SEI CERT Division Releases Downloadable Source Code Analysis Tool
PITTSBURGH, Aug. 15, 2018—The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University today announced the release of its Source Code Analysis Laboratory (SCALe) application. This is the first public release of SCALe as open source.
SCALe can be used for auditing software in any source code language. This version of SCALe provides categories of alerts for tools based on two code flaw taxonomies—CERT Secure Coding Standards and MITRE’s Common Weakness Enumeration (CWE). The CERT Secure Coding Standards support detailed guidance for secure development in C, C++, Java, and Perl.
The SCALe application can be used to identify source code flaws that may lead to vulnerabilities. Because it consumes the output of multiple flaw-finding static analysis tools, SCALe lets auditors efficiently examine more code defects than any single static analysis tool would find.
“Using multiple static analysis tools can greatly increase the types of flaws found,” said Lori Flynn, senior software security researcher at the SEI. “The alerts must be examined by an expert who determines whether each alert represents an actual code defect. Typically there are too many alerts, and not all can be manually examined. The SCALe system is designed to make this process easier. We are researching ways to automate the process of accurate alert classification and sophisticated methods of alert prioritization, and this version of SCALe includes features added over the last three years intended to assist with that.”
The SCALe application simplifies the process of auditing alerts. It takes as input the source code for a program, plus output from static analysis tools (flaw-finding tools and code metrics tools) that were run on the code. With this input, it provides a browser-based interface to the alerts and their associated code. It provides simple prioritizations of the alerts and relevant information about the potential vulnerabilities and how to fix the code based on the CERT Secure Coding Standards and CWEs. It makes auditor work more efficient by fusing alerts into a single view that requires only one audit determination.
SCALe provides an easy-to-use graphical user interface for examining alerts, identifying true positives and other determinations, and saving the audit information to a database.
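The alert fusion and prioritization described above, as an added illustration that is not SCALe's own code: alerts from two hypothetical tools are mapped to a CERT rule and CWE through an assumed checker mapping, alerts on the same file, line and rule are fused into one audit item, and items reported by more tools are ranked first.

```python
"""Fuse alerts from several static analysis tools into one audit item each, as
SCALe's description outlines. Added example; not SCALe's own code."""
from dataclasses import dataclass, field

# Assumed checker-id -> (CERT rule, CWE) mapping; tool and checker names are constructed.
CHECKER_MAP = {
    ("toolA", "BUFFER_OVERRUN"): ("ARR30-C", "CWE-119"),
    ("toolB", "array-index"): ("ARR30-C", "CWE-119"),
    ("toolA", "UNCHECKED_RETURN"): ("ERR33-C", "CWE-252"),
}

@dataclass
class FusedAlert:
    path: str
    line: int
    cert_rule: str
    cwe: str
    tools: set = field(default_factory=set)       # tools that reported it
    messages: list = field(default_factory=list)  # original tool messages

def fuse_alerts(raw_alerts):
    """raw_alerts: (tool, checker, path, line, message) tuples. Alerts that map
    to the same (path, line, CERT rule) are fused so the auditor makes one
    determination; returns (fused dict, count of alerts with no mapping)."""
    fused, unmapped = {}, 0
    for tool, checker, path, line, msg in raw_alerts:
        mapping = CHECKER_MAP.get((tool, checker))
        if mapping is None:          # unknown checker: cannot be categorized
            unmapped += 1
            continue
        rule, cwe = mapping
        fa = fused.setdefault((path, line, rule), FusedAlert(path, line, rule, cwe))
        fa.tools.add(tool)
        fa.messages.append(f"{tool}/{checker}: {msg}")
    return fused, unmapped

def prioritize(fused):
    """Simple prioritization: alerts reported by more tools come first."""
    return sorted(fused.values(), key=lambda a: (-len(a.tools), a.path, a.line))

# Constructed sample output from the two hypothetical tools.
SAMPLE = [
    ("toolA", "BUFFER_OVERRUN", "src/parse.c", 42, "index may exceed bounds"),
    ("toolB", "array-index", "src/parse.c", 42, "possible out-of-bounds write"),
    ("toolA", "UNCHECKED_RETURN", "src/io.c", 17, "return value of fclose ignored"),
    ("toolB", "unknown-checker", "src/io.c", 99, "no taxonomy mapping"),
]
```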
For more information about the SCALe application, see https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=473847. Download the application at https://github.com/cmu-sei/SCALe.
SEI Seeks Responses to ODNI-Sponsored Online Cyber Intelligence Survey
Pittsburgh, Pa., August 9, 2018—The Emerging Technology Center at the Software Engineering Institute (SEI) at Carnegie Mellon University today issued a call for U.S.-owned organizations to participate in a cyber intelligence tradecraft survey. The survey is part of a cyber intelligence study the SEI is conducting on behalf of the Office of the Director of National Intelligence (ODNI).
Cyber intelligence—acquiring and analyzing information about cyber capabilities, intentions, and activities to enhance decision making—is a rapidly changing field.
“As an intellectual discipline, cyber intelligence is still in its relative infancy, which makes it especially important to identify and share best practices,” said Jim Richberg, ODNI’s national intelligence manager for cyber. “The insight we gain from this study will improve our ability to produce and share actionable cyber intelligence in both government and the private sector.”
The study, which the SEI will complete in 2019, will describe how organizations across the federal government, industry, and academia conduct cyber intelligence activities, identifying common challenges and best practices.
The online survey extends the reach of qualitative, in-person interviews the SEI is conducting as part of the study, which began in December 2017.
“Over the course of our interviews with organizations, we’ve noticed several trends and themes, which we’ve used to develop a survey,” said Jared Ettinger of the SEI’s cyber intelligence team. “With the online survey, we have a chance to increase the scale of our research. For example, we’ll be able to understand the use of certain tools and processes across sectors.”
The Cyber Intelligence Tradecraft Survey requires approximately 15 minutes to complete and asks questions based in five key areas:
environmental context (factors that shape an organization’s cyber intelligence effort)
data gathering (how an organization collects information)
functional analysis (the technical “what” and “how” of cyber intelligence)
strategic analysis (the “who” and “why” of cyber intelligence)
decision-maker reporting and feedback (how a cyber intelligence team interacts with leadership)
The SEI will issue a report based on the study in early 2019.
The SEI team is still accepting organizations for in-person interviews and specifically invites organizations from the manufacturing, healthcare, food and agriculture, and water sectors to apply. Interview participants receive a private comparative analysis of their own cyber intelligence efforts as well as access to overall study results prior to public release.
To complete the survey, visit https://www.surveymonkey.com/r/SEI_CITP. For more information about the study, see https://www.sei.cmu.edu/about/organization/etc/citp.cfm. Organizations wishing to participate in an in-person interview should contact the SEI at firstname.lastname@example.org.
CERT Division Announces Data Science in Cybersecurity Symposium
Pittsburgh, Pa., July 27, 2018—The Software Engineering Institute CERT Division today announced the 2nd annual CERT Data Science in Cybersecurity Symposium, a free one-day symposium to be held in Arlington, Va., on August 29. Registration is now open.
Modern computer networks generate incredible amounts of data, but making sense of this data is simultaneously a critically important task and a near-impossible exercise requiring advanced software and highly trained personnel.
Data science focuses on creating techniques that uncover hidden patterns in enormous data sets and developing tools that enable this discovery in any dataset and in any environment. Over the past few years, significant advances have been made in both techniques and tools, enabling even the most subtle of patterns to be identified using modern computing power.
The 2018 CERT Data Science in Cybersecurity Symposium focuses on metadata. It will examine the deep insights that can be gleaned from what appears to be highly limited data, as well as the relationship between cybersecurity data and privacy and how to manage that risk.
Speakers at the symposium will include:
Lujo Bauer, associate professor, Carnegie Mellon University Institute for Software Research
Ari Gesher, morning keynote speaker, founding director of software engineering at Kairos Aerospace
Bob Rudis, chief security data scientist, Rapid7
Shawn Riley, chief data officer and CISO, Darklight Cybersecurity (invited)
Eliezer Kanal, technical manager, science of cybersecurity, SEI CERT Division
Doug Sicker, department head and professor, Engineering and Public Policy, Carnegie Mellon University
Mark Perlin, CSO and CEO, Cybergenetics
Lisa Gumbs, assistant general counsel for operations (ret.), Defense Intelligence Agency
April Galyardt, machine learning research scientist, SEI CERT Division
The event is free to attend, but space is limited, and registration is required to reserve a seat.
For more information about the CERT Data Science in Cybersecurity Symposium and to register, visit https://data-science-symposium.eventbrite.com.
FloCon 2019 Call for Participation Now Open
July 24, 2018—The Call for Participation for FloCon 2019 is now open. The 2019 edition will focus on applying analytics to any large-scale dataset (not just network flow data) to enhance security. Everyone interested in data-driven security is invited to submit abstracts for this conference. We are particularly interested in new, innovative ways to use big data to address thorny security problems.
FloCon 2019 will take place January 7-10, 2019 in New Orleans, Louisiana. FloCon provides a forum for exploring large-scale, next-generation data analytics in support of security operations. FloCon is geared toward operational analysts, tool developers, researchers, security professionals, and others interested in applying cutting-edge techniques to analyze and visualize large datasets for protection and defense of networked systems.
To learn more and to submit abstracts for presentations, posters, and demonstrations, visit https://resources.sei.cmu.edu/news-events/events/flocon/cfp.cfm.
To learn more about FloCon, visit
Ipek Ozkaya Named IEEE Software Editor-in-Chief
The IEEE Computer Society has named Ipek Ozkaya, a principal researcher in the SEI’s Software Solutions Division, the next Editor-in-Chief of IEEE Software, a leading bimonthly peer-reviewed journal published by the IEEE Computer Society.
Ozkaya will assume editorial duties in January 2019. Her term will run through December 2021. As editor-in-chief, Ozkaya plans to focus on publishing results that provide practical guidance and help for both established and newcomer software developers and architects.
Ozkaya notes that experienced practitioners face the challenge of staying relevant in a dynamic environment where knowledge-consumption models continually evolve from centralized and controlled to open and collaborative. Also, in government and elsewhere, newcomers to the workforce often lack the skills to make effective use of the complex software-based systems with which they must interact. For all practitioners, Ozkaya plans to work toward the transition of practical research through easily consumable means.
Ozkaya noted that she welcomes the opportunity to work closely with others in the diverse, global, technology-savvy IEEE Software community.