
SEI Blog

The Latest Research in Software Engineering and Cybersecurity

Latest Posts

A Discussion on Open-Systems Architecture

• SEI Blog
Carol Sledge

At an open architecture summit in November 2014, Katrina G. McFarland, assistant secretary of defense for acquisition, said that 75 percent of all Defense Department acquisition strategies implement open systems architecture across all services and agencies. "This department is seriously engaged in trying to understand how to help our program managers and our department and our industry look at open architecture and its benefits," McFarland said, "and understand truly what our objectives are related to...

OSA: 4 Best Practices for Open Software Ecosystems

• SEI Blog
Bryce Meyer

Many systems and platforms, from unmanned aerial vehicles to minivans and smartphones, are realizing the promise of Open Systems Architecture (OSA). A core tenet of OSA is the broad availability of standards and designs, the sharing of information between developers, and in some cases downloadable tool kits. In return for openness, a broader community of potential developers and applications emerges, which in turn increases adoption and use. Consequently, there is a trade-off. Openness is a...

Agile Project Management for Information Security Continuous Monitoring Response

• SEI Blog
Doug Gray

According to the National Institute of Standards and Technology (NIST), Information Security Continuous Monitoring (ISCM) is a process for continuously analyzing, reporting, and responding to risks to operational resilience (in an automated manner, whenever possible). Compared to the traditional method of collecting and assessing risks at longer intervals--for instance, monthly or annually--ISCM promises to provide near-real-time situational awareness of an organization's risk profile. ISCM creates challenges as well as benefits, however, because the velocity of...

Toward Efficient and Effective Software Sustainment

• SEI Blog
Mike Phillips

In my preceding blog posts, I promised to provide more examples highlighting the importance of software sustainment in the U.S. Department of Defense (DoD). My focus is on sustaining legacy weapons systems that are no longer in production, but are expected to remain a key component of our defense capability for decades to come. Despite the fact that these legacy systems are no longer in the acquisition phase, software upgrade cycles are needed to refresh...

7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

• SEI Blog
SPRUCE Project

This is the first post in a three-part series. Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure...

Open System Architectures: When and Where to be Closed

• SEI Blog
Donald Firesmith

By Donald Firesmith, Principal Engineer, Software Solutions Division

Due to advances in hardware and software technologies, Department of Defense (DoD) systems today are highly capable and complex. However, they also face increasing scale, computation, and security challenges. Compounding these challenges, DoD systems were historically designed using stove-piped architectures that lock the Government into a small number of system integrators, each devising proprietary point solutions that are expensive to develop and sustain over the lifecycle. Although...

Applying Threat Intelligence to Operational Resilience and Risk Management Frameworks

• SEI Blog
Doug Gray

By Douglas Gray, Information Security Engineer, CERT Division

In leveraging threat intelligence, the operational resilience practitioner need not create a competing process independent of other frameworks the organization is leveraging. In fact, the use of intelligence products in managing operational resilience is not only compatible with many existing frameworks but is, in many cases, inherent. While it is beyond the scope of this blog to provide an in-depth discussion of some of the more widely...

Is Java More Secure than C?

• SEI Blog
David Svoboda

By David Svoboda, Senior Member of the Technical Staff, CERT Division

Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When we began writing the SEI CERT Oracle Coding Standard for Java, we thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. We naively assumed that a more...
