search menu icon-carat-right cmu-wordmark

Software Assurance, Data Governance, and Malware Analysis: The Latest Work from the SEI


As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI technical reports, white papers, podcasts and webinars on software assurance, data governance, self-adaptive systems, engineering high-assurance software for distributed adaptive real-time (DART) systems, technical debt, and automating malware collection and analysis. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

Prototype Software Assurance Framework (SAF): Introduction and Overview
By Christopher J. Alberts, Carol Woody, PhD

Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. The costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. Field experiences of technical staff at the Software Engineering Institute (SEI) indicate that few programs currently implement effective cybersecurity practices early in the acquisition lifecycle. Recent DoD directives are beginning to shift programs' priorities regarding cybersecurity. As a result, researchers from the CERT Division of the SEI have started cataloging the cybersecurity practices needed to acquire, engineer, and field software-reliant systems that are acceptably secure.

This report introduces the prototype Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program's current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed software-reliant systems. This report presents Version 0.2 of the SAF and features three pilot applications of it.
Download the report.

6 Things You Need to Know About Data Governance
By John Klein

Data governance is a set of practices that imposes a cost on data publishers and enables data consumers to get value faster and more efficiently. Agile data governance is based on the principle that the costs imposed on data publishers should be less than the value created by data consumers. This presentation provides a framework to guide governance decisions.
Download the presentation.

Efficient Decision-Making under Uncertainty for Proactive Self-Adaptation
By Gabriel Moreno, Javier Cámara (CMU), David Garlan, Bradley Schmerl

Proactive latency-aware adaptation is an approach for self-adaptive systems that improves over reactive adaptation by considering both the current and anticipated adaptation needs of the system, and taking into account the latency of adaptation tactics so that they can be started with the necessary lead time. Making an adaptation decision with these characteristics requires solving an optimization problem to select the adaptation path that maximizes an objective function over a finite look-ahead horizon. Since this is a problem of selecting adaptation actions in the context of the probabilistic behavior of the environment, Markov decision processes (MDP) are a suitable approach. However, given all the possible interactions between the different and possibly concurrent adaptation tactics, the system, and the environment, constructing the MDP is a complex task. Probabilistic model checking can be used to deal with this problem since it takes as input a formal specification of the stochastic system, which is internally translated into an MDP, and solved. One drawback of this solution is that the MDP has to be constructed every time an adaptation decision has to be made to incorporate the latest predictions of the environment behavior. In this paper we present an approach that eliminates that run-time overhead by constructing most of the MDP offline, also using formal specification. At run time, the adaptation decision is made by solving the MDP through stochastic dynamic programming, weaving in the stochastic environment model as the solution is computed. Our experimental results show that this approach reduces the adaptation decision time by an order of magnitude compared to the probabilistic model checking approach, while producing the same results.
Download the white paper.

Building and Scaling a Malware Analysis System
By Brent Frye

For nearly 15 years, the SEI has been collecting malware samples into the CERT Artifact Catalog and analyzing them. In this webinar, Brent Frye describes some of the issues involved in automating the collection and analysis of malware, which has seen exponential growth over the past decade. It also discusses how scaling up systems to support this growth compares to approaches for scaling up the number of users at high-traffic sites.
View the webinar.

Verifying Distributed Adaptive Real-Time Systems
By Sagar Chaki and James Edmondson

Making sure government and privately owned drones share international air space safely and effectively is a top priority for government officials. Distributed Adaptive Real-Time (DART) systems are key to many areas of Department of Defense (DoD) capability, including the safe execution of autonomous, multi-unmanned aerial systems missions having civilian benefits. DART systems promise to revolutionize several such areas of mutual civilian-DoD interest, such as robotics, transportation, energy, and health care. To fully realize the potential of DART systems, however, the software controlling them must be engineered for high-assurance and certified to operate safely and effectively. In short, these systems must satisfy guaranteed and highly-critical safety requirements (e.g., collision avoidance) while adapting smartly to achieve application requirements, such as protection coverage, while operating in dynamic and uncertain environments. In this podcast, James Edmondson and Sagar Chaki describe an architecture and approach to engineering high-assurance software for DART systems.
View the podcast.

Technical Debt as a Core Software Engineering Practice
By Ipek Ozkaya

As software developers deal with issues such as legacy modernization, agile adoption, and architecture, they need to be able to articulate the tradeoffs of design and business decisions. In this podcast, Ipek Ozkaya talks about managing technical debt as a core software engineering practice and its importance in the education of future software engineers.
View the podcast.

Additional Resources

For the latest publications on SEI research, please visit


Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed