http://www.sei.cmu.edu/feeds/topic/Updates on changes and additions to the SEI Blog for posts matching Secure Developmenten-usWed, 04 Mar 2026 00:00:00 -0500https://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post presents five foundational capabilities to support the acquisition of a system with effective software assurance.Dr. Carol Woody, Christopher Alberts, Michael Bandor, Timothy A. ChickWed, 04 Mar 2026 00:00:00 -0500https://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updateshttps://www.sei.cmu.edu/blog/tailoring-9-zero-trust-and-security-principles-to-weapon-systems/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesOur latest post outlines how 9 zero trust and security principles might apply to weapon systems.Christopher Alberts, Timothy Morrow, Rhonda Brown, Charles WallenTue, 09 Dec 2025 00:00:00 -0500https://www.sei.cmu.edu/blog/tailoring-9-zero-trust-and-security-principles-to-weapon-systems/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updateshttps://www.sei.cmu.edu/blog/ai-powered-memory-safety-with-the-pointer-ownership-model/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post highlights work to automate C Code Security with AI-Powered memory safety.David Svoboda, Lori FlynnWed, 03 Dec 2025 00:00:00 -0500https://www.sei.cmu.edu/blog/ai-powered-memory-safety-with-the-pointer-ownership-model/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updateshttps://www.sei.cmu.edu/blog/managing-security-and-resilience-risks-across-the-lifecycle/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post introduces the Security Engineering Framework, a schema of software-focused engineering practices that acquisition programs can use to manage security and resilience risks across the lifecycle.Christopher Alberts, Charles Wallen, Dr. Carol Woody, Michael BandorWed, 23 Jul 2025 00:00:00 -0400https://www.sei.cmu.edu/blog/managing-security-and-resilience-risks-across-the-lifecycle/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updateshttps://www.sei.cmu.edu/blog/detection-and-repair-the-cost-of-remediation/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis year, we plan on making some exciting updates to the SEI CERT C Coding Standard. This blog post is about one of our ideas for improving the standard.David SvobodaMon, 03 Mar 2025 00:00:00 -0500https://www.sei.cmu.edu/blog/detection-and-repair-the-cost-of-remediation/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updateshttps://www.sei.cmu.edu/blog/measurement-challenges-in-software-assurance-and-supply-chain-risk-management/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis SEI Blog post examines the current state of measurement in software assurance and supply chain management, with a particular focus on open source software, and highlights promising measurement approaches.Nancy Mead, Dr. Carol Woody, Scott HissamMon, 20 May 2024 00:00:00 -0400https://www.sei.cmu.edu/blog/measurement-challenges-in-software-assurance-and-supply-chain-risk-management/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSupply Chain Assurancehttps://www.sei.cmu.edu/blog/what-recent-vulnerabilities-mean-to-rust/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesIn recent weeks several vulnerabilities have rocked the Rust community causing many to question its safety. This post examines two such vulnerabilities.David SvobodaMon, 29 Apr 2024 00:00:00 -0400https://www.sei.cmu.edu/blog/what-recent-vulnerabilities-mean-to-rust/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesRusthttps://www.sei.cmu.edu/blog/the-sei-sbom-framework-informing-third-party-software-management-in-your-supply-chain/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post presents a framework to promote the use of SBOMs and establish practices and processes that organizations can leverage as they build their programs.Christopher Alberts, Michael Bandor, Charles Wallen, Dr. Carol WoodyMon, 06 Nov 2023 00:00:00 -0500https://www.sei.cmu.edu/blog/the-sei-sbom-framework-informing-third-party-software-management-in-your-supply-chain/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSupply Chain AssuranceAcquisition Transformationhttps://www.sei.cmu.edu/blog/rust-vulnerability-analysis-and-maturity-challenges/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post explores tools for understanding vulnerabilities in the Rust programming language as well as the maturity of the Rust software ecosystem as a whole and how that might impact future security responses.Garret Wassermann, David SvobodaMon, 23 Jan 2023 00:00:00 -0500https://www.sei.cmu.edu/blog/rust-vulnerability-analysis-and-maturity-challenges/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesRusthttps://www.sei.cmu.edu/blog/rust-software-security-a-current-state-assessment/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post examines security issues with the Rust programming language.Joe Sible, David SvobodaMon, 12 Dec 2022 00:00:00 -0500https://www.sei.cmu.edu/blog/rust-software-security-a-current-state-assessment/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesRusthttps://www.sei.cmu.edu/blog/taking-up-the-challenge-of-open-source-software-security-in-the-dod/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post describes a workshop hosted by the SEI to start a conversation to elevate the trustworthiness of free and open source software, particularly in DoD settings.Scott HissamMon, 15 Aug 2022 00:00:00 -0400https://www.sei.cmu.edu/blog/taking-up-the-challenge-of-open-source-software-security-in-the-dod/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSoftware AssuranceSupply Chainshttps://www.sei.cmu.edu/blog/11-leading-practices-when-implementing-a-container-strategy/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesWhile containers are frequently lauded in the latest software development trends, switching from using virtual machines and deploying an organization-wide container strategy remains non-trivial.Andrew Mellinger, William Nichols, Jay PalatMon, 08 Nov 2021 00:00:00 -0500https://www.sei.cmu.edu/blog/11-leading-practices-when-implementing-a-container-strategy/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updateshttps://www.sei.cmu.edu/blog/release-of-scaife-system-version-200-provides-support-for-continuous-integration-ci-systems/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesKey features in new release of SCAIFE System Version 2.0.0 including support for continuous-integration (CI) systems, and status of evolving SEI SCAIFE workLori FlynnMon, 25 Oct 2021 00:00:00 -0400https://www.sei.cmu.edu/blog/release-of-scaife-system-version-200-provides-support-for-continuous-integration-ci-systems/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesContinuous Deployment of CapabilitySCALE: A Static Analysis Auditing ToolSecure CodingMachine LearningStatic AnalysisStatic Analysis Classification and PrioritizationSecure DevelopmentArtificial IntelligenceSource Code Analysis Integrated Framework Environment (SCAIFE)https://www.sei.cmu.edu/blog/a-technique-for-decompiling-binary-code-for-software-assurance-and-localized-repair/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThe DoD has a significant amount of software available only in binary form. It is impractical to ensure that this software is free from vulnerabilities and malicious code.William KlieberMon, 11 Oct 2021 00:00:00 -0400https://www.sei.cmu.edu/blog/a-technique-for-decompiling-binary-code-for-software-assurance-and-localized-repair/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updateshttps://www.sei.cmu.edu/blog/anti-tamper-for-software-components/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post explains how to identify software components within systems that are in danger of being exploited and that should be protected by anti-tamper practices.Scott HissamMon, 21 Jun 2021 00:00:00 -0400https://www.sei.cmu.edu/blog/anti-tamper-for-software-components/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSoftware AssuranceSystem ResilienceCyber Risk and Resilience ManagementSupply Chainshttps://www.sei.cmu.edu/blog/public-repository-data-static-analysis-classification-research/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis blog post describes a new repository of labeled data that CERT is making publicly available for many code-flaw conditions. Researchers can use this dataset along with the associated code and tool output to monitor and test the performance of their automated classification of meta-alerts.Lori FlynnMon, 02 Nov 2020 00:00:00 -0500https://www.sei.cmu.edu/blog/public-repository-data-static-analysis-classification-research/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesStatic Analysis Classification and PrioritizationSCALE: A Static Analysis Auditing ToolSource Code Analysis Integrated Framework Environment (SCAIFE)https://www.sei.cmu.edu/blog/automated-code-repair-to-ensure-memory-safety/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesMemory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS....William KlieberMon, 24 Feb 2020 00:00:00 -0500https://www.sei.cmu.edu/blog/automated-code-repair-to-ensure-memory-safety/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecure CodingSecure Developmenthttps://www.sei.cmu.edu/blog/an-application-programming-interface-for-classifying-and-prioritizing-static-analysis-alerts/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesIn this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts.Lori Flynn, Ebonie McNeilMon, 22 Jul 2019 00:00:00 -0400https://www.sei.cmu.edu/blog/an-application-programming-interface-for-classifying-and-prioritizing-static-analysis-alerts/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesStatic Analysis Classification and PrioritizationSCALE: A Static Analysis Auditing Toolhttps://www.sei.cmu.edu/blog/how-to-use-static-analysis-to-enforce-sei-cert-coding-standards-for-iot-applications/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThe Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT)....David SvobodaMon, 01 Apr 2019 00:00:00 -0400https://www.sei.cmu.edu/blog/how-to-use-static-analysis-to-enforce-sei-cert-coding-standards-for-iot-applications/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity-Related RequirementsSecure CodingCyber Risk and Resilience ManagementStatic AnalysisCybersecuritySecure DevelopmentCyber MissionsBest Practices in Network Securityhttps://www.sei.cmu.edu/blog/using-the-sei-cert-coding-standards-to-improve-security-of-the-internet-of-things/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThe Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity....David SvobodaMon, 11 Feb 2019 00:00:00 -0500https://www.sei.cmu.edu/blog/using-the-sei-cert-coding-standards-to-improve-security-of-the-internet-of-things/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity-Related RequirementsSecure CodingSecure DevelopmentCyber MissionsInternet of Things