search menu icon-carat-right cmu-wordmark

SEI Blog

The Latest Research in Software Engineering, Cybersecurity, and AI Engineering

Latest Posts

Using OOAnalyzer to Reverse Engineer Object Oriented Code with Ghidra

Using OOAnalyzer to Reverse Engineer Object Oriented Code with Ghidra

• SEI Blog
Jeffrey Gennari

Object-oriented programs continue to pose many challenges for reverse engineers and malware analysts. C++ classes tend to result in complex arrangements of assembly instructions and sophisticated data structures that are hard to analyze at the machine code level. We've long sought to simplify the process of reverse engineering object-oriented code by creating tools, such as OOAnalyzer, which automatically recovers C++-style classes from executables. OOAnalyzer includes utilities to import OOAnalyzer results into other reverse engineering frameworks,...

Read More
Selecting Measurement Data for Software Assurance Practices

Selecting Measurement Data for Software Assurance Practices

• SEI Blog
Carol Woody

Measuring the software assurance of a product as it is developed and delivered to function in a specific system context involves assembling carefully chosen metrics. These metrics should demonstrate a range of behaviors to confirm confidence that the product functions as intended and is free of vulnerabilities. The Software Assurance Framework (SAF) is a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain to promote the desired assurance behaviors....

Read More
Three Architecture Recommendations for Sustainment Organizations

Three Architecture Recommendations for Sustainment Organizations

• SEI Blog
Susan Crozier Cox

In a March 2019 report, the Defense Innovation Board (DIB)--a group of advisors focused on bringing the technical advantages employed by Silicon Valley to the Department of Defense (DoD)--noted that the United States faces threats that are evolving at an ever-increasing pace. The DIB also noted that the DoD's ability to adapt and respond to these threats is now determined by its ability to develop and deploy software to the field rapidly. As the DIB...

Read More
Testing Concurrent Systems: Concurrency Defects, Testing Techniques, and Recommendations

Testing Concurrent Systems: Concurrency Defects, Testing Techniques, and Recommendations

• SEI Blog
Donald Firesmith

Concurrency, which exists whenever multiple entities execute simultaneously, is a ubiquitous and an unavoidable fact of life in systems and software engineering. It greatly increases system and software complexity, which directly impacts testing. Concurrency leads to nondeterministic behavior and numerous types of concurrency defects that require specialized approaches to uncover. At the SEI, we are often called upon to review development planning documents including Test and Evaluation Master Plans (TEMPs) and Software Test Plans (STPs)....

Read More
Model-Based Analysis of Agile Development Practices

Model-Based Analysis of Agile Development Practices

• SEI Blog
Andrew Moore

Bill Nichols, Bill Novak, and David Zubrow helped to write this blog post. Applications of Agile development practices in government are providing experience that decision makers can use to improve policy, procedure, and practice. Behavioral modeling and simulation (BModSim) techniques (such as agent-based modeling, computational game theory, and System Dynamics) provide a way to construct valid, coherent, and executable characterizations of Agile software development. These techniques can help answer key questions about Agile concepts and...

Read More
The Vectors of Code: On Machine Learning for Software

The Vectors of Code: On Machine Learning for Software

• SEI Blog
Zachary Kurtz

This blog post provides a light technical introduction on machine learning (ML) for problems of computer code, such as detecting malicious executables or vulnerabilities in source code. Code vectors enable ML practitioners to tackle code problems that were previously approachable only with highly-specialized software engineering knowledge. Conversely, code vectors can help software analysts to leverage general, off-the-shelf ML tools without needing to become ML experts. In this post, I introduce some use cases for ML...

Read More
After the Cyber Resilience Review: A Targeted Improvement Plan for Service Continuity

After the Cyber Resilience Review: A Targeted Improvement Plan for Service Continuity

• SEI Blog
Robert Vrtis

Jeff Pinckard co-wrote this blog post. In 2011, the SEI's CERT Division developed and published the Cyber Resilience Review (CRR) on behalf of the Department of Homeland Security. Since then, hundreds of CRRs have been conducted across all critical-infrastructure sectors, including financial services, healthcare and public health, energy, and water and wastewater systems. Each CRR provides an organization with a comprehensive report that can provide a seemingly overwhelming number of options for improving the resilience...

Read More
The Latest Research from the SEI in DevSecOps, Threat Modeling, and Insider Threat

The Latest Research from the SEI in DevSecOps, Threat Modeling, and Insider Threat

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in DevSecOps, insider threat, cyber risk and resilience, software assurance, infrastructure as code, software architecture, and threat modeling. These publications highlight the latest work of SEI technologists in these areas. This blog post also presents the latest episode in our podcast series highlighting the work of...

Read More