Since its inception in 1988, the CERT Coordination Center (CERT/CC) has been analyzing and coordinating software vulnerabilities. The CERT/CC’s vulnerability response process includes discovery and reporting, analysis, coordination with vendors (software development organizations), and public disclosure. The results of this work are documented in the Vulnerability Notes Database. One observation from this work is a disconnect between software engineering, design, and development practices and the constantly evolving threats posed to highly interconnected software and systems.
The CERT/CC contributed to the Data-Driven Software Assurance (DDSA) project recently published by the SEI. A significant area of the DDSA research investigated operational vulnerabilities that “likely had their origins early in the life cycle, in the requirements and design phases.” To give one example, the lack of threat modeling, particularly in emerging domains, leads to insecurity.
This session will provide background on and examples of the life cycle of vulnerabilities, with the goal of improving the connection between software development and increased operational security. The session will also highlight design-related causes of vulnerabilities and software security issues affecting the growing “Internet of Things.”