search menu icon-carat-right cmu-wordmark

Archive: 2016

Autonomy, Robotics, Verification, DDoS Attacks, and Software Testing: The Top 10 Posts of 2016

Autonomy, Robotics, Verification, DDoS Attacks, and Software Testing: The Top 10 Posts of 2016

• SEI Blog
Douglas C. Schmidt

As we have done each year since the blog's inception in 2011, this blog post presents the10 most-visited posts in 2016 in descending order ending with the most popular post. While the majority of our most popular posts were published in the last 12 months, a few, such as Don Firesmith's 2013 posts about software testing, continue to be popular with readers. 10. Verifying Software with Timers and Clocks 9. 10 At-Risk Emerging Technologies 8....

Read More
Verifying Software with Timers and Clocks (STACs)

Verifying Software with Timers and Clocks (STACs)

• SEI Blog
Sagar Chaki

This blog post is coauthored by Dionisio de Niz. Software with timers and clocks (STACs) exchange clock values to set timers and perform computation. STACs are key elements of safety-critical systems that make up the infrastructure of our daily lives. They are particularly used to control systems that interact (and must be synchronized) with the physical world. Examples include avionics systems, medical devices, cars, cell phones, and other devices that rely on software not only...

Read More
Why Did the Robot Do That?

Why Did the Robot Do That?

• SEI Blog
Stephanie Rosenthal

The growth and change in the field of robotics in the last 15 years is tremendous, due in large part to improvements in sensors and computational power. These sensors give robots an awareness of their environment, including various conditions such as light, touch, navigation, location, distance, proximity, sound, temperature, and humidity. The increasing ability of robots to sense their environments makes them an invaluable resource in a growing number of situations, from underwater explorations to...

Read More
Cybersecurity Engineering, Performance, Risk, and Secure Coding: The Latest Work from the SEI

Cybersecurity Engineering, Performance, Risk, and Secure Coding: The Latest Work from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published books, SEI technical reports, and webinars in cybersecurity engineering, performance and dependability, cyber risk and resilience management, cyber intelligence, secure coding, and the latest requirements for chief information security offficers (CISOs). These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links...

Read More
Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response

Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response

• SEI Blog
Rachel Kartch

Late last month, Internet users across the eastern seaboard of the United States had trouble accessing popular websites, such as Reddit, Netflix, and the New York Times. As reported in Wired Magazine, the disruption was the result of multiple distributed denial of service (DDoS) attacks against a single organization: Dyn, a New Hampshire-based Internet infrastructure company. DDoS attacks can be extremely disruptive, and they are on the rise. The Verisign Distributed Denial of Service Trends...

Read More
Cyber Threat Modeling: An Evaluation of Three Methods

Cyber Threat Modeling: An Evaluation of Three Methods

• SEI Blog
Forrest Shull

This post was co-authored by Nancy Mead. Cyber threat modeling, the creation of an abstraction of a system to identify possible threats, is a required activity for DoD acquisition. Identifying potential threats to a system, cyber or otherwise, is increasingly important in today's environment. The number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased by 1,121 percent from 5,503 in fiscal year 2006 to 67,168...

Read More
Security Modeling Tools

Security Modeling Tools

• SEI Blog
Julien Delange

Over the past six months, we have developed new security-focused modeling tools that capture vulnerabilities and their propagation paths in an architecture. Recent reports (such as the remote attack surface analysis of automotive systems) show that security is no longer only a matter of code and is tightly related to the software architecture. These new tools are our contribution toward improving system and software analysis. We hope they will move forward other work on security...

Read More
Seven Principles for Software Assurance

Seven Principles for Software Assurance

• SEI Blog
Nancy Mead

The exponential increase in cybercrime is a perfect example of how rapidly change is happening in cyberspace and why operational security is a critical need. In the 1990s, computer crime was usually nothing more than simple trespass. Twenty-five years later, computer crime has become a vast criminal enterprise with profits estimated at $1 trillion annually. One of the primary contributors to this astonishing success is the vulnerability of software to exploitation through defects. How pervasive...

Read More
Resilience, Secure Coding, Data Science, Insider Threat, and Scheduling: The Latest Research from the SEI

Resilience, Secure Coding, Data Science, Insider Threat, and Scheduling: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI technical reports, white papers, and webinars in resilience, effective cyber workforce development, secure coding, data science, insider threat, and scheduling. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website....

Read More
Verifying Distributed Adaptive Real-Time Systems

Verifying Distributed Adaptive Real-Time Systems

• SEI Blog
James Edmondson

This post was co-authored by Sagar Chaki In 2011, the U.S. Government maintained a fleet of approximately 8,000 unmanned aerial systems (UAS), commonly referred to as "drones," a number that continues to grow. "No weapon system has had a more profound impact on the United States' ability to provide persistence on the battlefield than the UAVs," according to a report from the 2012 Defense Science Board. Making sure government and privately owned drones share international...

Read More
Why Netflow Data Still Matters

Why Netflow Data Still Matters

• SEI Blog
Emily Sarneso

Network flow plays a vital role in the future of network security and analysis. With more devices connecting to the Internet, networks are larger and faster than ever before. Therefore, capturing and analyzing packet capture data (pcap) on a large network is often prohibitively expensive. Cisco developed NetFlow 20 years ago to reduce the amount of information collected from a communication by aggregating packets with the same IP addresses, transport ports, and protocol (also known...

Read More
Secure Coding in C++11 and C++14

Secure Coding in C++11 and C++14

• SEI Blog
Aaron Ballman

Writing secure C++ code is hard. C++11 and C++14 have added new facilities that change the way programmers write C++ code with the introduction of features like lambdas and concurrency. Few resources exist, however, describing how these new facilities also increase the number of ways in which security vulnerabilities can be introduced into a program or how to avoid using these facilities insecurely. Previous secure coding efforts, including the SEI CERT C Coding Standard and...

Read More
Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data

Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data

• SEI Blog
Tim Shimeall

By the close of 2016, "Annual global IP traffic will pass the zettabyte ([ZB]; 1000 exabytes [EB]) threshold and will reach 2.3 ZBs per year by 2020" according to Cisco's Visual Networking Index. The report further states that in the same time frame smartphone traffic will exceed PC traffic. While capturing and evaluating network traffic enables defenders of large-scale organizational networks to generate security alerts and identify intrusions, operators of networks with even comparatively modest...

Read More
Modeling and Simulation in Insider Threat

Modeling and Simulation in Insider Threat

• SEI Blog
Andrew Moore

A 2016 study on cybersecurity and digital trust found that 69 percent of organizations surveyed experienced an attempted or successful theft or corruption of data by insiders in the last 12 months. Despite the impact of insider threat--and continued mandates that government agencies and their contractors put insider threat programs in place--a number of organizations still have not implemented them. Moreover, the programs that have been implemented often have serious deficiencies. One impediment to organizations...

Read More
Data Science, Blacklists, and Mixed-Critical Software: The Latest Research from the SEI

Data Science, Blacklists, and Mixed-Critical Software: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog posting summarizes some recently published SEI technical reports, white papers, and webinars in early lifecycle cost estimation, data science, host protection strategies, blacklists, the Architectural Analysis and Design Language (AADL), architecture fault modeling and analysis, and programming and verifying distributed mixed-synchrony and mixed-critical software. These publications highlight the latest work of SEI technologists in these areas. This post includes...

Read More
The Future of Managing Technical Debt

The Future of Managing Technical Debt

• SEI Blog
Robert Nord

Software engineers increasingly recognize technical debt as a problem they care about, but they lack methods and tools to help them strategically plan, track, and pay down debt. The concept provides a vocabulary to engage researchers from a practice point of view, but they often lack an empirical basis and data science on which to validate their work on technical debt. Our recent Dagstuhl Seminar on Managing Technical Debt in Software Engineering provided a venue...

Read More
Addressing the Shortfall of Secure Software Developers through Community College Education

Addressing the Shortfall of Secure Software Developers through Community College Education

• SEI Blog
Nancy Mead

The (ISC)2 Global Information Security Workforce Study (GISWS) forecasts a shortfall of 1.5 million cybersecurity professionals by 2020. Government sources also project critical shortages of cybersecurity professionals. This predicted shortfall is troubling because the growing number and sophistication of cyber attacks threatens our infrastructure, which is increasingly software dependent. This blog post--derived from the paper Meeting Industry Needs for Secure Software Development, which I coauthored with Girish Seshagiri and Julie Howar--describes a collaboration involving industry,...

