As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in cyber risk and resilience management, Agile/DevOps and risk management, best practices in insider threat, and dynamic design analysis. This post also includes a link to our recently published 2017 SEI Year in Review. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

The 2017 SEI Year in Review

By the Software Engineering Institute

The SEI Year in Review highlights the work of the Software Engineering Institute undertaken from October 1, 2016 to September 30, 2017.

Message from the Director and CEO

Without question, our national defense and security organizations know the threats our nation faces from adversaries across all operational domains, including cyberspace. The Defense Science Board's 2017 report on priorities (Seven Defense Priorities for the New Administration), for instance, spells out danger from enemy states, non-state actors, and others against U.S. armed forces and our information infrastructure.

Consequently, those organizations also are aware that software quality is more important than ever to mission success and sustaining information superiority. Our national defense and security organizations depend on complex, software-based technologies to identify threats, plan operations, conduct missions, arm warfighters, and train personnel. In addition, our weapon systems and the people who operate them are relying more and more on software-enabled autonomous systems.

Yet, in the Department of Defense (DoD) and elsewhere in the federal government, software development and sustainment organizations experience problems because of the sheer complexity of the software needed to deliver advanced capabilities and the resulting quality concerns manifested in rampant cost and vulnerability issues.

At the Carnegie Mellon University Software Engineering Institute (CMU SEI), a DoD-sponsored federally funded research and development center (FFRDC), we develop software-based technologies to improve software quality by bending the software cost curve, reducing cyber risk by wringing out software defects before they can be exploited as vulnerabilities, and building cyber workforce readiness.

In addition, we seek to enable our sponsor and other government organizations to leap ahead technologically by realizing the potential of artificial intelligence and autonomous systems based on software that is resilient, assured, continually responsive to operational needs, and affordable.

More than ever, as it negotiates a technology landscape dominated by software's strikingly expanding and deepening role as an edge in a dangerous world, the DoD--as well as the Defense Industrial Base, civil government, and industry--needs innovative technologies for software quality and security from its entire R&D network, especially CMU SEI.

Paul D. Nielsen
Director and CEO
Download the 2017 Year in Review.

SEI Webinar: Is Software Spoiling Us?
By Jeff Boleng, Grace Lewis, Eliezer Kanal, Satya Venneti, Joseph D. Yankel

In an almost incalculable number of ways, we delight in software's benefits with no appreciation for the software that provides them. It fuels the breakthroughs we enjoy as our mobile devices, self-parking automobiles, smart home appliances, online purchasing websites, and more. Have software's repeated successes, and the assumption that they will continue endlessly, discounted perceptions of its importance among leadership in civilian government, national defense, and national security organizations?

This panel discussion features

• examples of and some reasons for software advancements
• future directions for software and cybersecurity
• difficulties for the DoD in adopting software advances
• some suggestions for the DoD and government

View the webinar.

Cyber Mutual Assistance Workshop Report
By Jonathon Monken (PJM Interconnection), Dr. Fernando Maymi (Army Cyber Institute), Dan Bennett, PhD (Army Cyber Institute), LTC Dan Huynh (Army Cyber Institute), MAJ Blake Rhoades (Army Cyber Institute), CPT Matt Hutchison (Army Cyber Institute), CW3 Judy Esquibel (Army Cyber Institute), Bill Lawrence (North American Electric Reliability Corporation), Katie C. Stewart

This report describes a Cyber Mutual Assistance Workshop (CMAW), its significance, and its outcomes. The CMAW was intended to explore the interconnectedness of the North American Power Sector and possible sources of aid, should the sector fall victim to a cyber attack. The objective of the CMAW was to enable better understanding of capabilities, not only in the sector's own cyber security workforce, but in possible mutual support from city, state, and federal government entities, and across other sectors' cyber security communities. The Army Cyber Institute, alongside the Electric Infrastructure Security Council and the Software Engineering Institute's CERT Coordination Center, aimed to explore and evoke national conversation on the possibility of mutual cyber assistance in times of duress and the importance to that endeavor of prior understanding and relationships between concerned parties.
Download the special report.

SEI Product Line Bibliography
by the Software Engineering Institute

A product line is a set of products that together address a particular market segment or fulfill a particular mission. Product lines are nothing new in manufacturing. But software product lines based on interproduct commonality are a relatively new concept that is rapidly emerging as a viable and important software development paradigm. Product flexibility is the anthem of the software marketplace, and product lines fulfill the promise of tailor-made systems built specifically for the needs of particular customers or customer groups. A product line succeeds because the commonalities shared by the software products can be exploited to achieve economies of production. Organizations are finding that this practice of building sets of related systems from common assets can yield remarkable quantitative improvements in productivity, time to market, product quality, and customer satisfaction. But along with the gains come risks. Using a product line approach constitutes a new technical strategy for the organization. Organizational and management issues constitute obstacles that are critical to overcome and often add more risk because they are less obvious. Building a software product line and bringing it to market require a blend of skillful engineering as well as both technical and organizational management. These skills are necessary to overcome the pitfalls that may bring failure to an unsophisticated organization.

This bibliography lists SEI and non-SEI resources that have informed the SEI Product Lines efforts. It includes examples of real software product lines listed in the Catalog of Software Product Lines. The examples cover diverse domains and show the kind of improvements your organization can achieve using a product line approach.
Download the white paper.

How Risk Management Fits into Agile & DevOps in Government
By Timothy A. Chick, Will Hayes, Eileen Wrubel, Hasan Yasar

DevOps, which breaks down software development silos to encourage free communication and constant collaboration, reinforces many Agile methodologies. Equally important, the Risk Management Framework, provides a clearly defined framework that helps program managers incorporate security and risk management activities into the software and systems development life cycle. In this podcast, Eileen Wrubel, technical lead for the SEI's Agile-in-Government program leads a roundtable discussion into how Agile, DevOps, and the Risk Management Framework can work together. The panelists include Tim Chick, Will Hayes, and Hasan Yasar.
Download the podcast.

SEI Cyber Minute: Why Use Dynamic Design Analysis?
By Rick Kazman

Design flaws are introduced unknowingly by the daily activities of developers--adding features and fixing bugs. If left unaddressed, these flaws degrade the system over time, making it harder to understand, maintain, extend, and fix. By considering dynamic information in conjunction with static information, we can precisely locate such design flaws, and determine the root causes of bugs more quickly.
View the SEI Cyber Minute.

5 Best Practices for Preventing and Responding to Insider Threat By Randall F. Trzeciak

Insider threat continues to be a problem with approximately 50 percent of organizations experiencing at least one malicious insider incident per year, according to the 2017 U.S. State of Cybercrime Survey. Although the attack methods vary depending on the industry, the primary types of attacks identified by researchers at the CERT Insider Threat Center--theft of intellectual property, sabotage, fraud, and espionage--continue to hold true. In our work with public and private industry, we continue to see that insider threats are influenced by a combination of technical, behavioral, and organizational issues. In this podcast Randy Trzeciak, technical manager of the CERT National Insider Threat Center, discusses the fifth edition of the Common Sense Guide to Mitigating Insider Threats, which highlights policies, procedures, and technologies to mitigate insider threats in all areas of an organization.
Download the podcast.

Additional Resources

View the latest SEI research in the SEI digital library.
View the latest installments in the SEI Podcast Series.
View the latest installments in the SEI Webinar Series.