Reports in Security & Survivability

sorted descending by Publication Date


Software Assurance Competency Model
(May 2013)
Authors: Thomas B. Hilburn (Embry-Riddle Aeronautical University), Mark A. Ardis (Stevens Institute of Technology), Glenn Johnson ((ISC)2), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Nancy R. Mead

Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
(March 2013)
Authors: Andrew P. Moore, David McIntire (CERT), Dave Mundie, David Zubrow

Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection
(March 2013)
Authors: George Silowash, Todd Lewellen, Joshua W. Burns, Daniel L. Costa

The MAL: A Malware Analysis Lexicon
(February 2013)
Authors: Dave Mundie, David McIntire (CERT)

Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders
(January 2013)
Authors: George Silowash, Todd Lewellen

Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources
(January 2013)
Authors: George Silowash, Christopher King

Common Sense Guide to Mitigating Insider Threats, 4th Edition
(December 2012)
Authors: George Silowash, Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak, Timothy J. Shimeall, Lori Flynn

Analyzing Cases of Resilience Success and Failure—A Research Study
(December 2012)
Authors: Julia H. Allen, Pamela D. Curtis, Nader Mehravari (Executive VP at IT Cadre and SEI Affiliate), Andrew P. Moore, Kevin G. Partridge, Robert W. Stoddard, Randall F. Trzeciak

Supporting the Use of CERT® Secure Coding Standards in DoD Acquisitions
(October 2012)
Authors: Timothy Morrow, Robert C. Seacord, John K. Bergey, Philip Miller

Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File
(October 2012)
Author: Allen D. Householder

Communication Among Incident Responders - A Study
(September 2012)
Authors: Brett Tjaden, Robert Floodeen

Competency Lifecycle Roadmap: Toward Performance Readiness
(September 2012)
Authors: Sandra Behrens, Christopher J. Alberts (CERT), Robin Ruefle

Probability-Based Parameter Selection for Black-Box Fuzz Testing
(August 2012)
Authors: Allen D. Householder, Jonathan M. Foote

Network Profiling Using Flow
(August 2012)
Authors: Austin Whisnant, Sid Faber

Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector
(July 2012)
Authors: Adam Cummings (CERT), Todd Lewellen, David McIntire (CERT), Andrew P. Moore, Randall F. Trzeciak

Report from the First CERT-RMM Users Group Workshop Series
(May 2012)
Authors: Julia H. Allen, Lisa R. Young

A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders
(May 2012)
Authors: Andrew P. Moore, Michael Hanley, Dave Mundie

Source Code Analysis Laboratory (SCALe)
(May 2012)
Authors: Robert C. Seacord, Will Dormann, James McCurley, Philip Miller, Robert W. Stoddard, David Svoboda, Jefferson Welch

Insider Threat Security Reference Architecture
(May 2012)
Authors: Joji Montelibano, Andrew P. Moore

CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 1
(March 2012)
Authors: Kevin G. Partridge, Lisa R. Young

Principles of Trust for Embedded Systems
(March 2012)
Author: David Fisher

Mission Risk Diagnostic (MRD) Method Description
(February 2012)
Authors: Christopher J. Alberts (CERT), Audrey J. Dorofee

Risk-Based Measurement and Analysis: Application to Software Security
(February 2012)
Authors: Christopher J. Alberts (CERT), Julia H. Allen, Robert W. Stoddard

Spotlight On: Malicious Insiders and Organized Crime Activity
(January 2012)
Author: Christopher King

Using Defined Processes as a Context for Resilience Measures
(December 2011)
Authors: Julia H. Allen, Pamela D. Curtis, Linda Parker Gates

Standards-Based Automated Remediation: A Remediation Manager Reference Implementation, 2011 Update
(December 2011)
Authors: Sagar Chaki, Rita C. Creel, Jeff Davenport, Mike Kinney (National Security Agency), Benjamin McCormick, Mary Popeck

CERT® Resilience Management Model Capability Appraisal Method (CAM) Version 1.1
(October 2011)
Author: Resilient Enterprise Management Team

CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1
(October 2011)
Authors: Kevin G. Partridge, Lisa R. Young

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination
(October 2011)
Authors: Michael Hanley, Joji Montelibano

2010 CERT Research Report
(September 2011)

Measures for Managing Operational Resilience
(July 2011)
Authors: Julia H. Allen, Pamela D. Curtis

Standards-Based Automated Remediation: A Remediation Manager Reference Implementation
(July 2011)
Authors: Sagar Chaki, Rita C. Creel, Jeff Davenport, Mike Kinney (National Security Agency), Benjamin McCormick, Mary Popeck

A Preliminary Model of Insider Theft of Intellectual Property
(June 2011)
Authors: Andrew P. Moore, Dawn Cappelli, Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University), Eric D. Shaw, Derrick Spooner, Randall F. Trzeciak

Trusted Computing in Embedded Systems Workshop
(April 2011)
Authors: Archie D. Andrews, Jonathan M. McCune

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0
(April 2011)
Authors: John Haller, Samuel A. Merrell, Matthew J. Butkovic, Bradford J. Willke

Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi
(March 2011)
Authors: Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology), Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory)

Function Extraction (FX) Research for Computation of Software Behavior: 2010 Development and Application of Semantic Reduction Theorems for Behavior Analysis
(February 2011)
Authors: Richard C. Linger (Oak Ridge National Laboratory), Tim Daly, Mark Pleszkoch

An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases
(February 2011)
Authors: Michael Hanley, Tyler Dean, Will Schroeder, Matt Houy, Randall F. Trzeciak, Joji Montelibano

Integrating the Master of Software Assurance Reference Curriculum into the Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems
(February 2011)
Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead, Jeff Ingalsbe (University of Detroit Mercy)

Network Monitoring for Web-Based Threats
(February 2011)
Author: Matthew Heckathorn

Trust and Trusted Computing Platforms
(January 2011)
Authors: David Fisher, Jonathan M. McCune, Archie D. Andrews

Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data
(January 2011)
Author: Michael Hanley

Software Supply Chain Risk Management: From Products to Systems of Systems
(January 2011)
Authors: Robert J. Ellison, Christopher J. Alberts (CERT), Rita C. Creel, Audrey J. Dorofee, Carol Woody

Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems
(December 2010)
Authors: Robert C. Seacord, Will Dormann, James McCurley, Philip Miller, Robert W. Stoddard, David Svoboda, Jefferson Welch

A Taxonomy of Operational Cyber Security Risks
(December 2010)
Authors: James J. Cebula, Lisa R. Young

Measuring Operational Resilience Using the CERT Resilience Management Model
(September 2010)
Authors: Julia H. Allen, Noopur Davis

Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum
(August 2010)
Authors: Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology), Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory), James McDonald (Monmouth University)

Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines
(August 2010)
Authors: Nancy R. Mead, Thomas B. Hilburn (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory)

Adapting the SQUARE Process for Privacy Requirements Engineering
(July 2010)
Authors: Ashwini Bijwe (Carnegie Mellon University), Nancy R. Mead

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability
(June 2010)
Authors: John Haller, Samuel A. Merrell, Matthew J. Butkovic, Bradford J. Willke

Java Concurrency Guidelines
(June 2010)
Authors: Fred Long, Dhruv Mohindra, Robert C. Seacord, David Svoboda

Specifications for Managed Strings, Second Edition
(June 2010)
Authors: Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, David Svoboda

Survivability Analysis Framework
(June 2010)
Authors: Robert J. Ellison, Carol Woody

CERT Resilience Management Model, Version 1.0
(May 2010)
Authors: Richard A. Caralli, Julia H. Allen, Pamela D. Curtis, David W. White, Lisa R. Young

Identifying Anomalous Port-Specific Network Behavior
(May 2010)
Author: Rhiannon Weaver

As-If Infinitely Ranged Integer Model, Second Edition
(April 2010)
Authors: Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Will Dormann, David Keaton, Thomas Plum (Plum Hall, Inc.), Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

Results of SEI Independent Research and Development Projects (FY 2009)
(December 2009)
Authors: Len Bass, Paul C. Clements, Dionisio de Niz, Peter H. Feiler, Matthew Geiger, Jeffrey Hansen, Jörgen Hansson, Scott Hissam, James Ivers, Mark H. Klein, Karthik Lakshmanan, Gabriel Moreno, Daniel Plakosh, R. Rajkumar, Kristopher Rush, Cal Waits, Kurt C. Wallnau, Lutz Wrage

Privacy Risk Assessment Case Studies in Support of SQUARE
(July 2009)
Authors: Varokas Panusuwan, Prashanth Batlagundu

As-if Infinitely Ranged Integer Model
(July 2009)
Authors: David Keaton, Thomas Plum (Plum Hall, Inc.), Robert C. Seacord, David Svoboda, Alex Volkovitsky, Timothy Wilson

Making the Business Case for Software Assurance
(April 2009)
Authors: Nancy R. Mead, Julia H. Allen, W. Arthur Conklin, Antonio Drommi, John Harrison, Jeff Ingalsbe (University of Detroit Mercy), James Rainey, Dan Shoemaker (University of Detroit Mercy)

Secure Design Patterns
(March 2009)
Authors: Chad Dougherty, Kirk Sayre, Robert C. Seacord, David Svoboda, Kazuya Togashi (JPCERT/CC)

Multi-View Decision Making (MVDM) Workshop
(February 2009)
Authors: Christopher J. Alberts (CERT), James Smith, Carol Woody

High-Fidelity E-Learning: The SEI's Virtual Training Environment (VTE)
(January 2009)
Authors: Jim Wrubel, David W. White, Julia H. Allen

Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis
(August 2008)
Authors: Cal Waits, Joseph A. Akinyele, Richard Nolan, Larry Rogers

SQUARE-Lite: Case Study on VADSoft Project
(August 2008)
Authors: Ashwin Gayash, Venkatesh Viswanathan, Deepa Padmanabhan

Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools
(June 2008)
Authors: Stephen Dewhurst, Chad Dougherty, Yurie Ito, David Keaton, Dan Saks, Robert C. Seacord, David Svoboda, Chris Taschner, Kazuya Togashi (JPCERT/CC)

Incorporating Security Quality Requirements Engineering (SQUARE) into Standard Life-Cycle Models
(May 2008)
Authors: Nancy R. Mead, Venkatesh Viswanathan, Deepa Padmanabhan, Anusha Raveendran

Survivability Assurance for System of Systems
(May 2008)
Authors: Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody

The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures
(May 2008)
Authors: Andrew P. Moore, Dawn Cappelli, Randall F. Trzeciak

Incident Management Mission Diagnostic Method, Version 1.0
(March 2008)
Authors: Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek

Governing for Enterprise Security (GES) Implementation Guide
(September 2007)
Authors: Julia H. Allen, Jody R. Westby

How To Compare the Security Quality Requirements Engineering (SQUARE) Method with Other Methods
(September 2007)
Author: Nancy R. Mead

Process Improvement Should Link to Security: SEPG 2007 Security Track Recap
(September 2007)
Author: Carol Woody

Ranged Integers for the C Programming Language
(September 2007)
Authors: Jeff Gennari, Shaun Hedrick, Fred Long, Justin Pincar, Robert C. Seacord

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process
(May 2007)
Authors: Richard A. Caralli, James F. Stevens, Lisa R. Young, William R. Wilson

Incident Management Capability Metrics Version 0.1
(May 2007)
Authors: Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek

Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes
(May 2007)
Authors: Richard A. Caralli, James F. Stevens, Charles M. Wallen (Financial Services Technology Consortium), David W. White, William R. Wilson, Lisa R. Young

Modeling and Analysis of Information Technology Change and Access Controls in the Business Context
(March 2007)
Authors: Andrew P. Moore, Rohit S. Antao

Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks
(March 2007)
Authors: Dawn Cappelli, Akash G. Desai (Information Networking Institute, Carnegie Mellon University), Andrew P. Moore, Timothy J. Shimeall, Elise A. Weaver (Worcester Polytechnic Institute), Bradford J. Willke

Global Information Grid Survivability: Four Studies
(March 2007)
Authors: Richard C. Ciampa, Dawn Day, Jennifer R. Franks, Christopher T. Tsuboi

Technology Foundations for Computational Evaluation of Software Security Attributes
(December 2006)
Authors: Gwendolyn H. Walton, Thomas A. Longstaff, Richard C. Linger (Oak Ridge National Laboratory)

Defense-in-Depth: Foundations for Secure and Resilient Enterprises
(September 2006)
Authors: Christopher May, Josh Hammerstein, Kristopher Rush, Jeff Mattson

Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks
(September 2006)
Author: Howard F. Lipson

Specifications for Managed Strings
(May 2006)
Authors: Hal Burch, Fred Long, Robert C. Seacord

Applying OCTAVE: Practitioners Report
(May 2006)
Author: Carol Woody

Security Quality Requirements Engineering (SQUARE): Case Study Phase III
(May 2006)
Authors: Eric Hough, Don Ojoko-Adams, Lydia Chung, Frank Hung

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management
(April 2006)
Author: Richard A. Caralli

Detecting Scans at the ISP Level
(April 2006)
Authors: Carrie Gates, Josh McNutt, Joseph B. Kadane (Department of Statistics, Carnegie Mellon University), Marc I. Kellner

Toward Measures for Software Architectures
(March 2006)
Authors: Gary Chastek, Robert Ferguson

CERT Function Extraction Experiment: Quantifying FX Impact on Software Comprehension and Verification, The
(December 2005)
Authors: Rosann W. Collins, Alan R. Hevner (University of South Florida), Gwendolyn H. Walton, Richard C. Linger (Oak Ridge National Laboratory)

Security Quality Requirements Engineering
(November 2005)
Authors: Nancy R. Mead, Eric Hough, Ted Stehney II

Software Vulnerabilities in Java
(October 2005)
Author: Fred Long

Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments
(September 2005)
Authors: Christopher J. Alberts (CERT), Audrey J. Dorofee

Building Information Assurance Educational Capacity: Pilot Efforts to Date
(September 2005)
Author: Carol A. Sledge

First Responders Guide to Computer Forensics: Advanced Topics
(September 2005)
Authors: Richard Nolan, Michele Baker, Jake Branson, Josh Hammerstein, Kristopher Rush, Cal Waits, Elizabeth Schweinsberg

Impact of Function Extraction Technology on Next-Generation Software Engineering, The
(July 2005)
Authors: Alan R. Hevner (University of South Florida), Richard C. Linger (Oak Ridge National Laboratory), Rosann W. Collins, Mark Pleszkoch, Stacy J. Prowell, Gwendolyn H. Walton

Governing for Enterprise Security
(June 2005)
Author: Julia H. Allen

Information Asset Profiling
(June 2005)
Author: James F. Stevens

Report on Annual Regional Information Assurance Symposia
(June 2005)
Author: Carol A. Sledge

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
(June 2005)
Authors: Andrew P. Moore, Marissa R. Randazzo (United States Secret Service), Michelle Keeney (United States Secret Service), Dawn Cappelli

System Quality Requirements Engineering (SQUARE): Case Study on Asset Management System, Phase II
(May 2005)
Authors: Dan Gordon, Neha Wattas, Eugene Yu, Ted Stehney II

Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements
(March 2005)
Author: Carol Woody

First Responders Guide to Computer Forensics
(March 2005)
Authors: Richard Nolan, Colin O'Sullivan, Jake Branson, Cal Waits

OCTAVE-S Implementation Guide, Version 1
(January 2005)
Authors: Christopher J. Alberts (CERT), Audrey J. Dorofee, James F. Stevens, Carol Woody