Read More
Early Software Vulnerability Detection with Technical Debt

Early Software Vulnerability Detection with Technical Debt

• SEI Blog
Robert Nord

Edward J. Schwartz, a research scientist on the vulnerability analysis team, co-authored this post. Software engineers face a universal problem when developing software: weighing the benefit of an approach that is expedient in the short-term, but which can lead to complexity and cost over the long term. In software-intensive systems, these tradeoffs can create technical debt, which is a design or implementation construct that is expedient in the short term, but which sets up a...

Read More
SEI Researchers Provide Congressional Testimony on Social Security

SEI Researchers Provide Congressional Testimony on Social Security

• SEI Blog
Suzanne Miller

This post is co-authored by Will Hayes and Eileen Wrubel. On July 14, 2016, the House Ways and Means Subcommittee on Social Security convened a hearing on the Social Security Administration's (SSA) information technology modernization plan. The hearing focused on the current state of the Social Security Administration's (SSA) Information Technology (IT) modernization plan and best practices for IT modernization, including oversight of agile software development. Agile development approaches, relatively new in government settings, create...

Read More
Prototyping for Developing Big Data Systems

Prototyping for Developing Big Data Systems

• SEI Blog
Rick Kazman

There are several risks specific to big data system development. Software architects developing any system--big data or otherwise--must address risks associated with cost, schedule, and quality. All of these risks are amplified in the context of big data. Architecting big data systems is challenging because the technology landscape is new and rapidly changing, and the quality attribute challenges, particularly for performance, are substantial. Some software architects manage these risks with architecture analysis, while others use...

Read More
EMFTA: an Open Source Tool for Fault Tree Analysis

EMFTA: an Open Source Tool for Fault Tree Analysis

• SEI Blog
Julien Delange

Safety-critical software must be analyzed and checked carefully. Each potential error, failure, or defect must be considered and evaluated before you release a new product. For example, if you are producing a quadcopter drone, you would like to know the probability of engine failure to evaluate the system's reliability. Safety analysis is hard. Standards such as ARP4761 mandate several analyses, such as Functional Hazard Assessment (FHA) and Failure Mode and Effect Analysis (FMEA). One popular...

Read More
A Naval Perspective on Open-Systems Architecture

A Naval Perspective on Open-Systems Architecture

• SEI Blog
Douglas C. Schmidt

This blog post was co-authored by Carol Sledge. To deliver enhanced, integrated warfighting capability at lower cost, the DoD must move away from stovepiped solutions and embrace open systems architecture (OSA) approaches that integrate business and technical practices to create systems with interoperable and reusable components. In November, the SEI launched a series of blog posts that highlight the perspectives of DoD stakeholders--including contractor and government employees--on OSA-based approaches and how they can best be...

Read More
Top 10 SEI Blog Posts of 2016

Top 10 SEI Blog Posts of 2016

• SEI Blog
Douglas C. Schmidt

The crop of Top 10 SEI blog posts published in the first half of 2016 (judged by the number of visits by our readers) represents a cross section of the type of cutting-edge work that we do at the SEI: at-risk emerging technologies, cyber intelligence, big data, vehicle cybersecurity, and what ant colonies can teach us about securing the internet. In all, readers visited the SEI blog more than 52,000 times for the first six...

Read More
Got Technical Debt? Track Technical Debt to Improve Your Development Practices

Got Technical Debt? Track Technical Debt to Improve Your Development Practices

• SEI Blog
Stephany Bellomo

What is technical debt? Why identify technical debt? Shouldn't it be captured as defects and bugs? Concretely communicating technical debt and its consequences is of interest to both researchers and software engineers. Without validated tools and techniques to achieve this goal with repeatable results, developers resort to ad hoc practices, most commonly using issue trackers or backlog-management practices to capture and track technical debt. We examined 1,264 issues from four issue trackers used in open-source...

Read More
Using Quality Metrics and Security Methods to Predict Software Assurance

Using Quality Metrics and Security Methods to Predict Software Assurance

• SEI Blog
Carol Woody

This blog post was co-authored by Nancy Mead, SEI Fellow. To ensure software will function as intended and is free of vulnerabilities (aka software assurance), software engineers must consider security early in the lifecycle, when the system is being designed and architected. Recent research on vulnerabilities supports this claim: Nearly half the weaknesses identified in the Common Weakness Enumeration (CWE) repository have been identified as design weaknesses. These weaknesses are introduced early in the lifecycle...

