Software Engineering Institute | Carnegie Mellon University

SEI Insights

Recent Posts

My prior blog post on product lines in DoD sustainment described the complexity of contractual relationships in a DoD software product line. Recall that a software product line is a collection of related products with shared software artifacts and engineering services that has been developed by a single organization in support of multiple programs serving multiple missions and different customers. A product line can reduce cost of development and support. In exchange, it can be...

This post was co-authored by Drew Walsh. Continuing our industry sector series, this blog post highlights insider threat trends in the State and Local Government subsector and explores distinct characteristics of fraud, the most common insider case type in the CERT Insider Threat Corpus for this subsector....

Every January on the SEI Blog, we present the 10 most-visited posts of the previous year. This year's top 10, which features posts published between January 1, 2018, and December 31, 2018, brought an ever-increasing number of visitors to the blog. 10. Why You Should Apply Agile-DevOps Earlier in the Lifecycle9. Best Practices and Considerations in Egress Filtering8. Deep Learning: Going Deeper toward Meaningful Patterns in Complex Data7. Why Does Software Cost So Much?6. Revealing...

The Second International Conference on Technical Debt will be held in Montréal, QC, Canada, on May 26-27, 2019, collocated with ICSE 2019. The conference brings together leading software researchers, practitioners, and tool vendors to explore theoretical and practical approaches that manage technical debt. Technical debt describes a universal software development phenomenon: design or implementation constructs that are expedient in the short term, but set up a technical context that can make future change more costly...

This post was co-authored by Ebonie McNeil. Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in Lori's first blog post on this topic, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool since 2010 as part of our...

According to DevSecOps: Early, Everywhere, at Scale, a survey published by Sonatype, "Mature DevOps organizations are able to perform automated security analysis on each phase (design, develop, test) more often than non-DevOps organizations." Since DevOps enables strong collaboration and automation of the process and enforces traceability, mature DevOps organizations are more likely to perform automated security analysis than non DevOps organizations. My previous blog post, Microcosm: A Secure DevOps Pipeline as Code, helped address the...



Timely insights about vulnerabilities, network situational awareness, and research in the security field offered by CERT Division researchers.


Technical Guidelines and practical advice for DevOps. Posts cover issues relating to understanding and achieving successful DevOps including cultural shifts, barriers to collaboration, continuous integration, continuous deployment, and automation.


Insider Threat

Advice and best practices for organizations wanting to help better deter, detect, and respond to evolving insider threats.


The SEI Architecture Technology User Network’s blog covers topics relating to software architecture and connects the professional network of software, systems, and enterprise architects from around the world, representing industry, academia, and government.

SEI Blog

Ongoing and exploratory research on topics that include secure coding, malware analysis, testing, organizational planning, agile software development, big data, quality assurance, cloud computing, and software sustainment across the lifecycle.