search menu icon-carat-right cmu-wordmark

Archive: 2019

The AADL Error Library: 4 Families of System Errors

The AADL Error Library: 4 Families of System Errors

• SEI Blog
Sam Procter

Peter Feiler co-authored this blog post. Classifying the way that things can go wrong in a component-based system is a hard challenge since components--and the systems that rely on them--can fail in myriad, unpredictable ways. It is nonetheless a challenge that should be addressed because component-based, software-driven systems are increasingly used for safety-critical applications. Unfortunately, many well-established classifications and taxonomies of system errors are not what we would term operationalized (i.e., directly usable in modern,...

Read More
Managing the Consequences of Technical Debt: 5 Stories from the Field

Managing the Consequences of Technical Debt: 5 Stories from the Field

• SEI Blog
Ipek Ozkaya

Rod Nord coauthored this post. If you participate in the development of software, the chances are good that you have experienced the consequences of technical debt, which communicates additional cost and rework over the software lifecycle when a short-term, easy solution is chosen instead of a better solution. Understanding and managing technical debt is an important goal for many organizations. Proactively managing technical debt promises to give organizations the ability to control the cost of...

Read More
The Technical Architecture for Product Line Acquisition in the DoD - Fourth in a Series

The Technical Architecture for Product Line Acquisition in the DoD - Fourth in a Series

• SEI Blog
Nickolas Guertin

This post is co-authored by Douglas C. Schmidt and William Scherlis. DoD technologies have traditionally relied on cyber-physical/software-intensive systems that are now widely available to all nations and non-state actors. The DoD's past practice of incorporating commercial-off-the-shelf (COTS) technologies on a system-by-system basis are insufficient to stay ahead of its adversaries and increase its pace of change for delivering innovation. The DoD thus needs new acquisition approaches that can achieve rapid delivery, flexibility, and capacity...

Read More
The Organizational Impact of a Modular Product Line Architecture in DoD Acquisition - Third in a Series

The Organizational Impact of a Modular Product Line Architecture in DoD Acquisition - Third in a Series

• SEI Blog
Nickolas Guertin

This post was co-authored by Douglas Schmidt and William Scherlis. To maintain a strategic advantage over its adversaries, the Department of Defense (DoD) must field new technologies rapidly. "It is not about speed of discovery, it is about speed of delivery to the field," Michael D. Griffin, undersecretary of defense for research and engineering, told a Senate Armed Services subcommittee in April 2018. The architecture of Department of Defenses (DoD) acquisition organizations is based on...

Read More
A 5-Step Process for Release Planning

A 5-Step Process for Release Planning

• SEI Blog
Robert Ferguson

Software products are often used for two decades or more. Several researchers have shown the cost of maintenance and sustainment ranges between 40- and 80 percent of the total lifecycle cost with a median estimate near 70 percent. Sometimes executives have asked, Why does software sustainment cost so much? This blog turns the question around to ask, Can we get better value from our continuing software investment? Of course, the answer is affirmative. We can...

Read More
Six Free Tools for Creating a Cyber Simulator

Six Free Tools for Creating a Cyber Simulator

• SEI Blog
Joseph Mayes

It can be hard for developers of cybersecurity training to create realistic simulations and training exercises when trainees are operating in closed (often classified) environments with no ability to connect to the Internet. To address this challenge, the CERT Workforce Development (CWD) Team recently released a suite of open-source and freely available tools for use in creating realistic Internet simulations for cybersecurity training and other purposes. The tools improve the realism, efficiency, and cost effectiveness...

Read More
Business Email Compromise: Operation Wire Wire and New Attack Vectors

Business Email Compromise: Operation Wire Wire and New Attack Vectors

• SEI Blog
Anne Connell

In June 2018, Federal authorities announced a significant coordinated effort to disrupt business email compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals. Operation Wire Wire, a coordinated law enforcement effort by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury, and the U.S. Postal Inspection Service, was conducted over a six-month period and resulted in 74 arrests in the United States...

Read More
How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

• SEI Blog
David Svoboda

The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT). High-end automobiles today have more than 100 million lines of code, and connectivity between cars and the outside world through, for example, infotainment systems and the Global Positioning System (GPS) expose a number of interfaces that can be attacked to communicate with an automobile in unintended and...

Read More
Securely Connecting Africa

Securely Connecting Africa

• SEI Blog
Vijay Sarvepalli

While the Internet has enabled modernization in parts of the developing world, it has also introduced new cybersecurity challenges. Many developing countries are unprepared for large-scale cyber attacks and ongoing threats posed by hackers. A July 2017 New York Times article notes that developing countries have become an ideal testing ground for hackers. These attacks caught the attention of the Cote d'Ivoire (Ivory Coast) computer security incident response (CSIRT) team, who reached out to the...

Read More
Enabling Shift-Left Testing from Small Teams to Large Systems

Enabling Shift-Left Testing from Small Teams to Large Systems

• SEI Blog
Nanette Brown

Shift left is a familiar exhortation to teams and organizations engaged in Agile and Lean software development. It most commonly refers to incorporating test practices and an overall test sensibility early in the software development process (although it may also be applied in a DevOps context to the need to pull forward operations practices). Shift left sounds reasonably straightforward: just take the tasks that are on the right-hand side of your timeline and pull them...