Structured Approach to Classifying Security Vulnerabilities, A
(January 2005)
Authors: Robert C. Seacord, Allen D. Householder

Systems Quality Requirements Engineering (SQUARE) Methodology: Case Study on Asset Management System
(December 2004)
Authors: Peter Chen, Marjon Dean, Don Ojoko-Adams, Hassan Osman, Lilian Lopez, Nick Xie

Managing for Enterprise Security
(December 2004)
Author: Richard A. Caralli

SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies
(November 2004)
Authors: Nick Xie, Nancy R. Mead

Defining Incident Management Processes for CSIRTs: A Work in Progress
(October 2004)
Authors: Christopher J. Alberts (CERT), Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek

Security and Survivability Reasoning Frameworks and Architectural Design Tactics
(September 2004)
Authors: Robert J. Ellison, Andrew P. Moore, Len Bass, Mark H. Klein, Felix Bachmann

Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management, The
(July 2004)
Author: Richard A. Caralli

Survivable Functional Units: Balancing an Enterprise's Mission and Technology
(May 2004)
Author: Larry Rogers

Advanced Information Assurance Handbook
(March 2004)
Authors: Christopher May, Michele Baker, Derek Gabbard, Travis Good, Galen Grimes, Mark Holmgren, Richard Nolan, Robert Nowak, Sean Pennline

Common Concepts Underlying Safety, Security, and Survivability Engineering
(December 2003)
Author: Donald Firesmith

Organizational Models for Computer Security Incident Response Teams (CSIRTs)
(December 2003)
Authors: Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle, Mark Zajicek

State of the Practice of Computer Security Incident Response Teams (CSIRTs)
(October 2003)
Authors: Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle, Mark Zajicek

Requirements Engineering for Survivable Systems
(September 2003)
Author: Nancy R. Mead

International Liability Issues for Software Quality
(July 2003)
Author: Nancy R. Mead

Handbook for Computer Security Incident Response Teams (CSIRTs)
(April 2003)
Authors: Moira West Brown, Don Stikvoort, Klaus-Peter Kossakowski, Georgia Killcrece, Robin Ruefle, Mark Zajicek

Applying FSQ Engineering Foundations to Automated Calculation of Program Behavior
(February 2003)
Author: Richard C. Linger (Oak Ridge National Laboratory)

Outsourcing Managed Security Services
(January 2003)
Authors: Julia H. Allen, Derek Gabbard, Christopher May

Network Survivability Analysis Using Easel
(December 2002)
Author: Alan M. Christie

Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues
(November 2002)
Author: Howard F. Lipson

Life-Cycle Models for Survivable Systems
(October 2002)
Authors: Richard C. Linger (Oak Ridge National Laboratory), Howard F. Lipson, John McHugh, Nancy R. Mead, Carol A. Sledge

Trustworthy Refinement Through Intrusion-Aware Design (2002)
(October 2002)
Authors: Robert J. Ellison, Andrew P. Moore

Trustworthy Refinement Through Intrusion-Aware Design
(October 2002)
Authors: Robert J. Ellison, Andrew P. Moore

Reeducation to Expand the Software Engineering Workforce: Successful Industry/University Collaborations
(July 2002)
Authors: Heidi J. Ellis, Ana Moreno, Nancy R. Mead, Stephen B. Seidman

Flow-Service-Quality (FSQ) Engineering: Foundations for Network System Analysis and Development
(June 2002)
Authors: Richard C. Linger (Oak Ridge National Laboratory), Mark Pleszkoch, Gwendolyn H. Walton, Alan R. Hevner (University of South Florida)

Can We Ever Build Survivable Systems from COTS Components?
(December 2001)
Authors: Howard F. Lipson, Nancy R. Mead, Andrew P. Moore

Case Study in Survivable Network System Analysis
(September 1998)
Authors: Robert J. Ellison, Richard C. Linger (Oak Ridge National Laboratory), Thomas A. Longstaff, Nancy R. Mead

Help us improve

Visitor feedback helps us continually improve our site.

Please tell us what you
think with this short
(< 5 minute) survey.