search menu icon-carat-right cmu-wordmark

SEI Blog

The Latest Research in Software Engineering and Cybersecurity

Latest Posts

7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

• SEI Blog
SPRUCE Project

This is the first post in a three-part series. Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure...

Read More
Open System Architectures: When and Where to be Closed

Open System Architectures: When and Where to be Closed

• SEI Blog
Donald Firesmith

By Donald Firesmith Principal Engineer Software Solutions Division Due to advances in hardware and software technologies, Department of Defense (DoD) systems today are highly capable and complex. However, they also face increasing scale, computation, and security challenges. Compounding these challenges, DoD systems were historically designed using stove-piped architectures that lock the Government into a small number of system integrators, each devising proprietary point solutions that are expensive to develop and sustain over the lifecycle. Although...

Read More
Applying Threat Intelligence to Operational Resilience and Risk Management Frameworks

Applying Threat Intelligence to Operational Resilience and Risk Management Frameworks

• SEI Blog
Doug Gray

By Douglas Gray Information Security Engineer CERT Division In leveraging threat intelligence, the operational resilience practitioner need not create a competing process independent of other frameworks the organization is leveraging. In fact, the use of intelligence products in managing operational resilience is not only compatible with many existing frameworks but is, in many cases, inherent. While it is beyond the scope of this blog to provide an in-depth discussion of some of the more widely...

Read More
Is Java More Secure than C?

Is Java More Secure than C?

• SEI Blog
David Svoboda

By David Svoboda Senior Member of the Technical Staff CERT Division Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When we began writing the SEI CERT Oracle Coding Standard for Java, we thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. We naively assumed that a more...

Read More
Leveraging Threat Intelligence to Support Resilience, Risk, and Project Management

Leveraging Threat Intelligence to Support Resilience, Risk, and Project Management

• SEI Blog
Doug Gray

By Douglas Gray Information Security Engineer CERT Division What differentiates cybersecurity from other domains in information technology (IT)? Cybersecurity must account for an adversary. It is the intentions, capabilities, prevailing attack patterns of these adversaries that form the basis of risk management and the development of requirements for cybersecurity programs. In this blog post, the first in a series, I present strategies for enabling resilience practitioners to organize and articulate their intelligence needs, as well...

Read More
A Taxonomy of Testing: What-Based and When-Based Testing Types

A Taxonomy of Testing: What-Based and When-Based Testing Types

• SEI Blog
Donald Firesmith

By Donald Firesmith Principal Engineer Software Solutions Division There are more than 200 different types of testing, and many stakeholders in testing--including the testers themselves and test managers--are often largely unaware of them or do not know how to perform them. Similarly, test planning frequently overlooks important types of testing. The primary goal of this series of blog posts is to raise awareness of the large number of test types, to verify adequate completeness of...

Read More
Managing Software Complexity in Models

Managing Software Complexity in Models

• SEI Blog
Julien Delange

By Julien Delange Member of the Technical Staff Software Solutions Division For decades, safety-critical systems have become more software intensive in every domain--in avionics, aerospace, automobiles, and medicine. Software acquisition is now one of the biggest production costs for safety-critical systems. These systems are made up of several software and hardware components, executed on different components, and interconnected using various buses and protocols. For instance, cars are now equipped with more than 70 electronic control...

Read More
Agile, Architecture Fault Analysis, the BIS Wassenaar Rule, and Computer Network Design: The Latest Research from the SEI

Agile, Architecture Fault Analysis, the BIS Wassenaar Rule, and Computer Network Design: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

By Douglas C. Schmidt Principal Researcher As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, technical notes, and white papers. These reports highlight the latest work of SEI technologists in Agile software development and Agile-at-scale, software architecture fault analysis, computer network design, confidence in system properties, and system-of-systems development as well as commentary from two CERT...

Read More