Cert
New Podcast Released
Climate change requires new strategies for dealing with traditional IT and information security risks.
Security Cert
New Podcast Released
Virtual training environments can deliver high quality content to security professionals on-demand, anywhere, anytime.
Security Cert
CERT Resiliency Engineering Framework (REF) Outline Published
This document provides a brief overview of the CERT Resiliency Engineering Framework, including purpose statements, goals, and specific practices for each capability area.
Security Cert
New Podcast Released
Responding to an e-discovery request involves many of the same steps and roles as responding to a security incident.
Security Cert
New Podcast Released
A sustainable security program is based on business-aligned strategy, policy, awareness, implementation, monitoring, and remediation.
Security Cert
The CERT C Secure Coding Standard Published
This book is an essential desktop reference documenting the first official release of the CERT C Secure Coding Standard.
Security Cert
CERT Statistics Updated
The CERT statistics have been updated with numbers from the third quarter of 2008.
Security Cert
New Podcast Released
When considering whether to conduct business in online, virtual communities, business leaders need to evaluate risks and opportunities.
Security Cert
New Podcast Released
Integrating security into university curricula is one of the key solutions to developing more secure software.
Security Cert
Interactive Vulnerability Reporting Form Released
The interactive form enhances CERT's vulnerability analysis efforts by making it easier for vulnerability reporters to securely submit valuable information.
Security Cert
New Podcast Released
OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services.
Security Cert
Java Secure Coding Standard Released
CERT has released the Java Secure Coding Standard in addition to existing secure coding standards for the C and C++ programming languages. CERT invites the Java community to participate in this effort by reviewing content in the Java space and providing comments.
Security Cert
New Technical Note Released
Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.
Security Cert
New Podcast Released
Well-defined metrics are essential to determine which security practices are worth the investment.
Security Cert
New Podcast Released
Software security is accomplished by thinking like an attacker and integrating security practices into your software development lifecycle.
Security Cert
New Podcast Released
Protecting critical infrastructures and the information they use is essential for preserving our way of life.
Security Cert
CERT Statistics Updated
The CERT statistics have been updated with numbers from the second quarter of 2008.
Security Cert
New Podcast Released
Determining which security vulnerabilities to address should be based on the importance of the information asset.
Security Cert
CERT Autoresponder Disabled
Because of ongoing problems with the autoresponder messages being interpreted as spam, we have decided to discontinue providing an automatic acknowledgement of email sent to cert@cert.org. This change does not affect how we handle email sent to that address.
Security Cert
New Podcast Released
During requirements engineering, software engineers need to think deeply about (and document) how software should behave when under attack.
Security Cert
Winners of Best Practices Security Awards Announced
The winning papers from the first international competition honoring best practices and advances in safeguarding the security of computer systems and networks have been posted.
Security Cert
New Podcast Released
Targeted, innovative communications and a robust life cycle are keys for security policy success.
Security Cert
Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools Published
This report describes a study conducted by the CERT Secure Coding Initiative and JPCERT to evaluate the efficacy of the CERT Secure Coding Standards and source code analysis tools in improving the quality and security of commercial software projects.
Security Cert
New Podcast Released
Managing software that is developed by an outside organization can be more challenging than building it yourself.
Security Cert
New Podcast Released
Software security is about building better, more defect-free software to reduce vulnerabilities that are targeted by attackers.
Security Cert
New CERT PGP Public Key
CERT has updated its PGP public key. We strongly urge you to encrypt sensitive information.
Security Cert
New Podcast Released
High-performing organizations effectively integrate information security controls into mainstream IT operational processes.
Security Cert
New Podcast Released
Helping your staff learn how to identify social engineering attempts is the first step in thwarting them.
Security Cert
Vulnerability Analysis Blog Published
In a new blog on the CERT website, CERT staff members will address various issues related to vulnerability analysis.
Security Cert
New Podcast Released
Benchmark results can be used to compare with peers, drive performance, and help determine how much security is enough.
Security Cert
CERT Statistics Updated
The CERT statistics have been updated with numbers from the first quarter of 2008.
Security Cert
CERT Authors Publish Book About Building Security into Software Products
Software Security Engineering: A Guide for Project Managers will be published by Addison-Wesley in early May 2008. The book shows project managers how to build security into their software products throughout the development life cycle.
Security Cert
New Podcast Released
Aligning with business objectives, integrating with enterprise risks, and collaborating with stakeholders are key to ensuring information privacy.
Security Cert
Incident Management Mission Diagnostic Method, Version 1.0 Published
This report presents a risk-based approach for determining the potential for success of an organization's incident management capability.
Security Cert
New Podcast Released
A sound security metrics program is grounded in selecting data that is relevant to consumers and collecting it from repeatable processes.
Security Cert
CERT Resiliency Engineering Framework, v0.95R Available
A draft version of the CERT Resiliency Engineering Framework is now available. We welcome and encourage your feedback on these materials.
Security Cert
2007 CERT Research Annual Report Published
CERT is developing theoretical foundations and engineering methods to help ensure the security of critical systems and networks. This report describes progress in CERT research projects and opportunities for collaboration.
Security Cert
New Podcast Released
Significant insider threat vulnerabilities can be introduced (and mitigated) during all phases of the software development life cycle.
Security Cert
New Podcast Released
Business leaders need to understand the risks to their organizations caused by the proliferation of botnets.
Security Cert
New Podcast Released
Selecting and reporting meaningful security metrics depend on picking topics of great interest, defining the business context, and having access to sound data.
Security Cert
SQUARE Instructional Materials Released
Workshop, tutorial, and academic educational materials on SQUARE (Security Quality Requirements Engineering) are now available for download.
Security Cert
New Podcast Released
Peer-to-peer networks are being used today to unintentionally disclose government, commercial, and personal information.
Security Cert
CERT Statistics Updated
The numbers from the fourth quarter have been incorporated, completing the 2007 statistics.
Security Cert
Insider Threat Studies Released
Insider Threat Study: Illicit Cyber Activity in the Government Sector and Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector have been released. These reports present the findings of research efforts to examine reported insider incidents within their respective sectors.
Security Cert
New Podcast Released
Directors and senior executives are personally accountable for protecting information entrusted to their care.