As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in systems of systems integration from an architectural perspective, unintentional insider threat that derives from social engineering, identifying physical security gaps in international mail processing centers and similar facilities, countermeasures used by cloud service providers, the Team Software Process (TSP), and key automation and analysis techniques. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

Understanding Patterns for System-of-Systems Integration
By Rick Kazman, Claus Nielsen (No Affiliation), and Klaus Schmid

Creating a successful system of systems--one that meets the needs of its stakeholders today and can evolve and scale to sustain those stakeholders into the future--is a very complex engineering challenge. In a system of systems (SoS), one of the biggest challenges is in achieving cooperation and interoperation among systems through some form of system integration. Previous work has approached the information system integration challenge in a generic way, not specific to an SoS context, or has provided only a limited range of solutions. This technical report discusses how an IT architect can address the SoS integration challenge from an architectural perspective; it also illustrates the breadth of potential solutions to the challenge through a categorization of SoS software architectural patterns. To demonstrate the practical relevance of this work, the authors instantiate this categorization with a set of patterns described in both the research literature and by companies that support SoS platforms.
Download the PDF

Unintentional Insider Threats: Social Engineering
By the CERT Insider Threat Center

The research documented in this report seeks to advance the understanding of the unintentional insider threat (UIT) that derives from social engineering. The goals of this research are to collect data on additional UIT social engineering incidents to build a set of cases for the Management and Education of the Risk of Insider Threat (MERIT) database and to analyze such cases to identify possible behavioral and technical patterns and precursors. The authors hope that this research will inform future research and development of UIT mitigation strategies.
Download the PDF

A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure
By Greg Crabb (U.S. Postal Inspection Service), Julia H. Allen, Pamela D. Curtis, Nader Mehravari

The safety, security, and resilience of international postal, shipping, and transportation critical infrastructure are vital to the global supply chain that enables worldwide commerce and communications. But security on an international scale continues to fail in the face of new threats. Owners and operators of critical postal, shipping, and transportation operations need new methods to identify, assess, and mitigate security risks and gaps in the most effective manner possible. The U.S. Postal Inspection Service, in collaboration with the Universal Postal Union (UPU) and the CERT Division at the SEI, developed a physical security assessment method to identify gaps in the security of international mail processing centers and similar shipping and transportation processing facilities. This assessment method and its associated field instrument are designed to be repeatable, cost effective, scalable, accurate, meaningful, and transparent. Since the method uses UPU standards as its reference, it may be used by the international community to evaluate the security of postal administrations around the world. The method also can be applied to other types of critical transportation services, such as metropolitan transit systems. This report describes the history, development approach, field experiences, and benefits of this method.
Download the PDF

Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase II, Expanded Analysis and Recommendations
By Lori Flynn, Greg Porter (Heinz College at Carnegie Mellon University), Chas DiFatta (No Affiliation)

Throughout the third quarter of 2013, researchers in the CERT Insider Threat Center contacted commercial and government cloud service providers (CSPs) to better understand the administrative and technical risks posed by CSP insiders and the countermeasures that CSPs are considering and deploying to identify and mitigate insider attacks. Based on the insight obtained from participating CSPs, CERT researchers have examined how existing CSP insider threat management practices may be improved. Researchers also examined the CERT Division's Insider Threat Assessment workbooks to identify some data types useful for CSP security information and event management (SIEM) systems, specifically for mitigating insider threats. A table listing those identified data sources may be of use for CSPs adding logging, analysis, and alerts to their SIEM systems. This report contains observations obtained from interview and survey responses of participating CSP personnel, considerations for improving insider threat mitigation processes, and current challenges within the CSP community as observed by the Insider Threat Center team.
Download the PDF

TSP Symposium 2013 Proceedings
By Sergio Cardona (Universidad del Quindío), Diego Vallespir (Universidad de la República), Rafael Rincón (Universidad EAFIT), J. Pascoal Faria (University of Porto), Fernanda Grazioli (Universidad de la República), Pedro C. Henriques (Strongstep - Innovation in Software Quality), Jim McHale, Silvana Moreno (Universidad de la República), William Nichols, Leticia Pérez (Universidad de la República), Mushtaq Raza (University of Porto)

The 2013 TSP Symposium was organized by the SEI and took place September 16-19 in Dallas, Texas. The goal of the TSP Symposium is to bring together practitioners and academics who share a common passion to change the world of software engineering for the better through disciplined practice. The conference theme was "When Software Really Matters," which explored the idea that when product quality is critical, high-quality practices are the best way to achieve it. In keeping with that theme, the community contributed a variety of technical papers describing their experiences and research using the Personal Software Process (PSP) and Team Software Process (TSP). This report contains the four papers selected by the TSP Symposium Technical Program Committee. The topics include demonstrating the impact of the PSP on software quality and effort by eliminating the programming learning effect, analyzing student performance during the introduction of the PSP using an empirical cross-course comparison, incorporating PSP practices into introductory programming courses, and analyzing factors affecting productivity performance in PSP training.
Download the PDF

Using Software Development Tools and Practices in Acquisition
By Harry L. Levinson and Richard Librizzi

Acquiring software-reliant systems from an external resource can be time consuming, costly, and often unreliable. During independent technical assessments and customer engagements, the SEI observed many contractors who are not utilizing mature, readily available software development tools when creating code for government programs. These tools include static analysis, test automation, and peer review techniques. In addition to the aforementioned tools being important for software developers, they offer significant insight and confidence to customers who acquire software products.

There are many benefits from making these tools and practices integral to software development and acquisition processes, including:

• reduced risk: programs deliver more predictably
• improved customer satisfaction: products developed experience fewer field defects
• lower cost of ownership: programs experience lower life-cycle maintenance costs when deployed operationally

This technical note provides an introduction to key automation and analysis techniques, the use of which the authors contend will benefit motivated acquirers and developers.
Download the PDF

Additional Resources

For the latest SEI technical reports and papers, please visit
http://www.sei.cmu.edu/library/reportspapers.cfm