Read More
Towards a New Model of Acquisition: Product-Line Architectures for the DoD - Second in a Series

Towards a New Model of Acquisition: Product-Line Architectures for the DoD - Second in a Series

• SEI Blog
Nickolas Guertin

This post was co-authored by Douglas Schmidt and William Scherlis. It is widely recognized that the Department of Defense (DoD) needs to have a nimble response to nimble adversaries. However, the inflexibility of many DoD development and acquisition practices begets inflexible architectures that often slow progress and increase risk to operational forces. This rejection of modern development methods actually increases program risk and extends development timelines, effectively reducing the value of the DoD's acquisition portfolio....

Read More
Operation Cloud Hopper Case Study

Operation Cloud Hopper Case Study

• SEI Blog
Nathaniel Richmond

In December, a grand jury indicted members of the APT10 group for a tactical campaign known as Operation Cloud Hopper, a global series of sustained attacks against managed service providers and, subsequently, their clients. These attacks aimed to gain access to sensitive intellectual and customer data. US-CERT noted that a defining characteristic of Operation Cloud Hopper was that upon gaining access to a cloud service provider (CSP) the attackers used the cloud infrastructure to hop...

Read More
The Modern Software Factory and Independent V&V for Machine Learning: Two Key Recommendations for Improving Software in Defense Systems

The Modern Software Factory and Independent V&V for Machine Learning: Two Key Recommendations for Improving Software in Defense Systems

• SEI Blog
Paul Nielsen

Software-enabled capabilities are essential for our nation's defense systems. I recently served on a Defense Science Board (DSB) Task Force whose purpose was to determine whether iterative development practices such as Agile are applicable to the development and sustainment of software for the Department of Defense (DoD). The resulting report, Design and Acquisition of Software for Defense Systems, made seven recommendations on how to improve software acquisition in defense systems: A key evaluation criterion in...

Read More
An Appraisal of the Systems Engineering Journal's Treatment of Software Over the Last Two Decades

An Appraisal of the Systems Engineering Journal's Treatment of Software Over the Last Two Decades

• SEI Blog
Sarah Sheard

Systems engineers working today face many challenges, both in building the complex systems of systems of the future and in building the complex systems of which they are composed. Systems engineers need to be able to design around stable requirements when there are long-lead manufactured items required, and they also need to evolve the design along with changing requirements for larger systems. Software plays an integral role in helping systems engineers accomplish these goals. The...

Read More
Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

• SEI Blog
David Svoboda

The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity. Printers in secure facilities have been used to exfiltrate data from the systems to which they were connected, and even a thermometer in a casino's fish tank was used to gain access to the casino's infrastructure and extract data about customers, gamblers, etc. In this blog...

Read More
Evaluating Threat-Modeling Methods for Cyber-Physical Systems

Evaluating Threat-Modeling Methods for Cyber-Physical Systems

• SEI Blog
Nataliya Shevchenko

Addressing cybersecurity for а complex system, especially for а cyber-physical system of systems (CPSoS), requires a strategic approach during the entire lifecycle of the system. Examples of CPSoS include rail transport systems, power plants, and integrated air-defense capability. All these systems consist of large physical, cyber-physical, and cyber-only subsystems with complex dynamics. In the first blog post in this series, I summarized 12 available threat-modeling methods (TMMs). In this post, I will identify criteria for...

Read More
Deep Learning and Satellite Imagery: DIUx Xview Challenge

Deep Learning and Satellite Imagery: DIUx Xview Challenge

• SEI Blog
Ritwik Gupta

In 2017 and 2018, the United States witnessed a milestone year of climate and weather-related disasters from droughts and wildfires to cyclones and hurricanes. Increasingly, satellites are playing an important role in helping emergency responders assess the damage of a weather event and find victims in its aftermath. Most recently satellites have tracked the devastation wrought by the California wildfires from space. The United States military, which is often the first on the scene of...

Read More
Improving Assessments for Cybersecurity Training

Improving Assessments for Cybersecurity Training

• SEI Blog
April Galyardt

The CERT Cyber Workforce Development Directorate conducts training in cyber operations for the DoD and other government customers as part of its commitment to strengthen the nation's cybersecurity workforce. A part of this work is to develop capabilities that better enable DoD cyber forces to "to train as you fight" such as setting up high-fidelity simulation environments for cyber forces to practice skills including network defense, incident response, digital forensics, etc. However, cybersecurity is a...

Read More
Governance of a Software Product Line: Complexities and Goals

Governance of a Software Product Line: Complexities and Goals

• SEI Blog
Robert Ferguson

My prior blog post on product lines in DoD sustainment described the complexity of contractual relationships in a DoD software product line. Recall that a software product line is a collection of related products with shared software artifacts and engineering services that has been developed by a single organization in support of multiple programs serving multiple missions and different customers. A product line can reduce cost of development and support. In exchange, it can be...

Read More
Deep Learning, Agile-DevOps, and Cloud Security: The Top 10 Blog Posts of 2018

Deep Learning, Agile-DevOps, and Cloud Security: The Top 10 Blog Posts of 2018

• SEI Blog
Douglas C. Schmidt

Every January on the SEI Blog, we present the 10 most-visited posts of the previous year. This year's top 10, which features posts published between January 1, 2018, and December 31, 2018, brought an ever-increasing number of visitors to the blog. 10. Why You Should Apply Agile-DevOps Earlier in the Lifecycle9. Best Practices and Considerations in Egress Filtering8. Deep Learning: Going Deeper toward Meaningful Patterns in Complex Data7. Why Does Software Cost So Much?6. Revealing...

Read More