SEI Blog | Secure Development

SEI Blog | Secure Developmenthttp://sei.cmu.edu/feeds/topic/secure-development/atom/?utm_source=blog&utm_medium=rss2026-03-04T00:00:00-05:00Updates on changes and additions to the SEI Blog for posts matching Secure DevelopmentThe Five Pillars of Software Assurance in System Acquisition2026-03-04T00:00:00-05:002026-03-04T00:00:00-05:00Dr. Carol Woody, Christopher Alberts, Michael Bandor, Timothy A. Chickhttps://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post presents five foundational capabilities to support the acquisition of a system with effective software assurance.

Tailoring 9 Zero Trust and Security Principles to Weapon Systems2025-12-09T00:00:00-05:002025-12-09T00:00:00-05:00Christopher Alberts, Timothy Morrow, Rhonda Brown, Charles Wallenhttps://www.sei.cmu.edu/blog/tailoring-9-zero-trust-and-security-principles-to-weapon-systems/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

Our latest post outlines how 9 zero trust and security principles might apply to weapon systems.

AI-Powered Memory Safety with the Pointer Ownership Model2025-12-03T00:00:00-05:002025-12-03T00:00:00-05:00David Svoboda, Lori Flynnhttps://www.sei.cmu.edu/blog/ai-powered-memory-safety-with-the-pointer-ownership-model/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post highlights work to automate C Code Security with AI-Powered memory safety.

Managing Security and Resilience Risks Across the Lifecycle2025-07-23T00:00:00-04:002025-07-23T00:00:00-04:00Christopher Alberts, Charles Wallen, Dr. Carol Woody, Michael Bandorhttps://www.sei.cmu.edu/blog/managing-security-and-resilience-risks-across-the-lifecycle/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post introduces the Security Engineering Framework, a schema of software-focused engineering practices that acquisition programs can use to manage security and resilience risks across the lifecycle.

Detection and Repair: The Cost of Remediation2025-03-03T00:00:00-05:002025-03-03T00:00:00-05:00David Svobodahttps://www.sei.cmu.edu/blog/detection-and-repair-the-cost-of-remediation/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This year, we plan on making some exciting updates to the SEI CERT C Coding Standard. This blog post is about one of our ideas for improving the standard.

Measurement Challenges in Software Assurance and Supply Chain Risk Management2024-05-20T00:00:00-04:002024-05-20T00:00:00-04:00Nancy Mead, Dr. Carol Woody, Scott Hissamhttps://www.sei.cmu.edu/blog/measurement-challenges-in-software-assurance-and-supply-chain-risk-management/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This SEI Blog post examines the current state of measurement in software assurance and supply chain management, with a particular focus on open source software, and highlights promising measurement approaches.

What Recent Vulnerabilities Mean to Rust2024-04-29T00:00:00-04:002024-04-29T00:00:00-04:00David Svobodahttps://www.sei.cmu.edu/blog/what-recent-vulnerabilities-mean-to-rust/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

In recent weeks several vulnerabilities have rocked the Rust community causing many to question its safety. This post examines two such vulnerabilities.

The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain2023-11-06T00:00:00-05:002023-11-06T00:00:00-05:00Christopher Alberts, Michael Bandor, Charles Wallen, Dr. Carol Woodyhttps://www.sei.cmu.edu/blog/the-sei-sbom-framework-informing-third-party-software-management-in-your-supply-chain/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post presents a framework to promote the use of SBOMs and establish practices and processes that organizations can leverage as they build their programs.

Rust Vulnerability Analysis and Maturity Challenges2023-01-23T00:00:00-05:002023-01-23T00:00:00-05:00Garret Wassermann, David Svobodahttps://www.sei.cmu.edu/blog/rust-vulnerability-analysis-and-maturity-challenges/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post explores tools for understanding vulnerabilities in the Rust programming language as well as the maturity of the Rust software ecosystem as a whole and how that might impact future security responses.

Rust Software Security: A Current State Assessment2022-12-12T00:00:00-05:002022-12-12T00:00:00-05:00Joe Sible, David Svobodahttps://www.sei.cmu.edu/blog/rust-software-security-a-current-state-assessment/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post examines security issues with the Rust programming language.

Taking Up the Challenge of Open Source Software Security in the DoD2022-08-15T00:00:00-04:002022-08-15T00:00:00-04:00Scott Hissamhttps://www.sei.cmu.edu/blog/taking-up-the-challenge-of-open-source-software-security-in-the-dod/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post describes a workshop hosted by the SEI to start a conversation to elevate the trustworthiness of free and open source software, particularly in DoD settings.

11 Leading Practices When Implementing a Container Strategy2021-11-08T00:00:00-05:002021-11-08T00:00:00-05:00Andrew Mellinger, William Nichols, Jay Palathttps://www.sei.cmu.edu/blog/11-leading-practices-when-implementing-a-container-strategy/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

While containers are frequently lauded in the latest software development trends, switching from using virtual machines and deploying an organization-wide container strategy remains non-trivial.

Release of SCAIFE System Version 2.0.0 Provides Support for Continuous-Integration (CI) Systems2021-10-25T00:00:00-04:002021-10-25T00:00:00-04:00Lori Flynnhttps://www.sei.cmu.edu/blog/release-of-scaife-system-version-200-provides-support-for-continuous-integration-ci-systems/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

Key features in new release of SCAIFE System Version 2.0.0 including support for continuous-integration (CI) systems, and status of evolving SEI SCAIFE work

A Technique for Decompiling Binary Code for Software Assurance and Localized Repair2021-10-11T00:00:00-04:002021-10-11T00:00:00-04:00William Klieberhttps://www.sei.cmu.edu/blog/a-technique-for-decompiling-binary-code-for-software-assurance-and-localized-repair/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

The DoD has a significant amount of software available only in binary form. It is impractical to ensure that this software is free from vulnerabilities and malicious code.

Anti-Tamper for Software Components2021-06-21T00:00:00-04:002021-06-21T00:00:00-04:00Scott Hissamhttps://www.sei.cmu.edu/blog/anti-tamper-for-software-components/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post explains how to identify software components within systems that are in danger of being exploited and that should be protected by anti-tamper practices.

A Public Repository of Data for Static-Analysis Classification Research2020-11-02T00:00:00-05:002020-11-02T00:00:00-05:00Lori Flynnhttps://www.sei.cmu.edu/blog/public-repository-data-static-analysis-classification-research/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This blog post describes a new repository of labeled data that CERT is making publicly available for many code-flaw conditions. Researchers can use this dataset along with the associated code and tool output to monitor and test the performance of their automated classification of meta-alerts.

Automated Code Repair to Ensure Memory Safety2020-02-24T00:00:00-05:002020-02-24T00:00:00-05:00William Klieberhttps://www.sei.cmu.edu/blog/automated-code-repair-to-ensure-memory-safety/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

Memory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS....

An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts2019-07-22T00:00:00-04:002019-07-22T00:00:00-04:00Lori Flynn, Ebonie McNeilhttps://www.sei.cmu.edu/blog/an-application-programming-interface-for-classifying-and-prioritizing-static-analysis-alerts/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts.

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications2019-04-01T00:00:00-04:002019-04-01T00:00:00-04:00David Svobodahttps://www.sei.cmu.edu/blog/how-to-use-static-analysis-to-enforce-sei-cert-coding-standards-for-iot-applications/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT)....

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things2019-02-11T00:00:00-05:002019-02-11T00:00:00-05:00David Svobodahttps://www.sei.cmu.edu/blog/using-the-sei-cert-coding-standards-to-improve-security-of-the-internet-of-things/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity....