Archive: 2015

Development of a Master of Software Assurance Reference Curriculum

• SEI Blog
Nancy Mead

The federal government is facing a shortage of cybersecurity professionals that puts our national security at risk, according to recent research. "As cyber attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cybersecurity professionals takes time," the research states. Recognizing these realities, the U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD)...

Adding Red to Blue: 10 Tactics Defenders Can Learn from Penetration Testers

• SEI Blog
Brent Kennedy

Malicious attackers and penetration testers can use some of the same tools. Attackers use them to cause harm while penetration testers use them to bring value to organizations. In this blog post, I've partnered with colleagues Jason Frank and Will Schroeder from The Veris Group's Adaptive Threat Division to describe some of the common penetration testing tools and techniques that can greatly benefit network defenders. While this blog post cannot cover all the techniques and...

Flow Analytics for Cyber Situational Awareness

• SEI Blog
Sid Faber

It's the holiday season, a traditionally busy time for many data centers as online shopping surges and many of the staff take vacations. When you see abnormal traffic patterns and overall volume starts to rise, what is the best way to determine the cause? People could be drawn to your business, and you will soon need to add surge capacity, or maybe you are in the beginnings of a denial-of-service attack and need to contact...

A Discussion on Open-Systems Architecture

• SEI Blog
Carol Sledge

At an open architecture summit in November 2014, Katrina G. McFarland, assistant secretary of defense for acquisition said that 75 percent of all Defense Department acquisition strategies implement open systems architecture across all services and agencies. "This department is seriously engaged in trying to understand how to help our program managers and our department and our industry look at open architecture and its benefits," McFarland said, "and understand truly what our objectives are related to...

OSA: 4 Best Practices for Open Software Ecosystems

• SEI Blog
Bryce Meyer

Many systems and platforms, from unmanned aerial vehicles to minivans and smartphones, are realizing the promise of Open Systems Architecture (OSA). A core tenet of OSA is the broad availability of standards and designs, the sharing of information between developers, and in some cases downloadable tool kits. In return for openness, a broader community of potential developers and applications emerges, which in turn increases adoption and use. Consequently, there is a trade-off. Openness is a...

Agile Project Management for Information Security Continuous Monitoring Response

• SEI Blog
Doug Gray

According to the National Institute of Standards and Technology (NIST), Information Security Continuous Monitoring (ISCM) is a process for continuously analyzing, reporting, and responding to risks to operational resilience (in an automated manner, whenever possible). Compared to the traditional method of collecting and assessing risks at longer intervals--for instance, monthly or annually--ISCM promises to provide near-real-time situational awareness of an organization's risk profile. ISCM creates challenges as well as benefits, however, because the velocity of...

Toward Efficient and Effective Software Sustainment

• SEI Blog
Mike Phillips

In my preceding blog posts, I promised to provide more examples highlighting the importance of software sustainment in the U.S. Department of Defense (DoD). My focus is on sustaining legacy weapons systems that are no longer in production, but are expected to remain a key component of our defense capability for decades to come. Despite the fact that these legacy systems are no longer in the acquisition phase, software upgrade cycles are needed to refresh...

7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

• SEI Blog
SPRUCE Project

This is the first post in a three-part series. Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure...

Open System Architectures: When and Where to be Closed

• SEI Blog
Donald Firesmith

By Donald Firesmith, Principal Engineer, Software Solutions Division

Due to advances in hardware and software technologies, Department of Defense (DoD) systems today are highly capable and complex. However, they also face increasing scale, computation, and security challenges. Compounding these challenges, DoD systems were historically designed using stove-piped architectures that lock the Government into a small number of system integrators, each devising proprietary point solutions that are expensive to develop and sustain over the lifecycle. Although...

Applying Threat Intelligence to Operational Resilience and Risk Management Frameworks

• SEI Blog
Doug Gray

By Douglas Gray, Information Security Engineer, CERT Division

In leveraging threat intelligence, the operational resilience practitioner need not create a competing process independent of other frameworks the organization is leveraging. In fact, the use of intelligence products in managing operational resilience is not only compatible with many existing frameworks but is, in many cases, inherent. While it is beyond the scope of this blog to provide an in-depth discussion of some of the more widely...

Is Java More Secure than C?

• SEI Blog
David Svoboda

By David Svoboda, Senior Member of the Technical Staff, CERT Division

Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When we began writing the SEI CERT Oracle Coding Standard for Java, we thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. We naively assumed that a more...

Leveraging Threat Intelligence to Support Resilience, Risk, and Project Management

• SEI Blog
Doug Gray

By Douglas Gray, Information Security Engineer, CERT Division

What differentiates cybersecurity from other domains in information technology (IT)? Cybersecurity must account for an adversary. It is the intentions, capabilities, and prevailing attack patterns of these adversaries that form the basis of risk management and the development of requirements for cybersecurity programs. In this blog post, the first in a series, I present strategies for enabling resilience practitioners to organize and articulate their intelligence needs, as well...

A Taxonomy of Testing: What-Based and When-Based Testing Types

• SEI Blog
Donald Firesmith

By Donald Firesmith, Principal Engineer, Software Solutions Division

There are more than 200 different types of testing, and many stakeholders in testing--including the testers themselves and test managers--are often largely unaware of them or do not know how to perform them. Similarly, test planning frequently overlooks important types of testing. The primary goal of this series of blog posts is to raise awareness of the large number of test types, to verify adequate completeness of...

Managing Software Complexity in Models

• SEI Blog
Julien Delange

By Julien Delange, Member of the Technical Staff, Software Solutions Division

For decades, safety-critical systems have become more software intensive in every domain--in avionics, aerospace, automobiles, and medicine. Software acquisition is now one of the biggest production costs for safety-critical systems. These systems are made up of several software and hardware components, executed on different components, and interconnected using various buses and protocols. For instance, cars are now equipped with more than 70 electronic control...

Agile, Architecture Fault Analysis, the BIS Wassenaar Rule, and Computer Network Design: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

By Douglas C. Schmidt, Principal Researcher

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, technical notes, and white papers. These reports highlight the latest work of SEI technologists in Agile software development and Agile-at-scale, software architecture fault analysis, computer network design, confidence in system properties, and system-of-systems development as well as commentary from two CERT...

A Taxonomy of Testing

• SEI Blog
Donald Firesmith

By Donald Firesmith, Principal Engineer, Software Solutions Division

While evaluating the test programs of numerous defense contractors, we have often observed that they are quite incomplete. For example, they typically fail to address all the relevant types of testing that should be used to (1) uncover defects, (2) provide evidence concerning the quality and maturity of the system or software under test, and (3) demonstrate the readiness of the system or software for acceptance and...

The SEI Technical Strategic Plan

• SEI Blog
Kevin Fall

By Kevin Fall, Deputy Director, Research, and CTO

This is the second installment in a series on the SEI's technical strategic plan. Department of Defense (DoD) systems are becoming increasingly software reliant, at a time when concerns about cybersecurity are at an all-time high. Consequently, the DoD, and the government more broadly, is expending significantly more time, effort, and money in creating, securing, and maintaining software-reliant systems and networks. Our first post in this series provided...

The Pharos Framework: Binary Static Analysis of Object Oriented Code

• SEI Blog
Jeffrey Gennari

Object-oriented programs present considerable challenges to reverse engineers. For example, C++ classes are high-level structures that lead to complex arrangements of assembly instructions when compiled. These complexities are exacerbated for malware analysts because malware rarely has source code available; thus, analysts must grapple with sophisticated data structures exclusively at the machine code level. As more and more object-oriented malware is written in C++, analysts are increasingly faced with the challenges of reverse engineering C++ data...

10 Recommended Practices for Achieving Agile at Scale

• SEI Blog
SPRUCE Project

This is the second installment of two blog posts highlighting recommended practices for achieving Agile at Scale that was originally published on the Cyber Security & Information Systems Information Analysis Center (CSIAC) website. The first post in the series by Ipek Ozkaya and Robert Nord explored challenges to achieving Agile at Scale and presented the first five recommended practices:

1. Team coordination
2. Architectural runway
3. Align development and decomposition
4. Quality-attribute scenarios
5. Test-driven development

This post presents the...

SEI Unveils a New Blogging Platform

• SEI Blog
Douglas C. Schmidt

We are writing to let our SEI Blog readers know about some changes to SEI blogs that make our content areas more accessible and easier to navigate. On August 6, 2015, the SEI will unveil a new website, SEI Insights, that will give you access to all SEI blogs--the CERT/CC, Insider Threat, DevOps and SATURN, and SEI--in one mobile-friendly location. At SEI Insights, readers can quickly review the most recent posts from all SEI blogs...

10 Recommended Practices for Achieving Agile at Scale

• SEI Blog
SPRUCE Project

This post is the first in a two-part series highlighting 10 recommended practices for achieving agile at scale. Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available...

A Field Study of Technical Debt

• SEI Blog
Neil Ernst

In their haste to deliver software capabilities, developers sometimes engage in less-than-optimal coding practices. If not addressed, these shortcuts can ultimately yield unexpected rework costs that offset the benefits of rapid delivery. Technical debt conceptualizes the tradeoff between the short-term benefits of rapid delivery and long-term value. Taking shortcuts to expedite the delivery of features in the short term incurs technical debt, analogous to financial debt, that must be paid off later to optimize long-term...

Context-Aware Computing in the DoD

• SEI Blog
Jeff Boleng

In their current state, wearable computing devices, such as glasses, watches, or sensors embedded into your clothing, are obtrusive. Jason Hong, associate professor of computer science at Carnegie Mellon University, wrote in a 2014 co-authored article in Pervasive Computing that while wearables gather input from sensors placed optimally on our bodies, they can also be "harder to accommodate due to our social context and requirements to keep them small and lightweight."...

Testing, Agile Metrics, Fuzzy Hashing, Android, and Big Data: The SEI Blog Mid-Year Review (Top 10 Posts)

• SEI Blog
Douglas C. Schmidt

The SEI Blog continues to attract an ever-increasing number of readers interested in learning more about our work in agile metrics, high-performance computing, malware analysis, testing, and other topics. As we reach the mid-year point, this blog posting highlights our 10 most popular posts, and links to additional related resources you might find of interest. (Many of our posts cover related research areas, so we grouped them together for ease of reference.) Before we take...

The SPRUCE Series: 8 Recommended Practices in the Software-Development of Safety-Critical Systems

• SEI Blog
SPRUCE Project

This is the second installment of two blog posts highlighting recommended practices for developing safety-critical systems that was originally published on the Cyber Security & Information Systems Information Analysis Center (CSIAC) website. The first post in the series by Peter Feiler, Julien Delange, and Charles Weinstock explored challenges to developing safety-critical systems and presented the first three practices: Use quality attribute scenarios and mission-thread analyses to identify safety-critical requirements. Specify safety-critical requirements, and prioritize...

The SPRUCE Series: Recommended Practices in the Software Development of Safety-Critical Systems

• SEI Blog
SPRUCE Project

Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure software-reliant systems on schedule and within budget....

AADL Code Generation for Avionics Systems

• SEI Blog
Julien Delange

Using the Architecture Analysis & Design Language (AADL) modeling notation early in the development process not only helps the development team detect design errors before implementation, but also supports implementation efforts and produces high-quality code. Our recent blog posts and webinar have shown how AADL can identify potential design errors and help avoid propagating them through the development process, where remediation can require massive re-engineering, delay the schedule, and increase costs....

Aircraft Systems: Three Principles for Mitigating Complexity

• SEI Blog
Sarah Sheard

This post is the first in a series introducing our research into software and system complexity and its impact in avionics. On July 6, 2013, an Asiana Airlines Boeing 777 airplane flying from Seoul, South Korea, crashed on final approach into San Francisco International airport. While 304 of the 307 passengers and crew members on board survived, almost 200 were injured (10 critically) and three young women died. The National Transportation Safety Board (NTSB) blamed...

The SPRUCE Series: 9 Recommended Practices for Managing Operational Resilience

• SEI Blog
SPRUCE Project

Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure software-reliant systems on schedule and within budget....

The SPRUCE Series: Challenges to Managing Operational Resilience

• SEI Blog
SPRUCE Project

Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure software-reliant systems on schedule and within budget....

Applying the 12 Agile Principles in the Department of Defense

• SEI Blog
Suzanne Miller

In 2010, the Office of Management and Budget (OMB) issued a 25-point plan to reform IT that called on federal agencies to employ "shorter delivery time frames, an approach consistent with Agile" when developing or acquiring IT. OMB data suggested Agile practices could help federal agencies and other organizations design and acquire software more effectively, but agencies needed to understand the risks involved in adopting these practices....

Resilience, Model-Driven Engineering, Software Quality, and Android App Analysis - The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in governing operational resilience, model-driven engineering, software quality, Android app analysis, software architecture, and emerging technologies. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the...

Model Driven Engineering: Automatic Code Generation and Beyond

• SEI Blog
John Klein

Acquisition executives in domains ranging from modernizing legacy business systems to developing real-time communications systems often face the following challenge: Vendors claim that model-driven engineering (MDE) tools enable developers to generate software code automatically and achieve extremely high developer productivity....

Designing Security Into Software-Reliant Systems

• SEI Blog
Christopher Alberts

Software is a growing component of systems used by Department of Defense (DoD), government, and industry organizations. As organizations become more dependent on software, security-related risks to their organizational missions are also increasing. Despite this rise in security risk exposure, most organizations follow a familiar pattern when managing those risks....

Information Technology Systems Modernization

• SEI Blog
William Wood

Legacy systems represent a massive operations and maintenance (O&M) expense. According to a recent study, 75 percent of North American and European enterprise information technology (IT) budgets are expended on ongoing O&M, leaving a mere 25 percent for new investments. Another study found nearly three quarters of the U.S. federal IT budget is spent supporting legacy systems. For decades, the Department of Defense (DoD) has been attempting to modernize about 2,200 business systems, which are...

Heartbleed and Goto Fail: Two Case Studies for Predicting Software Assurance Using Quality and Reliability Measures

• SEI Blog
Carol Woody

This post was co-authored by Bill Nichols. Mitre's Top 25 Most Dangerous Software Errors is a list that details quality problems, as well as security problems. This list aims to help software developers "prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped." These vulnerabilities often result in software that does not function as intended, presenting an opportunity for attackers to compromise...

Top 10 Insider Threat Posts

• SEI Blog
Greg Shannon

For two consecutive years, organizations reported that insider crimes caused comparable damage (34 percent) to external attacks (31 percent), according to a recent cybercrime report co-sponsored by the CERT Division at the Carnegie Mellon University Software Engineering Institute. Despite this near parity, media reports of attacks often focus on external attacks and their aftermath, yet an attack can be equally or even more devastating when carried out from within an organization. Insider threats are influenced...

Top 10 CERT/CC Blog Posts on Vulnerabilities and SSL Tools

• SEI Blog
Greg Shannon

In 2014, approximately 1 billion records of personally identifiable information were compromised as a result of cybersecurity vulnerabilities. In the face of this onslaught of compromises, it is important to examine fundamental insecurities that CERT researchers have identified and that readers of the CERT/CC blog have found compelling. This post, the first in a series highlighting CERT resources available to the public including blogs and notes, focuses on the CERT/CC blog. This blog post highlights...

An Introduction to the Mission Thread Workshop

• SEI Blog
Michael Gagliardi

In Department of Defense (DoD) programs, cooperation among software and system components is critical. A system of systems (SoS) is used to accomplish a number of missions where cooperation among individual systems is critical to providing (new) capabilities that the systems could not provide. SoS capabilities are a major driver in the architecture of the SoS and selection of constituent systems for the SoS. There are additional critical drivers, however, that must be accounted for...

Four Types of Shift Left Testing

• SEI Blog
Donald Firesmith

One of the most important and widely discussed trends within the software testing community is shift left testing, which simply means beginning testing as early as practical in the lifecycle. What is less widely known, both inside and outside the testing community, is that testers can employ four fundamentally different approaches to shift testing to the left. Unfortunately, different people commonly use the generic term shift left to mean different approaches, which can lead to serious...

An Enhanced Tool for Securing Android Apps

• SEI Blog
Lori Flynn

This blog post was co-authored by Will Klieber. Each software application installed on a mobile smartphone, whether a new app or an update, can introduce new, unintentional vulnerabilities or malicious code. These problems can lead to security challenges for organizations whose staff uses mobile phones for work. In April 2014, we published a blog post highlighting DidFail (Droid Intent Data Flow Analysis for Information Leakage), which is a static analysis tool for Android app sets...

Data-Driven Software Assurance

• SEI Blog
Michael Konrad

As recent news headlines about Shellshock, Sony, Anthem, and Target have demonstrated, software vulnerabilities are on the rise. The U.S. General Accounting Office in 2013 reported that "operational vulnerabilities have increased 780 percent over the past six years." These vulnerabilities can be hard and expensive to eradicate, especially if introduced during the design phase. One issue is that design defects exist at a deeper architectural level and thus can be hard to find and address....

AADL: Four Real-World Perspectives

• SEI Blog
Julien Delange

Mismatched assumptions about hardware, software, and their interactions often result in system problems detected too late in the development lifecycle, which is an expensive and potentially dangerous situation for developers and users of mission- and safety-critical technologies. To address this problem, the Society of Automotive Engineers (SAE) released the aerospace standard AS5506, named the Architecture Analysis & Design Language (AADL). The AADL standard defines a modeling notation based on a textual and graphic representation used by...

Resilience, Metrics, Sustainment, and Software Assurance - The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in resilience, metrics, sustainment, and software assurance. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website....

A Five-Year Technical Strategic Plan for the SEI

• SEI Blog
Kevin Fall

The Department of Defense (DoD) and other government agencies increasingly rely on software and networked software systems. As one of over 40 federally funded research and development centers sponsored by the United States government, Carnegie Mellon University's Software Engineering Institute (SEI) is working to help the government acquire, design, produce, and evolve software-reliant systems in an affordable and secure manner. The quality, safety, reliability, and security of software and the cyberspace it creates are major...

Developing a Software Library for Graph Analytics

• SEI Blog
Scott McMillan

This blog post was co-authored by Eric Werner. Graph algorithms are in wide use in Department of Defense (DoD) software applications, including intelligence analysis, autonomous systems, cyber intelligence and security, and logistics optimizations. In late 2013, several luminaries from the graph analytics community released a position paper calling for an open effort, now referred to as GraphBLAS, to define a standard for graph algorithms in terms of linear algebraic operations. BLAS stands for Basic Linear...

Incorporating Verified Design by Contract into PSP

• SEI Blog
Bill Nichols

As software continues to grow in size and complexity, software programmers continue to make mistakes during development. These mistakes can result in defects in software products and can cause severe damage when the software goes into production. Through the Personal Software Process (PSP), the Carnegie Mellon University Software Engineering Institute has long advocated incorporating discipline and quantitative measurement into the software engineer's initial development work to detect and eliminate defects before the product is delivered...

Software Assurance, Social Networking Tools, Insider Threat, and Risk Analysis--The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in software assurance, social networking tools, insider threat, and the Security Engineering Risk Analysis Framework (SERA). This post includes a listing of each report, author(s), and links where the published reports can be accessed on the...

Is Your Organization Ready for Agile? - Part 6

• SEI Blog
Suzanne Miller

This blog post is the sixth in a series on Agile adoption in regulated settings, such as the Department of Defense, Internal Revenue Service, and Food and Drug Administration. "Across the government, we've decreased the time it takes across our high-impact investments to deliver functionality by 20 days over the past year alone. That is a big indicator that agencies across the board are adopting agile or agile-like practices," Lisa Schlosser, acting federal chief information...

Supply Chain and External Dependencies Risk Management

• SEI Blog
John Haller

Attacks and disruptions to complex supply chains for information and communications technology (ICT) and services are increasingly gaining attention. Recent incidents, such as the Target breach, the HAVEX series of attacks on the energy infrastructure, and the recently disclosed series of intrusions affecting DoD TRANSCOM contractors, highlight supply chain risk management as a cross-cutting cybersecurity problem. This risk management problem goes by different names, for example, Supply Chain Risk Management (SCRM) or Risk Management for...
