Allen D. Householder
Software Engineering Institute
Allen D. Householder is a senior vulnerability researcher in the CERT Division of Carnegie Mellon University's Software Engineering Institute. Householder's research interests include applications of complex systems theory and machine learning to software and system security, fuzzing, and modeling of information sharing and trust among cybersecurity responders.
Publications by Allen D. Householder
-
Improving Interoperability in Coordinated Vulnerability Disclosure with Vultron
February 28, 2023 • Podcast
Allen D. Householder
Allen Householder, a senior vulnerability and incident researcher with the SEI’s CERT Division, talks with SEI principal investigator Suzanne Miller about Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).
-
Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
September 15, 2022 • Special Report
Allen D. Householder
This report proposes a formal protocol specification for MPCVD to improve the interoperability of both CVD and MPCVD processes.
-
Coordinated Vulnerability Disclosure User Stories
August 25, 2022 • White Paper
Brad Runyon, Eric Hatleback, Allen D. Householder
This paper provides user stories to guide the development of a technical protocol and application programming interface for Coordinated Vulnerability Disclosure.
-
A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
July 01, 2021 • Special Report
Allen D. Householder, Jonathan Spring
This report discusses performance indicators that stakeholders in Coordinated Vulnerability Disclosure (CVD) can use to measure its effectiveness.
-
Managing Vulnerabilities in Machine Learning and Artificial Intelligence Systems
June 10, 2021 • Podcast
Nathan M. VanHoudnos, Jonathan Spring, Allen D. Householder
Allen Householder, Jonathan Spring, and Nathan VanHoudnos discuss how to manage vulnerabilities in AI/ML systems.
-
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)
April 30, 2021 • White Paper
Jonathan Spring, Allen D. Householder, Eric Hatleback
This paper presents version 2.0 of a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
-
A Stakeholder-Specific Vulnerability Categorization
October 29, 2020 • Podcast
Allen D. Householder, Eric Hatleback, Jonathan Spring
Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and also take audience members through a sample scoring vulnerability.
-
On Managing Vulnerabilities in AI/ML Systems
October 01, 2020 • Conference Paper
Jonathan Spring, Allen D. Householder, April Galyardt
This paper explores how the current paradigm of vulnerability management might adapt to include machine learning systems.
-
Historical Analysis of Exploit Availability Timelines
August 13, 2020 • White Paper
Allen D. Householder, Jeff Chrabaszcz (Govini), Trent Novelly
This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible.
-
The CERT Guide to Coordinated Vulnerability Disclosure
March 26, 2020 • Podcast
Allen D. Householder, David Warren
Allen Householder and David Warren discuss the CERT Guide to Coordinated Vulnerability Disclosure, which is used by security researchers, software vendors, and other stakeholders in informing others about security vulnerabilities.
-
Penetration Tests Are The Check Engine Light On Your Security Operations
January 07, 2020 • White Paper
Allen D. Householder, Dan J. Klinedinst
A penetration test serves as a lagging indicator of a network security operations problem. Organizations should implement and document several security controls before a penetration test can be useful.
-
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization
December 04, 2019 • White Paper
Jonathan Spring, Eric Hatleback, Allen D. Householder
This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
-
Future Reach Conversation: Countering Adversarial Operations Made Possible by AI
November 22, 2019 • Video
Allen D. Householder, Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering), Kathleen Carley (Carnegie Mellon School of Computer Science)
Watch as Dr. Matt Gaston, Director of the SEI Emerging Technology Center, moderates a discussion on countering adversarial operations made possible by AI.
-
Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem
June 24, 2019 • White Paper
Andrew P. Moore, Allen D. Householder
This paper presents modeling and analysis of two critical foundational processes of the cybersecurity vulnerability management ecosystem using a combination of system dynamics and agent-based modeling techniques.
-
Towards Improving CVSS
December 04, 2018 • White Paper
Jonathan Spring, Eric Hatleback, Allen D. Householder
This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).
-
Modeling the Operations of the Vulnerability Ecosystem
October 23, 2018 • Poster
Allen D. Householder
This poster describes models, metrics, datasets, and key performance indicators developed to improve vulnerability response.
-
Analyzing 24 Years of CVD
March 01, 2018 • Presentation
Allen D. Householder
The CERT/CC has pioneered the Coordinated Vulnerability Disclosure (CVD) process. In the past year, they analyzed their case tracking data, focusing on the distribution of case workloads over time. This slide deck contains findings from this analysis.
-
The CERT Guide to Coordinated Vulnerability Disclosure
August 15, 2017 • Special Report
Allen D. Householder, Garret Wassermann, Art Manion
This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go awry and how to respond when it does so.
-
Threat Modeling and the Internet of Things
May 12, 2016 • Podcast
Art Manion, Allen D. Householder
Art Manion and Allen Householder of the CERT Vulnerability Analysis team talk about threat modeling and its use in improving the security of the Internet of Things (IoT).
-
Extending AADL for Security Design Assurance of Cyber-Physical Systems
December 16, 2015 • Technical Report
Robert J. Ellison, Allen D. Householder, John J. Hudak
This report demonstrates the viability and limitations of using the Architecture Analysis and Design Language (AADL) through an extended example that allows for specifying and analyzing the security properties of an automotive electronics system.
-
Vulnerability Coordination and Concurrency
August 18, 2015 • Presentation
Allen D. Householder
In this talk, the presenter will describe the process of coordinating vulnerability disclosures, why it's hard, and some of the pitfalls and hidden complexities we have encountered.
-
Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats
August 18, 2015 • Presentation
Allen D. Householder
In this talk, we will trace the origin and evolution of a physical-world vulnerability that dates to the late 19th century, and explore whether "building security in" is even always an available option.
-
Comments on Bureau of Industry and Security (BIS) Proposed Rule Regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation for Intrusion and Surveillance Items
July 22, 2015 • White Paper
Allen D. Householder, Art Manion
In this paper, CERT researchers comment on the proposed rule, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items.
-
Strengths in Security Solutions
May 31, 2013 • White Paper
Arjuna Shunn (Microsoft), Carol Woody, Robert C. Seacord
In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.
-
Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File
October 01, 2012 • Technical Note
Allen D. Householder
In this 2012 report, Allen Householder describes an algorithm for reverting bits from a fuzzed file to those found in the original seed file to recreate the crash.
-
Probability-Based Parameter Selection for Black-Box Fuzz Testing
August 01, 2012 • Technical Note
Allen D. Householder, Jonathan M. Foote
In this report, the authors describe an algorithm for automating the selection of seed files and other parameters used in black-box fuzz testing.
-
A Structured Approach to Classifying Security Vulnerabilities
January 01, 2005 • Technical Note
Robert C. Seacord, Allen D. Householder
In this 2005 report, the authors propose a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities.
-
2002 Tech Tip: Securing an Internet Name Server
August 01, 2002 • White Paper
Allen D. Householder, Brian King
This document discusses name server security and focuses on BIND, which is the most commonly used software for DNS servers.
-
2001 Tech Tip: Managing the Threat of Denial-of-Service Attacks
October 01, 2001 • White Paper
Allen D. Householder, Art Manion, Linda Pesante
In this 2001 paper, the authors describe the then-current situation regarding denial-of-service (DOS) attacks and ways of addressing the problem.