Read More
Helping Large Government Programs Adopt and Adapt to Agile Methods

Helping Large Government Programs Adopt and Adapt to Agile Methods

• SEI Blog
Harry Levinson

The mix of program-scale Agile and technical baseline ownership drives cheaper, better, and faster deployment of software-intensive systems. Although these practices aren't new, the SEI has seen how their combination can have dramatic effects. The Air Force Distributed Common Ground System (AF DCGS)--the Air Force's primary weapon system for intelligence, surveillance, reconnaissance, planning, direction, collection, processing, exploitation, analysis, and dissemination--employs a global communications architecture that connects multiple intelligence platforms and sensors. The AF DCGS challenge...

Read More
Prioritizing Alerts from Static Analysis to Find and Fix Code Flaws

Prioritizing Alerts from Static Analysis to Find and Fix Code Flaws

• SEI Blog
Lori Flynn

In 2015, the National Vulnerability Database (NVD) recorded 6,488 new software vulnerabilities, and the NVD documents a total of 74,885 software vulnerabilities discovered between 1988-2016. Static analysis tools examine code for flaws, including those that could lead to software security vulnerabilities, and produce diagnostic messages ("alerts") indicating the location of the purported flaw in the source code, the nature of the flaw, and often additional contextual information. A human auditor then evaluates the validity of...

Read More
Situational Analysis, Software Architecture, Insider Threat, Threat Modeling, and Honeynets: The Latest Research from the SEI

Situational Analysis, Software Architecture, Insider Threat, Threat Modeling, and Honeynets: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, white papers, webinars, and podcasts. These publications highlight the latest work of SEI technologists in military situational analysis, software architecture, insider threat, honeynets, and threat modeling. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website....

Read More
Vehicle Cybersecurity: The Jeep Hack and Beyond

Vehicle Cybersecurity: The Jeep Hack and Beyond

• SEI Blog
Christopher King

This blog post was co-authored by Dan Klinedinst. Automobiles are often referred to as "computers on wheels" with newer models containing more than 100 million lines of code. All this code provides features such as forward collision warning systems and automatic emergency braking to keep drivers safe. This code offers other benefits such as traffic detection, smartphone integration, and enhanced navigation. These features also introduce an increased risk of compromise, as demonstrated by researchers Chris...

Read More
A Case Study in Locating the Architectural Roots of Technical Debt

A Case Study in Locating the Architectural Roots of Technical Debt

• SEI Blog
Rick Kazman

Recent research has demonstrated that in large scale software systems, bugs seldom exist in isolation. As detailed in a previous post in this series, bugs are often architecturally connected. These architectural connections are design flaws. Static analysis tools cannot find many of these flaws, so they are typically not addressed early in the software development lifecycle. Such flaws, if they are detected at all, are found after the software has been in use; at this...

Read More
10 At-Risk Emerging Technologies

10 At-Risk Emerging Technologies

• SEI Blog
Christopher King

In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that may arise from new technologies. Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security identify areas for further study. Researchers in the SEI's CERT Division recently examined the security of a large swath of technology domains being developed in industry and maturing over the next five years. Our team...

Read More
Threat Analysis Mapping, Connected Vehicles, Emerging Technologies, and Cyber-Foraging: The Latest Research from the SEI

Threat Analysis Mapping, Connected Vehicles, Emerging Technologies, and Cyber-Foraging: The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, technical notes, and white papers. These reports highlight the latest work of SEI technologists in estimating program costs early in the development lifecycle, threat analysis mapping, risks and vulnerabilities in connected vehicles, emerging technologies, and cyber-foraging. This post includes a listing of each report, author(s), and links...

Read More
Is Your Organization Ready for Agile? - Part 7

Is Your Organization Ready for Agile? - Part 7

• SEI Blog
Suzanne Miller

This blog post is the seventh and final installment in a series on Agile adoption in regulated settings, such as the Department of Defense, Internal Revenue Service, and Food and Drug Administration. Organizations and federal agencies seeking to adopt Agile often struggle because they do not understand the adoption risks involved when contemplating the use of Agile approaches. This ongoing series on Readiness and Fit Analysis (RFA) focuses on helping federal agencies, such as the...

Read More
A Platform for Dynamic Defense Technologies

A Platform for Dynamic Defense Technologies

• SEI Blog
Andrew Mellinger

Dynamic Network Defense (or Moving Target Defense) is based on a simple premise: a moving target is harder to attack than a stationary target. In recent years the government has invested substantially into moving target and adaptive cyber defense. This rapidly growing field has seen recent developments of many new technologies--defenses that range from shuffling of client-to-server assignments to protect against distributed denial-of-service (DDOS) attacks, to packet header rewriting, to rebooting servers. As researchers develop...

Read More
Static Identification of Program Behavior using Sequences of API Calls

Static Identification of Program Behavior using Sequences of API Calls

• SEI Blog
Jeffrey Gennari

Much of the malware that we analyze includes some type of remote access capability. Malware analysts broadly refer to this type of malware as a remote access tool (RAT). RAT-like capabilities are possessed by many well-known malware families, such as DarkComet. As described in this series of posts, CERT researchers are exploring ways to automate common malware analysis activities. In a previous post, I discussed the Pharos Binary Analysis Framework and tools to support reverse...

Read More
What Ant Colonies Can Teach Us About Securing the Internet

What Ant Colonies Can Teach Us About Securing the Internet

• SEI Blog
William Casey

In cyber systems, the identities of devices can easily be spoofed and are frequent targets of cyber-attacks. Once an identity is fabricated, stolen or spoofed it may be used as a nexus to systems, thus forming a Sybil Attack. To address these and other problems associated with identity deception researchers at the Carnegie Mellon University Software Engineering Institute, New York University's Tandon School of Engineering and Courant Institute of Mathematical Sciences, and the University of...

Read More
7 Recommended Practices for Managing Intellectual Property in the Acquisition of Software-Intensive Systems

7 Recommended Practices for Managing Intellectual Property in the Acquisition of Software-Intensive Systems

• SEI Blog
SPRUCE Project

This is the third installment in a series of three blog posts highlighting seven recommended practices for acquiring intellectual property. This content was originally published on the Cyber Security & Information Analysis Center's website online environment known as SPRUCE (Systems and Software Producibility Collaboration Environment. The first post in the series explored the challenges to acquiring intellectual property. The second post in the series presented the first four of seven practices for acquiring intellectual property....

Read More
Three Roles and Three Failure Patterns of Software Architects

Three Roles and Three Failure Patterns of Software Architects

• SEI Blog
John Klein

Listen to an audio recording of this blog post. When I was a chief architect working in industry, I was repeatedly asked the same questions: What makes an architect successful? What skills does a developer need to become a successful architect? There are no easy answers to these questions. For example, in my experience, architects are most successful when their skills and capabilities match a project's specific needs. Too often, in answering the question of...

Read More
7 Recommended Practices for Managing Intellectual Property in the Acquisition of Software-Intensive Systems

7 Recommended Practices for Managing Intellectual Property in the Acquisition of Software-Intensive Systems

• SEI Blog
SPRUCE Project

This is the second installment in a series of three blog posts highlighting seven recommended practices for acquiring intellectual property. This content was originally published on the Cyber Security & Information Analysis Center's website online environment known as SPRUCE (Systems and Software Producibility Collaboration Environment. The first post in the series explored the challenges to acquiring intellectual property. This post, which can be read in its entirety on the SPRUCE website, will present the first...

Read More
The SPRUCE Series: The Challenges to Acquiring Intellectual Property

The SPRUCE Series: The Challenges to Acquiring Intellectual Property

• SEI Blog
SPRUCE Project

Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply Agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure software-reliant systems on schedule and within budget....

Read More
A Tool to Address Cybersecurity Vulnerabilities Through Design

A Tool to Address Cybersecurity Vulnerabilities Through Design

• SEI Blog
Rick Kazman

This post was also co-authored by Carol Woody. Increasingly, software development organizations are finding that a large number of their vulnerabilities stem from design weaknesses and not coding vulnerabilities. Recent statistics indicate that research should focus on identifying design weaknesses to alleviate software bug volume. In 2011, for example when MITRE released its list of the 25 most dangerous software errors, approximately 75 percent of those errors represented design weaknesses. Viewed through another lens, more...

