search menu icon-carat-right cmu-wordmark

Archive: 2020

Shifting from Software Sustainment to Software Engineering in the DoD

Shifting from Software Sustainment to Software Engineering in the DoD

• SEI Blog
Thomas Evans

Mike Gagliardi, Joe Kostial, Nicholas Reimer, and Douglas C. Schmidt coauthored this blog post. In our work with government acquisition programs, we have observed a trend: organic software sustainment organizations are expanding beyond their traditional purview of software maintenance into software engineering and development. As a result, these organizations now also focus on designing and implementing new software architectures and code, rather than just repairing and maintaining legacy software. Software sustainment and maintenance organizations have...

Read More
Show Me Agility: Agile Strategy Execution

Show Me Agility: Agile Strategy Execution

• SEI Blog
Linda Parker Gates

The rapid pace of change in software development, in business, and in the world has many organizations struggling to execute daily operations, wrangle big projects, and feel confident that there is a long-term strategy at play. Wrestling with daily trials and being unable to see beyond immediate tasks can feel like working in the weeds. An agile strategy and execution environment, however, can enable us to win tactical battles while maintaining a focus on broader...

Read More
Cat and Mouse in the Age of .NET

Cat and Mouse in the Age of .NET

• SEI Blog
Brandon Marzik

Penetration testers have long exploited the PowerShell scripting language to gain a foothold in systems and execute an attack. PowerShell is installed on every Windows machine, has direct access to the Windows application programming interface (API), and is rarely disabled. Over the years, red teams have created extensive tool suites to leverage the language for offensive tradecraft. Blue teams have kept pace by developing defenses to stop these tools. Eventually, changes in the PowerShell landscape...

Read More
What Is Digital Engineering and How Is It Related to DevSecOps?

What Is Digital Engineering and How Is It Related to DevSecOps?

• SEI Blog
David Shepard

Julia Scherb coauthored this blog post. The Department of Defense's desire for faster delivery of new capabilities is transforming defense acquisitions. The emerging processes of digital thread and digital engineering aim to address the difficulties of managing complex and evolving technologies over their lifecycles. In the same way that DevSecOps has transformed the processes of software development, testing, and acquisition for the DoD, digital engineering has the potential to transform the way hardware-intensive systems are...

Read More
Mission-Based Prioritization: A New Method to Sequence Features, Capabilities, and Epics

Mission-Based Prioritization: A New Method to Sequence Features, Capabilities, and Epics

• SEI Blog
Keith Korzec

Prioritization identifies the sequence in which requirements should be addressed and allows end users and stakeholders to evaluate and provide feedback on the most valuable features of the evolving system. In Agile software development, requirements and desires are expressed as items in the product backlog. All development-related activities are drawn from the backlog. For small Agile products, there will typically be a single backlog. For large-scale Agile development efforts using the Scaled Agile Framework (SAFe),...

Read More
3 Ransomware Defense Strategies

3 Ransomware Defense Strategies

• SEI Blog
Marisa Midler

Ransomware is evolving. Not only are there more attackers due to ransomware as a service (RaaS) threats, but ransomware attack strategies are changing with data exfiltration extortions, which I will explain in more detail later in this blog post. Backing up your data is the first action to take against ransomware. After you have established data backups, the next priority is defending against the top three ransomware attack vectors: Remote Desktop Protocol (RDP), email phishing,...

Read More
A Public Repository of Data for Static-Analysis Classification Research

A Public Repository of Data for Static-Analysis Classification Research

• SEI Blog
Lori Flynn

Static analysis (SA) tools are a widely used and routine part of testing by DoD and commercial organizations. Validating and repairing defects discovered by SA tools can require more human effort from auditors and coders than organizations have available. Since 2016, researchers in the SEI CERT Division have been developing a method to automatically classify and prioritize alerts (warnings) and meta-alerts (alerts about code flaws or conditions) to help auditors and coders address large volumes...

Read More
How to Protect Your High Value Assets

How to Protect Your High Value Assets

• SEI Blog
Brian Benestelli

This post was co-authored by Emily Shawgo. Every organization has mission-critical information and technology assets that require enhanced security. Private organizations may identify these assets informally or rely on community knowledge to decide how to prioritize security resources. Federal government departments and agencies, however, have official guidelines for identifying and securing their high value assets. These guidelines can provide lessons for all organizations protecting their most critical assets. This blog post will outline the background...

