search menu icon-carat-right cmu-wordmark

Archive: 2020

Managing Static Analysis Alerts with Efficient Instantiation of the SCAIFE API into Code and an Automatically Classifying System

Managing Static Analysis Alerts with Efficient Instantiation of the SCAIFE API into Code and an Automatically Classifying System

• SEI Blog
Lori Flynn

Static analysis tools analyze code without executing it to identify potential flaws in source code. Since alerts may be false positives, engineers must painstakingly examine them to adjudicate if they are legitimate flaws. Automation is needed to reduce the significant manual effort that would be required to adjudicate all (or significantly more of) the alerts. Many tools produce a large number of alerts with high false-positive rates. Other tools produce alerts for only a limited...

Read More
The Latest Work from the SEI: Microservices, Ransomware, and Agile in Government

The Latest Work from the SEI: Microservices, Ransomware, and Agile in Government

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in cybersecurity, the future of cybersecurity education, microservices, ransomware, Cybersecurity Maturity Model Certification (CMMC), and Agile in government. We have also included a webcast of a recent discussion on Department of Defense (DoD) software advances and future SEI work. These publications highlight the latest...

Read More
Is Your Organization Using Cybersecurity Analysis Effectively?

Is Your Organization Using Cybersecurity Analysis Effectively?

• SEI Blog
Angela Horneman

Cybersecurity analysis techniques and practices are key components of maintaining situational awareness (SA) for cybersecurity. In this blog post in our series on cyber SA in the enterprise, I define the term analysis, describe what constitutes a security problem that analysts seek to identify, and survey analysis methods. Organizations and analysts can ensure that they are covering the full range of analytical methods by reviewing the matrix of six methods that I present below (see...

Read More
Follow the CUI: 4 Steps to Starting Your CMMC Assessment

Follow the CUI: 4 Steps to Starting Your CMMC Assessment

• SEI Blog
Matthew Trevors

One of the primary drivers of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is the congressional mandate to reduce the risk of accidental disclosure of controlled unclassified information (CUI). However, a full CMMC assessment can seem daunting to organizations in the Defense Industrial Base (DIB), and many might not know where to start. This blog post gives DIB organizations four steps for identifying their CUI exposure in terms of their critical services...

Read More
Managing the Risks of Adopting AI Engineering

Managing the Risks of Adopting AI Engineering

• SEI Blog
Brett Tucker

Adopting artificial intelligence (AI) technology in an organization introduces significant change. The organization will likely incur risk, a fact that has been recognized by both public-sector organizations, such as the United States Department of Defense (DoD), and private-sector organizations, such as McKinsey. Fortunately, risk can be controlled to limit the consequences to the organization. In this blog post, a summary of the SEI white paper, A Risk Management Perspective for AI Engineering, I focus on...

Read More
Migrating Applications to Kubernetes

Migrating Applications to Kubernetes

• SEI Blog
Richard Laughlin

Kubernetes is a popular, cloud-native container orchestration system. Adoption of Kubernetes in production environments has rapidly increased over the last several years. As Kubernetes adoption increases, there is often pressure to migrate applications that are currently deployed via other means onto Kubernetes. Performing an effective migration of these applications to Kubernetes may help organizations adopt DevOps practices, and it will allow organizations to unify their operations onto a single set of cloud tooling and expertise....

Read More
Verifying Timing in Undocumented Multicore Processors

Verifying Timing in Undocumented Multicore Processors

• SEI Blog
Bjorn Andersson

Many Department of Defense (DoD) systems rely on multicore processors--computers with many processor cores running programs simultaneously. These processors share resources and perform complex operations that depend on accurate timing and sequencing. Timing is crucial to ensure proper and safe operation of the overall system. Verifying multicore-processor timing can be hard, however, due to lack of documentation for key details, such as processor resource sharing. The inability to verify timing is an obstacle for using...

Read More
3 Metrics to Incentivize the Right Behavior in Agile Development

3 Metrics to Incentivize the Right Behavior in Agile Development

• SEI Blog
Pat Place

Will Hayes co-authored this blog post. The use of incentives to elicit certain behaviors in agile software development can often result in unintended consequences. One trap that we have seen project managers fall into is introducing metrics simply because they are familiar. As we stated in our first post in this series, there are many examples where an incentive to solve a problem creates an unintended, undesirable behavior. Software project managers must instead consider the...

Read More
Don't Incentivize the Wrong Behaviors in Agile Development

Don't Incentivize the Wrong Behaviors in Agile Development

• SEI Blog
Pat Place

Will Hayes coauthored this blog post. All too often, organizations collect certain metrics just because those are the metrics that they've always collected. Ordinarily, if an organization finds the metrics useful, there is no issue. Indeed, the SEI has long advocated the use of metrics to support the business goals of the organization. However, consider an organization that has changed from waterfall to Agile development; all metrics related to development must be reconsidered to determine...

Read More
Situational Awareness for Cybersecurity Architecture: 5 Recommendations

Situational Awareness for Cybersecurity Architecture: 5 Recommendations

• SEI Blog
Phil Groce

In this post on situational awareness for cybersecurity, we present five recommendations for the practice of architecture in the service of cybersecurity situational awareness (SA). Cybersecurity architecture is fundamentally an economic exercise. Economics is the practice of allocating finite resources to meet requirements. The goal of a cybersecurity SA architecture is to deploy your finite resources, such as equipment, staffing, and time, to enforce your organization's cybersecurity policies and controls. The endpoints on your network...

