The Latest Research from the SEI in DevSecOps, Threat Modeling, and Insider Threat
As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in DevSecOps, insider threat, cyber risk and resilience, software assurance, infrastructure as code, software architecture, and threat modeling. These publications highlight the latest work of SEI technologists in these areas. This blog post also presents the latest episode in our podcast series highlighting the work of women in software and cybersecurity. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.
DevSecOps Implementation in the DoD: Barriers and Enablers
By Hasan Yasar, Eileen Wrubel, Jeff Boleng
In this webcast, panelists discuss potential enablers of and barriers to using modern software development techniques and processes in the DoD or similar segregated environments. These software development techniques and processes are as commonly known as DevSecOps.
View the webinar.
This sixth edition of the Common Sense Guide to Mitigating Insider Threats provides the current recommendations of the CERT Division (part of Carnegie Mellon University's Software Engineering Institute), based on an expanded corpus of more than 1,500 insider threat cases and continued research and analysis. It introduces the topic of insider threats, describes its intended audience, outlines changes for this edition, defines insider threats, and outlines current trends. The guide then describes 21 practices that organizations should implement to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes challenges to implementation, quick wins, and high-impact solutions for small and large organizations. This edition also focuses on six groups within an organization--Human Resources, Legal Counsel, Physical Security, Data Owners, Information Technology, and Software Engineering--and maps relevant groups to each practice. The appendices provide a list of information security best practices, a mapping of the guide's practices to established security standards, a breakdown of the practices by organizational group, and checklists of activities for each practice.
Read the report.
This technical note describes how an organization can leverage the results of a Cyber Resilience Review to create a Targeted Improvement Plan for its service continuity management (SCM). An organization can use the Cyber Resilience Review (CRR) results and prioritize SCM-specific and supporting practices using a SCM improvement profile to develop a long-term plan. The suggested Targeted Improvement Plan (TIP) approach engages the organization's business continuity professionals, information technology operations management staff, and security management team (physical and cyber) to create a resilient organization. (In some organizations, it will be appropriate to engage the operational technology team as well.) The technical note includes an SCM improvement template that prioritizes all the CRR practices; it places a higher priority on those practices that enable service continuity. It describes how an organization can integrate the results of a recent CRR to create a prioritized list of practices the organization should consider implementing. This list informs decisions that take into account the organization's unique risk environment to develop a plan. This approach to developing and implementing an SCM program supports organization-specific, mission-focused objectives to protect and sustain a critical, cyber-dependent service during times of stress.
Read the report.
The Software Assurance Framework (SAF) is a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program's current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed software-reliant systems.
This report proposes measurements for each SAF practice that a program can select to monitor and manage the progress it's making toward software assurance. Metrics are needed to determine how effectively a practice is performed and how well software assurance is addressed. This report presents an approach for determining which SAF practices should be measured and how. It provides acquirers, program managers, and contractors with an approach for using metrics to establish confidence that the systems they plan to field will have sufficient software assurance.
Read the report.
This project explored the feasibility of infrastructure as code (IaC), developed prototype tools, populated a model of the deployment architecture, and automatically generated IaC scripts from the model.
This report concludes work on a research project to explore the feasibility of infrastructure as code, summarizing the problem addressed by the research, the research solution approach, and results. Infrastructure as code is a set of practices that use code to set up virtual machines and networks, install packages, and configure environments. Successful IaC adoption by software sustainers requires a broad set of skills and knowledge. This project addresses the problem of accelerating IaC adoption among software sustainment organizations. Our goal was to answer this question:
What are the challenges and limitations to automatically generate the IaC scripts needed to instantiate a deployment that is identical to an original system deployment, including measures of the amount of manual intervention needed to perform the tasks, and the amount and type of specialized knowledge needed about the system and IaC technology?
Our approach included developing prototype tools to inventory the system computing nodes, applying heuristic rules to make sense of the inventory, populating a model of the deployment architecture, and automatically generating IaC scripts from that model.
Read the report.
In this report, the authors explore the link between the SERA Method and threat modeling, which has become a popular engineering practice across industry and government organizations in the past decade. A threat modeling method defines an approach for identifying countermeasures that can be engineered into a software system. In this report, Alberts and Woody specifically examine how the system-focused cybersecurity data generated by a threat modeling method can be integrated into a mission assurance context using the SERA Method.
Read the report.
At the SEI, Eileen Wrubel, co-lead of the SEI's Agile/DevOps Transformation directorate, works to helps the federal government produce and acquire software for military capability and strategic advantage and, just as importantly, trust the software that they are using. In this SEI Podcast, which highlights the work of Women in Software and Cybersecurity, Wrubel discusses her career journey that led to this work.
Watch the podcast.
In 2017, the Software Engineering Institute (SEI) Webcast What Makes a Good Software Architect? explored the skills and knowledge needed by successful software architects. The architect's role continues to evolve; in this webcast we revisited the question in the context of today's role and responsibilities. We explored the challenges of working in an environment with rapidly evolving technology options, such as the serverless architecture style, and the role of the architect in Agile organizations using DevSecOps and Agile architecture practices to shorten iterations and deliver software faster.
Watch the webcast.