The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering
As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and webcasts highlighting our work in coordinated vulnerability disclosure, cyber risk and resilience management, automation, and the science of cybersecurity. These publications highlight the latest work of SEI technologists in these areas.
We have also included the SEI Year in Review as well as a podcast exploring the importance of fostering diversity in software engineering and a webcast featuring opportunities for women in cybersecurity.
This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.
The SEI listens and probes intently to learn our sponsor’s needs, so that our work provides a path to solving critical artificial intelligence (AI), software engineering, and cybersecurity issues. In this SEI Year in Review, you’ll read of some prominent recent results that express our loud and clear response:
- With funding and support by the Office of the Director of National Intelligence, the SEI is fostering a community to develop a discipline for AI engineering, to assure that AI-enabled systems are scalable, robust and secure, and human-centered.
- Having been at the forefront of software engineering technologies and practices for decades, we have launched an effort to build and lead a community that will form a national agenda to architect the future of software engineering and articulate a research roadmap.
Continuing to bring together government and industry, we introduced the CERT/CC Vulnerability Information and Coordination Environment (VINCE) to increase the level of direct collaboration between vulnerability reporters, coordinators, and software vendors.
Download the SEI Year in Review.
A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
by Allen D. Householder, Jonathan Spring
Coordinated Vulnerability Disclosure (CVD) stands as a consensus response to the persistent fact of vulnerable software, yet few performance indicators have been proposed to measure its efficacy at the broadest scales. In this report, we seek to fill that gap. We begin by deriving a model of all possible CVD histories from first principles, organizing those histories into a partial ordering based on a set of desired criteria. We then compute a baseline expectation for the frequency of each desired criteria and propose a new set of performance indicators to measure the efficacy of CVD practices based on the differentiation of skill and luck in observation data. As a proof of concept, we apply these indicators to a variety of longitudinal observations of CVD practice and find evidence of significant skill to be prevalent. We conclude with reflections on how this model and its accompanying performance indicators could be used by various stakeholders (vendors, system owners, coordinators, and governments) to interpret the quality of their CVD practices.
Download the SEI special report.
Planning and Design Considerations for Data Centers
by Lyndsi A. Hughes, David Sweeney, and Mark Kasunic
This report shares important lessons learned from establishing small- to mid-size data centers. These data centers were established within their own organization and for client organizations within the United States government to support development and operations. Their current focus is to establish on-premises data centers that support modern DevSecOps practices and enabling technologies.
This report is intended to help information technology (IT) personnel and management who are responsible for designing and deploying data center technology to become familiar with topics that must be addressed for a successful outcome. While it is beyond the scope of the report to delve into all the details associated with implementing data center operations, it will help IT personnel and management get started.
Download the SEI technical note.
Accenture: An Automation Maturity Journey
by Rajendra T. Prasad (Accenture)
Accenture, an early adopter of the Capability Maturity Model Integration (CMMI) framework, faced numerous challenges related to a rapidly changing market. Its clients were looking to Accenture to help them “hyper-drive” system transformations to achieve greater cost effectiveness, faster speed, better quality, and continuous innovation to stay relevant in the market. To achieve these goals, Accenture launched an automation journey built around what it calls “The 4S Model”: Simple, Seamless, Scalable, Sustainable. The process produced intelligent tools to automation for transformation that enabled Accenture and its clients to transform rapidly and meet the challenges of a changing market and business landscape. Process improvement initiatives are now implemented across more than 50 percent of Accenture’s industry client base, with new automation opportunities identified every three hours. Automation strategy, process, and technology programs established have shown an impact on client value delivered, delivery performance, and people performance. Some of the key metrics that have shown a significant improvement consistently are productivity, quality (defects), effort, and schedule. In 2020, the Carnegie Mellon University Software Engineering Institute and IEEE recognized Accenture with the Watts Humphrey Software Process Achievement Award. For more information on the SPA Award, visit https://resources.sei.cmu.edu/news-events/events/watts/.
Download the SEI technical report.
In this SEI Podcast, Grace Lewis hosts a panel discussion with Ipek Ozkaya, Nathan West, and Jay Palat about diversity in software engineering. Panelists share their perspectives about their own experiences in the software engineering field, the value of diversity to enhance problem solving from multiple perspectives, and strategies for supporting and encouraging underrepresented groups to become involved in the field.
View/listen to the podcast.
Opportunities for Women in Cybersecurity
by Matthew J. Butkovic, Ebonie McNeil, Sharon Mudd, Marisa Midler
In May 2021, according to CyberSeek, the cybersecurity job market resource, there were approximately 465,000 open positions in cybersecurity nationwide. With such a large pool of jobs, opportunities exist for all interested candidates.
In this episode, you meet SEI staff members who come from diverse, educational, cultural, and professional backgrounds. SEI technical director Matthew Butkovic interviews Sharon Mudd, senior cybersecurity operation researcher; Ebonie McNeil, DevOps engineer; Marisa Midler, associate penetration tester; and Wei-ren Murray, software engineer. They discuss careers in cybersecurity, and share the highlights of their work at the SEI, as well as challenges and lessons learned along the way. They also review the SEI’s involvement in the WiCYS (Women in Cybersecurity) 2021 Conference and how it is helping recruit candidates to fill open positions.
View the webcast.
Applying Scientific Methods in Cybersecurity
by Leigh B. Metcalf and Jonathan Spring
In this SEI Podcast, Leigh Metcalf and Jonathan Spring discuss with Suzanne Miller the application of scientific methods to cybersecurity. As described in their recently published book, Using Science in Cybersecurity, Metcalf and Spring describe a common-sense approach and practical tools for applying scientific rigor to the field of cybersecurity.
View/listen to the podcast.
This post has been shared 3 times.
More By The Author
Technical Issues in Navigating the Transition from Sustainment to Engineering Software-Reliant Systems
Navigating People Concerns when Transitioning from Sustainment to Engineering Software-Reliant Systems
The Latest Work from the SEI: Artificial Intelligence, DevSecOps, and Security Incident Response
Process Concerns When Navigating the Transition from Sustainment to Engineering Software-Reliant Systems
More In CERT/CC Vulnerabilities
CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security
Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning
Get updates on our latest work.
Sign up to have the latest post sent to your inbox weekly.