Read More
Structuring the Chief Information Security Officer (CISO) Organization

Structuring the Chief Information Security Officer (CISO) Organization

• SEI Blog
Nader Mehravari

This post was also co-authored by Julia Allen. Most organizations, no matter the size or operational environment (government or industry), employ a senior leader responsible for information security and cybersecurity. In many organizations, this role is known as chief information security officer (CISO) or director of information security. CISOs and others in this position increasingly find that traditional information security strategies and functions are no longer adequate when dealing with today's expanding and dynamic cyber-risk...

Read More
Cyber Intelligence and Critical Thinking

Cyber Intelligence and Critical Thinking

• SEI Blog
Jay McAllister

In June, representatives of organizations in the government, military, and industry sectors--including American Express and PNC--traveled to Pittsburgh to participate in a crisis simulation the SEI conducted. The crisis simulation--a collaborative effort involving experts from the SEI's Emerging Technology Center (ETC) and CERT Division--involved a scenario that asked members to sift through and identify Internet Protocol (IP) locations of different servers, as well as netflow data. Participants also sorted through social media accounts from simulated...

Read More
Big Data Technology Selection: A Case Study

Big Data Technology Selection: A Case Study

• SEI Blog
John Klein

A recent IDC forecast predicts that the big data technology and services market will realize "a 26.4 percent compound annual growth rate to $41.5 billion through 2018, or about six times the growth rate of the overall information technology market." In previous posts highlighting the SEI's research in big data, we explored some of the challenges related to the rapidly growing field, which include the need to make technology selections early in the architecture design...

Read More
Improving System and Software Security with AADL

Improving System and Software Security with AADL

• SEI Blog
Julien Delange

As our world becomes increasingly software-reliant, reports of security issues in the interconnected devices that we use throughout our day (i.e., the Internet of Things) are also increasing. This blog post discusses how to capture security requirements in architecture models, use them to build secure systems, and reduce potential security defects. This post also provides an overview of our ongoing research agenda on using architecture models for the design, analysis, and implementation of secure cyber-physical...

Read More
Final Installment: 7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

Final Installment: 7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

• SEI Blog
SPRUCE Project

This is the third installment in a series of three blog posts highlighting seven recommended practices for monitoring software-intensive system acquisition (SISA) programs. This content was originally published on the Cyber Security & Information Analysis Center's website online environment known as SPRUCE (Systems and Software Producibility Collaboration Environment). The first two posts in the series explored the challenges to monitoring SISA programs and presented the first five recommended best practices: Address in contracts Set up...

Read More
Second Installment: 7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

Second Installment: 7 Recommended Practices for Monitoring Software-Intensive System Acquisition (SISA) Programs

• SEI Blog
SPRUCE Project

This is the second installment in a series of three blog posts highlighting seven recommended practices for monitoring software-intensive system acquisition (SISA) programs. This content was originally published on the Cyber Security & Information Analysis Center's website online environment known as SPRUCE (Systems and Software Producibility Collaboration Environment. The first post in the series explored the challenges to monitoring SISA programs and presented the first two recommended best practices: Address in contracts Set up a...

Read More
Empirical Evaluation of API Usability and Security

Empirical Evaluation of API Usability and Security

• SEI Blog
Sam Weber

Today's computer systems often contain millions of lines of code and are constructed by integrating components, many of which are authored by various third parties. Application Programming Interfaces (APIs) are the glue that connects these software components. While the SEI and others have placed significant emphasis on developing secure coding practices, there has not been an equal emphasis placed on APIs. This blog post describes our recent research that aims to provide specific guidance to...

Read More
The Top 10 Blog Posts of 2015: Technical Debt, DevOps, Graph Analytics, Secure Coding, and Testing

The Top 10 Blog Posts of 2015: Technical Debt, DevOps, Graph Analytics, Secure Coding, and Testing

• SEI Blog
Douglas C. Schmidt

In 2015, the SEI blog launched a redesigned platform to make browsing easier, and our content areas more accessible and easier to navigate. The SEI Blog audience also continued to grow with an ever-increasing number of visitors learning more about our research in technical debt, shift-left testing, graph analytics, DevOps, secure coding, and malware analysis. In 2015 (from January 1 through December 15), the SEI blog logged 159,604 visits and sessions (we also switched analytics...

Read More