Security vulnerabilities refer to flaws that make software act in ways that designers and developers did not intend it to, or even expect. Research in vulnerability analysis aims to improve ways of discovering vulnerabilities and making them public to prevent attackers from exploiting them.

The use of software has expanded into all aspects of our lives to the point that vulnerabilities have the potential to directly affect everyone. In the past, computer users might have been the only people that needed to worry about vulnerabilities. Today, anyone that uses smartphones, smart watches, smart TVs, or any other connected device or system is susceptible to having their information or property stolen. Even activities such as flying on an airplane, going to the hospital to get testing or medications, or using your credit cards are not completely secure. How can you protect yourself? In an environment where software is everywhere, opting out is simply not an option.

Vulnerabilities can also affect government agencies, industry, and critical infrastructure, such as power or water-treatment plants, local and federal government agencies, hospitals, banking institutions, and more. A successful attack against any of these entities could be catastrophic, resulting in massive data breaches or even injuries and death.

Today’s software-development environments create many easy opportunities for adversaries. Organizations must be constantly alert, working tirelessly to find and mitigate vulnerabilities that could affect them.

Addressing Risk on Multiple Fronts

To reduce cybersecurity risk, SEI researchers conduct and promote coordinated vulnerability disclosure; research and publish vulnerability discovery methods and tools; work to improve vulnerability data and information systems; model vulnerability in technology ecosystems; research vulnerability presented by complicated supply chains; and model adversary behavior—all with the goal of helping organizations improve their knowledge and skills for defending their software and systems.

At the SEI, we’ve been working to help keep organizations and the public informed about vulnerabilities for almost 30 years. In 1988, we published our first advisory on vulnerabilities that were exploited by the Morris worm, which was one of the first types of malware to successfully replicate widely over the Internet, causing widespread damage.

Since then, we have worked on many vulnerability reports, and we often consult with software vendors about releasing patches and fixes. The CERT Division of the SEI notifies the public of vulnerabilities, providing detailed technical information and mitigation strategies via CERT Vulnerability Notes, which propagate to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). Recently, the CERT Coordination Center (CERT/CC) rolled out a new, web-based platform for software vulnerability reporting and coordination called the Vulnerability Information and Coordination Environment (VINCE). VINCE helps scale communications and increase the level of direct collaboration between vulnerability reporters, coordinators, and software vendors, aiding the vendor to provide a fix or patch.

We are also closely involved in working on standards and policy development, process engineering, and outreach. Our work on disclosures is transferred to the U.S. Department of Defense (DoD), as well as other organizations. CERT researchers analyze vulnerability data, collaborate with others to improve information exchange, and interface with external standards groups such as the NIST, NVD, and Common Vulnerability and Exposures (CVE) system to enhance data formats or exchange protocols. Beyond our work with security defects in deployed software, we also perform vulnerability discovery to catch defects early in the development lifecycle and develop downloadable vulnerability discovery and analysis tools.