Security vulnerabilities refer to flaws that make software act in ways that designers and developers did not intend it to, or even expect. Research in vulnerability analysis aims to improve ways of discovering vulnerabilities and making them public to prevent attackers from exploiting them.
The use of software has expanded into all aspects of our lives to the point that vulnerabilities have the potential to directly affect everyone. In the past, computer users might have been the only people that needed to worry about vulnerabilities. Today, anyone that uses smartphones, smart watches, smart TVs, or any other connected device or system is susceptible to having their information or property stolen. Even activities such as flying on an airplane, going to the hospital to get testing or medications, or using your credit cards are not completely secure. How can you protect yourself? In an environment where software is everywhere, opting out is simply not an option.
Vulnerabilities can also affect government agencies, industry, and critical infrastructure, such as power or water-treatment plants, local and federal government agencies, hospitals, banking institutions, and more. A successful attack against any of these entities could be catastrophic, resulting in massive data breaches or even injuries and death.
Today’s software-development environments create many easy opportunities for adversaries. Organizations must be constantly alert, working tirelessly to find and mitigate vulnerabilities that could affect them.
Addressing Risk on Multiple Fronts
To reduce cybersecurity risk, SEI researchers conduct and promote coordinated vulnerability disclosure; research and publish vulnerability discovery methods and tools; work to improve vulnerability data and information systems; model vulnerability in technology ecosystems; research vulnerability presented by complicated supply chains; and model adversary behavior—all with the goal of helping organizations improve their knowledge and skills for defending their software and systems.
At the SEI, we’ve been working to help keep organizations and the public informed about vulnerabilities for almost 30 years. In 1988, we published our first advisory on vulnerabilities that were exploited by the Morris worm, which was one of the first types of malware to successfully replicate widely over the Internet, causing widespread damage.
Since then, we have worked on many vulnerability reports, and we often consult with software vendors about releasing patches and fixes. The CERT Division of the SEI notifies the public of vulnerabilities, providing detailed technical information and mitigation strategies via CERT Vulnerability Notes, which propagate to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). Recently, the CERT Coordination Center (CERT/CC) rolled out a new, web-based platform for software vulnerability reporting and coordination called the Vulnerability Information and Coordination Environment (VINCE). VINCE helps scale communications and increase the level of direct collaboration between vulnerability reporters, coordinators, and software vendors, aiding the vendor to provide a fix or patch.
We are also closely involved in working on standards and policy development, process engineering, and outreach. Our work on disclosures is transferred to the U.S. Department of Defense (DoD), as well as other organizations. CERT researchers analyze vulnerability data, collaborate with others to improve information exchange, and interface with external standards groups such as the NIST, NVD, and Common Vulnerability and Exposures (CVE) system to enhance data formats or exchange protocols. Beyond our work with security defects in deployed software, we also perform vulnerability discovery to catch defects early in the development lifecycle and develop downloadable vulnerability discovery and analysis tools.
What We Offer
The Latest from the SEI Blog
October 30, 2020 • Blog Post
Spectre. Meltdown. Dirty Cow. Heartbleed. All of these are vulnerabilities that were named by humans, sometimes for maximum impact factor or marketing. Consequently, not every named vulnerability is a severe vulnerability despite what some researchers want you to think. Sensational...read
Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning
October 22, 2020 • Blog Post
My colleagues, Nathan VanHoudnos, April Galyardt, Allen Householder, and I would like you to know that today Microsoft and MITRE are releasing their Adversarial Machine Learning Threat Matrix. This is a collaborative effort to bring MITRE's ATT&CK framework into securing...read
Our Vision for the Future of Security Vulnerabilities
Understanding vulnerabilities in embedded and connected software-reliant systems—including cars, implanted medical devices, airplanes, industrial control systems, and emerging domains—is key to the future of defending against security vulnerabilities. To proactively identify, assess, and resolve new risks, SEI researchers will continue to work on advancing tools and methodologies. As new attackers continue to discover and exploit new security vulnerabilities, and as the complexity of attacks increase, the SEI’s research will continue to respond to improve the strength of our defenses.
Read our wiki to learn more.