Read More
Network Segmentation: Concepts and Practices

Network Segmentation: Concepts and Practices

• SEI Blog
Dan Kambic

This post was co-authored by Jason Fricke. Imagine a home with only a single large space containing all of your important things, arranged for your convenience. Now imagine someone breaking into it. How safe are your important things? Many organizations implement their networks the same way. By seeking easy and uncomplicated network management--or simply because they don't know better--many organizations can end up with hundreds or thousands of systems connected in a single, massive network....

Read More
Three Places to Start in Defending Against Ransomware

Three Places to Start in Defending Against Ransomware

• SEI Blog
Tim Shimeall

Ransomware is an active and growing threat, affecting many government agencies and private companies. Costs of a ransomware attack (including loss of capability, restoration of data, preventing further attacks, and cleaning up the damage due to the ransomware) frequently run from hundreds of thousands to millions of dollars, over and above any payment of ransom, which is not recommended and may open the organization up to sanctions. Organizations wanting to avoid this damage face a...

Read More
Ransomware as a Service (RaaS) Threats

Ransomware as a Service (RaaS) Threats

• SEI Blog
Marisa Midler

Ransomware continues to be a severe threat to organizations, and the threat is growing. Ransomware attacks are on the rise and a report from the Beazley Group shows ransomware attacks have increased by 25 percent from Q4 2019 to Q1 2020. The monetary value of the average ransom payment has also significantly increased. From Q3 2019 to Q4 2019 the average ransom payment increased from $41,198 to $84,116, a 104 percent increase according to a...

Read More
8 Steps for Migrating Existing Applications to Microservices

8 Steps for Migrating Existing Applications to Microservices

• SEI Blog
Brent Frye

A 2018 survey found that 63 percent of enterprises were adopting microservice architectures. This widespread adoption is driven by the promise of improvements in resilience, scalability, time to market, and maintenance, among other reasons. In this blog post, I describe a plan for how organizations that wish to migrate existing applications to microservices can do so safely and effectively....

Read More
Balancing Cyber Confidence and Privacy Concerns

Balancing Cyber Confidence and Privacy Concerns

• SEI Blog
William Reed

This post was co-written by Dustin Updyke. An important part of an organization's cybersecurity posture includes the monitoring of network traffic for proactive cyber defense. While enterprise network operators are focusing on how best to secure their networks, users are simultaneously demanding more privacy. The trend toward implementing network protocols designed to improve personal privacy is now making it harder for organizations to protect enterprise networks. This blog post briefly describes these protocols and the...

Read More
Managing Static Analysis Alerts with Efficient Instantiation of the SCAIFE API into Code and an Automatically Classifying System

Managing Static Analysis Alerts with Efficient Instantiation of the SCAIFE API into Code and an Automatically Classifying System

• SEI Blog
Lori Flynn

Static analysis tools analyze code without executing it to identify potential flaws in source code. Since alerts may be false positives, engineers must painstakingly examine them to adjudicate if they are legitimate flaws. Automation is needed to reduce the significant manual effort that would be required to adjudicate all (or significantly more of) the alerts. Many tools produce a large number of alerts with high false-positive rates. Other tools produce alerts for only a limited...

Read More
The Latest Work from the SEI: Microservices, Ransomware, and Agile in Government

The Latest Work from the SEI: Microservices, Ransomware, and Agile in Government

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in cybersecurity, the future of cybersecurity education, microservices, ransomware, Cybersecurity Maturity Model Certification (CMMC), and Agile in government. We have also included a webcast of a recent discussion on Department of Defense (DoD) software advances and future SEI work. These publications highlight the latest...

Read More
Is Your Organization Using Cybersecurity Analysis Effectively?

Is Your Organization Using Cybersecurity Analysis Effectively?

• SEI Blog
Angela Horneman

Cybersecurity analysis techniques and practices are key components of maintaining situational awareness (SA) for cybersecurity. In this blog post in our series on cyber SA in the enterprise, I define the term analysis, describe what constitutes a security problem that analysts seek to identify, and survey analysis methods. Organizations and analysts can ensure that they are covering the full range of analytical methods by reviewing the matrix of six methods that I present below (see...

Read More
Follow the CUI: 4 Steps to Starting Your CMMC Assessment

Follow the CUI: 4 Steps to Starting Your CMMC Assessment

• SEI Blog
Matthew Trevors

One of the primary drivers of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is the congressional mandate to reduce the risk of accidental disclosure of controlled unclassified information (CUI). However, a full CMMC assessment can seem daunting to organizations in the Defense Industrial Base (DIB), and many might not know where to start. This blog post gives DIB organizations four steps for identifying their CUI exposure in terms of their critical services...

Read More
Managing the Risks of Adopting AI Engineering

Managing the Risks of Adopting AI Engineering

• SEI Blog
Brett Tucker

Adopting artificial intelligence (AI) technology in an organization introduces significant change. The organization will likely incur risk, a fact that has been recognized by both public-sector organizations, such as the United States Department of Defense (DoD), and private-sector organizations, such as McKinsey. Fortunately, risk can be controlled to limit the consequences to the organization. In this blog post, a summary of the SEI white paper, A Risk Management Perspective for AI Engineering, I focus on...

Read More
Migrating Applications to Kubernetes

Migrating Applications to Kubernetes

• SEI Blog
Richard Laughlin

Kubernetes is a popular, cloud-native container orchestration system. Adoption of Kubernetes in production environments has rapidly increased over the last several years. As Kubernetes adoption increases, there is often pressure to migrate applications that are currently deployed via other means onto Kubernetes. Performing an effective migration of these applications to Kubernetes may help organizations adopt DevOps practices, and it will allow organizations to unify their operations onto a single set of cloud tooling and expertise....

Read More
Verifying Timing in Undocumented Multicore Processors

Verifying Timing in Undocumented Multicore Processors

• SEI Blog
Bjorn Andersson

Many Department of Defense (DoD) systems rely on multicore processors--computers with many processor cores running programs simultaneously. These processors share resources and perform complex operations that depend on accurate timing and sequencing. Timing is crucial to ensure proper and safe operation of the overall system. Verifying multicore-processor timing can be hard, however, due to lack of documentation for key details, such as processor resource sharing. The inability to verify timing is an obstacle for using...

Read More
3 Metrics to Incentivize the Right Behavior in Agile Development

3 Metrics to Incentivize the Right Behavior in Agile Development

• SEI Blog
Pat Place

Will Hayes co-authored this blog post. The use of incentives to elicit certain behaviors in agile software development can often result in unintended consequences. One trap that we have seen project managers fall into is introducing metrics simply because they are familiar. As we stated in our first post in this series, there are many examples where an incentive to solve a problem creates an unintended, undesirable behavior. Software project managers must instead consider the...

Read More
Don't Incentivize the Wrong Behaviors in Agile Development

Don't Incentivize the Wrong Behaviors in Agile Development

• SEI Blog
Pat Place

Will Hayes coauthored this blog post. All too often, organizations collect certain metrics just because those are the metrics that they've always collected. Ordinarily, if an organization finds the metrics useful, there is no issue. Indeed, the SEI has long advocated the use of metrics to support the business goals of the organization. However, consider an organization that has changed from waterfall to Agile development; all metrics related to development must be reconsidered to determine...

Read More
Situational Awareness for Cybersecurity Architecture: 5 Recommendations

Situational Awareness for Cybersecurity Architecture: 5 Recommendations

• SEI Blog
Phil Groce

In this post on situational awareness for cybersecurity, we present five recommendations for the practice of architecture in the service of cybersecurity situational awareness (SA). Cybersecurity architecture is fundamentally an economic exercise. Economics is the practice of allocating finite resources to meet requirements. The goal of a cybersecurity SA architecture is to deploy your finite resources, such as equipment, staffing, and time, to enforce your organization's cybersecurity policies and controls. The endpoints on your network...

Read More
Addressing Open Architecture in Software Cost Estimation

Addressing Open Architecture in Software Cost Estimation

• SEI Blog
Michael Gagliardi

Michael Konrad and Douglas C. Schmidt contributed to this blog post. Identifying, estimating, and containing the cost of software is critical to the effective deployment of government systems. Cost estimation has been cited by the Government Accountability Office (GAO) as one of the primary reasons for DoD programs' cost overruns. Planners typically estimate costs via modeling and simulation tools, such as the Constructive Cost Model (COCOMO II). While COCOMO II is primarily used to estimate...

Read More
Detecting Mismatches in Machine-Learning Systems

Detecting Mismatches in Machine-Learning Systems

• SEI Blog
Grace Lewis

The use of machine learning (ML) could improve many business functions and meet many needs for organizations. For example, ML capabilities can be used to suggest products to users based on purchase history; provide image recognition for video surveillance; identify spam email messages; and predict courses of action, routes, or diseases, among others. However, in most organizations today (with the exception of large high-tech companies, such as Google and Microsoft), development of ML capabilities is...

Read More
Beyond NIST SP 800-171: 20 Additional Practices in CMMC

Beyond NIST SP 800-171: 20 Additional Practices in CMMC

• SEI Blog
Andrew Hoover

Katie Stewart co-authored this blog post. In November, defense contractors will be required to meet new security practices outlined in the Cybersecurity Maturity Model Certification (CMMC). As this post details, while the primary source of security practices in the CMMC is NIST Special Publication 800-171, the CMMC also includes 20 additional practices beyond 800-171 at levels 1-3. These 20 practices are intended to make DoD contractors more security conscious. Supply chain attacks are increasing at...

Read More
KalKi: Solution for High Assurance Software-Defined IoT Security

KalKi: Solution for High Assurance Software-Defined IoT Security

• SEI Blog
Sebastian Echeverria

Commercial Internet of things (IoT) devices are evolving rapidly, providing new and potentially useful capabilities. These devices can be a valuable source of data for improved decision making, so organizations that want to remain competitive have powerful motivations to embrace them. However, given the increasing number of IoT vulnerability reports, there is a pressing need for organizations to integrate IoT devices with high assurance, especially for systems with high security and safety requirements. In this...

Read More
COVID-19 and Supply-Chain Risk

COVID-19 and Supply-Chain Risk

• SEI Blog
Nathaniel Richmond

Managing supply-chain risks from the new coronavirus outbreak is personally important to me. While my first concern--like everyone else's--is mitigating the direct public-health risk of the COVID-19 pandemic, I have a salient concern about the health-related risks that could be introduced if the global manufacturing supply chain for medical devices is disrupted: I'm a Type I diabetic who relies on a continuous glucose monitor (CGM) device to monitor my blood sugar and an insulin pump...

Read More
Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity's Role in Cybersecurity

Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity's Role in Cybersecurity

• SEI Blog
Andrew Hoover

Katie Stewart co-authored this blog post. Process maturity represents an organization's ability to institutionalize their practices. Measuring process maturity determines how well practices are ingrained in the way work is defined, executed, and managed. Process maturity represents an organization's commitment to and consistency in performing these practices. A higher degree of process institutionalization contributes to more stable practices that are able to be retained during times of stress. In the case of cybersecurity, having mature...

Read More
The Latest Work from the SEI: DevSecOps, Artificial Intelligence, and Cybersecurity Maturity Model Certification

The Latest Work from the SEI: DevSecOps, Artificial Intelligence, and Cybersecurity Maturity Model Certification

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in DevSecOps, cybercrime and secure elections, software architecture, trustworthy artificial intelligence, and Cybersecurity Maturity Model Certification (CMMC). We have also included a webcast of a recent discussion on Department of Defense (DoD) software advances and future SEI work. These publications highlight the latest work...

Read More
Three Risks in Building Machine Learning Systems

Three Risks in Building Machine Learning Systems

• SEI Blog
Benjamin Cohen

Machine learning (ML) systems promise disruptive capabilities in multiple industries. Building ML systems can be complicated and challenging, however, especially since best practices in the nascent field of AI engineering are still coalescing. Consequently, a surprising fraction of ML projects fail or underwhelm. Behind the hype, there are three essential risks to analyze when building an ML system: 1) poor problem solution alignment, 2) excessive time or monetary cost, and 3) unexpected behavior once deployed....

Read More
Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response

Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response

• SEI Blog
Tim Shimeall

Visibility into the activities within assets enables network security analysts to detect network compromises. Analysts monitor these activities directly on the device by means of endpoint visibility and in the communications going to and from the device on the network. In our earlier blog posts on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility and network visibility. However, endpoint and network visibility will do little good if analysts don't have tools to...

Read More
Stop Wasting Time: Manage Time as the Limiting Resource

Stop Wasting Time: Manage Time as the Limiting Resource

• SEI Blog
Bill Nichols

Lost time is never found. - Ben Franklin Driven by a competitive marketplace, software developers and programmers are often pressured to adhere to unrealistically aggressive schedules across multiple projects. This pressure encourages management to spread the staff across all the critical work, trying to make progress everywhere at once. This trend helped to spawn the myth of the "x10 programmers"--programmers who are so much more productive than others that they will exert an outsized influence...

Read More
System Resilience Part 7: 16 Guiding Principles for System Resilience

System Resilience Part 7: 16 Guiding Principles for System Resilience

• SEI Blog
Donald Firesmith

Adverse events and conditions can disrupt a system, causing it to fail to provide essential capabilities and services. As I outlined in previous posts in this series, resilience is an essential quality attribute of most systems because they provide critical capabilities and services that must continue despite the inevitable adversities. These adversities are often unavoidable and come in many forms. Typical examples include coding defects (robustness), hazards and accidents (safety), vulnerabilities and attacks (cybersecurity and...

Read More
System Resilience Part 6: Verification and Validation

System Resilience Part 6: Verification and Validation

• SEI Blog
Donald Firesmith

Adverse events and conditions can disrupt a system, causing it to fail to provide essential capabilities and services. As I outlined in previous posts in this series, resilience is an essential quality attribute of most systems because they provide critical capabilities and services that must continue despite the inevitable adversities. In the first post in this series, I defined system resilience as the degree to which a system rapidly and effectively protects its critical capabilities...

Read More
Automatically Detecting Technical Debt Discussions with Machine Learning

Automatically Detecting Technical Debt Discussions with Machine Learning

• SEI Blog
Robert Nord

Technical debt (TD) refers to choices made during software development that achieve short-term goals at the expense of long-term quality. Since developers use issue trackers to coordinate task priorities, issue trackers are a natural focal point for discussing TD. In addition, software developers use preset issue types, such as feature, bug, and vulnerability, to differentiate the nature of the task at hand. We have recently started seeing developers explicitly use the phrase "technical debt" or...

Read More
7 Quick Steps to Using Containers Securely

7 Quick Steps to Using Containers Securely

• SEI Blog
Thomas Scanlon

Richard Laughlin co-authored this blog post. The use of containers in software development and deployment continues to trend upwards. There is good reason for this climb in usage as containers offer many benefits, such as being lightweight, modular, portable, and scalable, all while enabling rapid and flexible deployments with application isolation. However, as use of this technology increases, so does the likelihood that adversaries will target it as a means to compromise systems. Such concerns...

Read More
An Introduction to the Cybersecurity Maturity Model Certification (CMMC)

An Introduction to the Cybersecurity Maturity Model Certification (CMMC)

• SEI Blog
Katie C. Stewart

Andrew Hoover co-authored this blog post. A recent study predicted that business losses due to cybercrime will exceed $5 trillion by 2024. The threat to the defense industrial base (DIB)--the network of more than 300,000 businesses, organizations, and universities that research, engineer, develop, acquire, design, produce, deliver, sustain, and operate military weapons systems--is especially alarming due to current cyber warfare activities by cybercriminals and state-sponsored actors. A cyber attack within the DIB supply chain could...

Read More
Situational Awareness for Cybersecurity Architecture: Network Visibility

Situational Awareness for Cybersecurity Architecture: Network Visibility

• SEI Blog
Timur Snoke

Network compromises cannot be detected without visibility into the activities within assets. Network security analysts can view these activities in one of two places (or sometimes both): directly on the device by means of endpoint visibility and in the communications going to and from the device; in other words, on the network. In our earlier blog post on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility. In this post, we turn our...

Read More
Using Machine Learning to Detect Design Patterns

Using Machine Learning to Detect Design Patterns

• SEI Blog
Robert Nord

This post was co-written by Zachary Kurtz. Software increasingly serves core DoD functions, such as ship and plane navigation, supply logistics, and real-time situational awareness. The complexity of software, however, makes it hard to evaluate software quality. The ability to evaluate software is critical both for software developers and for DoD program managers who are responsible for software acquisitions. The quality of software can make or break a program budget. Quality attributes such as reliability,...

Read More
Five Reasons the Cybersecurity Field Needs Trusted Data Sets and Meaningful Metrics

Five Reasons the Cybersecurity Field Needs Trusted Data Sets and Meaningful Metrics

• SEI Blog
Bobbie Stempfley

Matthew Butkovic co-authored this blog post. Cybersecurity is a domain rich with data, but regrettably often only poor insights can be drawn from this richness. CISOs ask questions about how best to allocate resources to address threats, practitioners ask questions about how to measure the effectiveness of one solution over another, senior organizational leaders strive to identify and quantify organizational risks, and public officials work to inform organizational or national policy. Answers often involve anecdotes,...

Read More
Designing Trustworthy AI for Human-Machine Teaming

Designing Trustworthy AI for Human-Machine Teaming

• SEI Blog
Carol Smith

Artificially intelligent (AI) systems hold great promise to empower us with knowledge and enhance human effectiveness. As Department of Defense (DoD) warfighters partner with AI systems more frequently, we will identify more opportunities to clarify the limits of AI and to set realistic expectations for these types of systems. As a senior research scientist in human-machine interaction at the SEI's Emerging Technology Center, I am working to further understanding of how humans and machines can...

Read More
Summarizing and Searching Video with Machine Learning

Summarizing and Searching Video with Machine Learning

• SEI Blog
Edwin Morris

The U.S. relies on surveillance video to determine when activities of interest occur in a location that is under surveillance. Yet, because automated tools are not available to help analysts monitor real-time video or analyze archived video, analysts must dedicate full attention to video data streams to avoid missing important information about ongoing activities and patterns of life. In tactical settings, warfighters miss critical information that would improve situational awareness because dedicating full attention to...

Read More
Automated Code Repair to Ensure Memory Safety

Automated Code Repair to Ensure Memory Safety

• SEI Blog
Will Klieber

Memory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS, reportedly exploited by the Chinese government, allowed attackers to take control of a phone when the user visited a malicious website. A similar vulnerability discovered in the Android Stagefright library allowed an attacker to gain control simply by sending a Multimedia Messaging Service (MMS) message to a vulnerable phone. For each...

Read More
System Resilience Part 5: Commonly-Used System Resilience Techniques

System Resilience Part 5: Commonly-Used System Resilience Techniques

• SEI Blog
Donald Firesmith

If adverse events or conditions cause a system to fail to operate appropriately, they can cause all manner of harm to valuable assets. As I outlined in previous posts in this series, system resilience is important because no one wants a brittle system that cannot overcome the inevitable adversities. In the first post in this series, I addressed these questions by providing the following, more detailed, and nuanced definition of system resilience: A system is...

Read More
Engineering for Cyber Situational Awareness: Endpoint Visibility

Engineering for Cyber Situational Awareness: Endpoint Visibility

• SEI Blog
Phil Groce

This post was co-written by Timur Snoke. In this post, we aim to help network security analysts understand the components of a cybersecurity architecture, starting with how we can use endpoint information to enhance our cyber situational awareness. Endpoints collect a wealth of information valuable for situational awareness, but too often this information goes underutilized....

Read More
System Resilience Part 4: Classifying System Resilience Techniques

System Resilience Part 4: Classifying System Resilience Techniques

• SEI Blog
Donald Firesmith

A system resilience technique is any architectural, design, or implementation technique that increases a system's resilience. These techniques (e.g., mitigations, such as redundancy, safeguards, and cybersecurity countermeasures) either passively resist adversities, actively detect adversities, react to them, or recover from the harm they cause. System resilience techniques are the means by which a system implements its resilience requirements. Resilience techniques can also be viewed as architecture, design, or implementation patterns or idioms. This post begins...

Read More
Programmer Moneyball: Challenging the Myth of Individual Programmer Productivity

Programmer Moneyball: Challenging the Myth of Individual Programmer Productivity

• SEI Blog
Bill Nichols

A pervasive belief in the field of software engineering is that some programmers are much, much better than others (the times-10, or x10, programmer), and that the skills, abilities, and talents of these programmers exert an outsized influence on that organization's success or failure. This topic is the subject of my recent column in IEEE Software, The End to the Myth of Individual Programmer Productivity....

Read More
The Latest Work from the SEI: Penetration Testing, Artificial Intelligence, and Incident Management

The Latest Work from the SEI: Penetration Testing, Artificial Intelligence, and Incident Management

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in penetration testing, designing trustworthy AI, fielding AI-enabled systems in the public sector, incident management, machine learning in cybersecurity, and cyber hygiene. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and...

Read More
System Resilience Part 3: Engineering System Resilience Requirements

System Resilience Part 3: Engineering System Resilience Requirements

• SEI Blog
Donald Firesmith

At its most basic level, system resilience is the degree to which a system continues to perform its mission in the face of adversity. While critical to operational continuity, the system's services (capabilities) are only some of the assets the system must protect to continue to perform its mission. The system must detect adversities, react to them, and recover from the harm to critical assets that they cause. System resilience at a deeper level is...

Read More
The Top 10 Blog Posts of 2019

The Top 10 Blog Posts of 2019

• SEI Blog
Douglas C. Schmidt

Every January on the SEI Blog, we present the 10 most-visited posts of the previous year. This year's list of top 10 is presented in reverse order and features posts published between January 1, 2019, and December 31, 2019. -->10. Evaluating Threat-Modeling Methods for Cyber-Physical Systems9. Managing the Consequences of Technical Debt: 5 Stories from the Field8. The Vectors of Code: On Machine Learning for Software 7. Business Email Compromise: Operation Wire Wire and New...

Read More