Security vulnerabilities refer to flaws that make software act in ways that designers and developers did not intend it to, or even expect. Research in vulnerability analysis aims to improve ways of discovering vulnerabilities and making them public to prevent attackers from exploiting them.
The use of software has expanded into all aspects of our lives to the point that vulnerabilities have the potential to directly affect everyone. In the past, computer users might have been the only people who needed to worry about vulnerabilities. Today, anyone who uses smartphones, smart watches, smart TVs, or any other connected device or system is susceptible to having their information or property stolen. Even activities such as flying on an airplane, going to the hospital to get testing or medications, or using your credit cards are not completely secure. How can you protect yourself? In an environment where software is everywhere, opting out is simply not an option.
Vulnerabilities can also affect government agencies, industry, and critical infrastructure, such as power or water-treatment plants, local and federal government agencies, hospitals, banking institutions, and more. A successful attack against any of these entities could be catastrophic, resulting in massive data breaches or even injuries and death.
Today’s software-development environments create many easy opportunities for adversaries. Organizations must be constantly alert, working tirelessly to find and mitigate vulnerabilities that could affect them.
Addressing Risk on Multiple Fronts
To reduce cybersecurity risk, SEI researchers conduct and promote coordinated vulnerability disclosure; research and publish vulnerability discovery methods and tools; work to improve vulnerability data and information systems; model vulnerability in technology ecosystems; research vulnerability presented by complicated supply chains; and model adversary behavior—all with the goal of helping organizations improve their knowledge and skills for defending their software and systems.
At the SEI, we’ve been working to help keep organizations and the public informed about vulnerabilities for almost 30 years. In 1988, we published our first advisory on vulnerabilities that were exploited by the Morris worm, which was one of the first types of malware to successfully replicate widely over the Internet, causing widespread damage.
Since then, we have worked on many vulnerability reports, and we often consult with software vendors about releasing patches and fixes. The CERT Division of the SEI notifies the public of vulnerabilities, providing detailed technical information and mitigation strategies via CERT Vulnerability Notes, which propagate to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). Recently, the CERT Coordination Center (CERT/CC) rolled out a new, web-based platform for software vulnerability reporting and coordination called the Vulnerability Information and Coordination Environment (VINCE). VINCE helps scale communications and increase the level of direct collaboration between vulnerability reporters, coordinators, and software vendors, aiding the vendor to provide a fix or patch.
We are also closely involved in working on standards and policy development, process engineering, and outreach. Our work on disclosures is transferred to the U.S. Department of Defense (DoD), as well as other organizations. CERT researchers analyze vulnerability data, collaborate with others to improve information exchange, and interface with external standards groups such as the NIST, NVD, and Common Vulnerabilities and Exposures (CVE) system to enhance data formats or exchange protocols. Beyond our work with security defects in deployed software, we also perform vulnerability discovery to catch defects early in the development lifecycle and develop downloadable vulnerability discovery and analysis tools.
What We Offer
Vulnerability Response Capability Development
This one-day course is designed for managers and project leaders who are trying to respond to vulnerabilities reported in their products.
Report a Vulnerability
The CERT Coordination Center (CERT/CC) prioritizes coordination efforts on vulnerabilities that affect multiple vendors or that impact safety, critical or internet infrastructure, or national security.
CERT BFF – Basic Fuzzing Framework
The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms. BFF performs mutational fuzzing on software that consumes file input.
CERT FOE – Failure Observation Engine
The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input.
CERT Tapioca
CERT Tapioca is a network-layer man-in-the-middle (MITM) proxy framework based on mitmproxy. CERT Tapioca is installable on Red Hat Enterprise Linux, CentOS, Fedora, Ubuntu, openSUSE, and Raspbian.
GDB 'Exploitable' Plugin
The GDB 'exploitable' plugin can be used to assist software vendors and analysts in identifying the impact of defects discovered through techniques such as fuzz testing and prioritizing their coordination in the software development process.
CERT Vulnerability Data Archive and Tools
The CERT Vulnerability Data Archive contains nearly all of the non-sensitive vulnerability data collected by the CERT/CC, from the inception of the vulnerability notes database (approximately May 1998) to the date the archive was prepared.
The Latest from the SEI Blog
Vultron: A Protocol for Coordinated Vulnerability Disclosure
September 26, 2022 • Blog Post
This post introduces Vultron, a protocol for multi-party coordinated vulnerability disclosure...
UEFI – Terra Firma for Attackers
August 01, 2022 • Blog Post
This blog post focuses on how the vulnerabilities in firmware popularized by the Uniform Extensible Firmware Interface create a lucrative target for high-profile...
Our Vision for the Future of Security Vulnerabilities
Understanding vulnerabilities in embedded and connected software-reliant systems—including cars, implanted medical devices, airplanes, industrial control systems, and emerging domains—is key to the future of defending against security vulnerabilities. To proactively identify, assess, and resolve new risks, SEI researchers will continue to work on advancing tools and methodologies. As new attackers continue to discover and exploit new security vulnerabilities, and as the complexity of attacks increases, the SEI’s research will continue to respond by improving the strength of our defenses.
Read our wiki to learn more.