Attacking Software Vulnerabilities
In 2014, the SEI's CERT Division introduced the Tapioca tool to check Android apps for vulnerabilities. In the first year of use, Tapioca was used to check more than one million Android apps.
The release of the open source Tapioca tool, a network-layer man-in-the-middle proxy virtual machine, is one bit of evidence of the CERT Division's continuing commitment to proactive vulnerability discovery. The CERT Division vulnerability analysis team maintains over 1,400 vendor contacts, creating vulnerability reports that eventually appear as entries in the National Vulnerability Database.
The SEI also works directly with US-CERT to publish Vulnerability Notes on the US-CERT website, where they are considered the authoritative statement from the government regarding a given vulnerability. In addition, the SEI's CERT Division is the only organization that has proven able to repeatedly and successfully coordinate responses to a vulnerability across industry, the DoD, and the federal government.