Read More
Addressing Open Architecture in Software Cost Estimation

Addressing Open Architecture in Software Cost Estimation

• SEI Blog
Michael Gagliardi

Michael Konrad and Douglas C. Schmidt contributed to this blog post. Identifying, estimating, and containing the cost of software is critical to the effective deployment of government systems. Cost estimation has been cited by the Government Accountability Office (GAO) as one of the primary reasons for DoD programs' cost overruns. Planners typically estimate costs via modeling and simulation tools, such as the Constructive Cost Model (COCOMO II). While COCOMO II is primarily used to estimate...

Read More
Detecting Mismatches in Machine-Learning Systems

Detecting Mismatches in Machine-Learning Systems

• SEI Blog
Grace Lewis

The use of machine learning (ML) could improve many business functions and meet many needs for organizations. For example, ML capabilities can be used to suggest products to users based on purchase history; provide image recognition for video surveillance; identify spam email messages; and predict courses of action, routes, or diseases, among others. However, in most organizations today (with the exception of large high-tech companies, such as Google and Microsoft), development of ML capabilities is...

Read More
Beyond NIST SP 800-171: 20 Additional Practices in CMMC

Beyond NIST SP 800-171: 20 Additional Practices in CMMC

• SEI Blog
Andrew Hoover

Katie Stewart co-authored this blog post. In November, defense contractors will be required to meet new security practices outlined in the Cybersecurity Maturity Model Certification (CMMC). As this post details, while the primary source of security practices in the CMMC is NIST Special Publication 800-171, the CMMC also includes 20 additional practices beyond 800-171 at levels 1-3. These 20 practices are intended to make DoD contractors more security conscious. Supply chain attacks are increasing at...

Read More
KalKi: Solution for High Assurance Software-Defined IoT Security

KalKi: Solution for High Assurance Software-Defined IoT Security

• SEI Blog
Sebastian Echeverria

Commercial Internet of things (IoT) devices are evolving rapidly, providing new and potentially useful capabilities. These devices can be a valuable source of data for improved decision making, so organizations that want to remain competitive have powerful motivations to embrace them. However, given the increasing number of IoT vulnerability reports, there is a pressing need for organizations to integrate IoT devices with high assurance, especially for systems with high security and safety requirements. In this...

Read More
COVID-19 and Supply-Chain Risk

COVID-19 and Supply-Chain Risk

• SEI Blog
Nathaniel Richmond

Managing supply-chain risks from the new coronavirus outbreak is personally important to me. While my first concern--like everyone else's--is mitigating the direct public-health risk of the COVID-19 pandemic, I have a salient concern about the health-related risks that could be introduced if the global manufacturing supply chain for medical devices is disrupted: I'm a Type I diabetic who relies on a continuous glucose monitor (CGM) device to monitor my blood sugar and an insulin pump...

Read More
Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity's Role in Cybersecurity

Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity's Role in Cybersecurity

• SEI Blog
Andrew Hoover

Katie Stewart co-authored this blog post. Process maturity represents an organization's ability to institutionalize their practices. Measuring process maturity determines how well practices are ingrained in the way work is defined, executed, and managed. Process maturity represents an organization's commitment to and consistency in performing these practices. A higher degree of process institutionalization contributes to more stable practices that are able to be retained during times of stress. In the case of cybersecurity, having mature...

Read More
The Latest Work from the SEI: DevSecOps, Artificial Intelligence, and Cybersecurity Maturity Model Certification

The Latest Work from the SEI: DevSecOps, Artificial Intelligence, and Cybersecurity Maturity Model Certification

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in DevSecOps, cybercrime and secure elections, software architecture, trustworthy artificial intelligence, and Cybersecurity Maturity Model Certification (CMMC). We have also included a webcast of a recent discussion on Department of Defense (DoD) software advances and future SEI work. These publications highlight the latest work...

Read More
Three Risks in Building Machine Learning Systems

Three Risks in Building Machine Learning Systems

• SEI Blog
Benjamin Cohen

Machine learning (ML) systems promise disruptive capabilities in multiple industries. Building ML systems can be complicated and challenging, however, especially since best practices in the nascent field of AI engineering are still coalescing. Consequently, a surprising fraction of ML projects fail or underwhelm. Behind the hype, there are three essential risks to analyze when building an ML system: 1) poor problem solution alignment, 2) excessive time or monetary cost, and 3) unexpected behavior once deployed....

Read More
Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response

Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response

• SEI Blog
Tim Shimeall

Visibility into the activities within assets enables network security analysts to detect network compromises. Analysts monitor these activities directly on the device by means of endpoint visibility and in the communications going to and from the device on the network. In our earlier blog posts on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility and network visibility. However, endpoint and network visibility will do little good if analysts don't have tools to...

Read More
Stop Wasting Time: Manage Time as the Limiting Resource

Stop Wasting Time: Manage Time as the Limiting Resource

• SEI Blog
Bill Nichols

Lost time is never found. - Ben Franklin Driven by a competitive marketplace, software developers and programmers are often pressured to adhere to unrealistically aggressive schedules across multiple projects. This pressure encourages management to spread the staff across all the critical work, trying to make progress everywhere at once. This trend helped to spawn the myth of the "x10 programmers"--programmers who are so much more productive than others that they will exert an outsized influence...

Read More
System Resilience Part 7: 16 Guiding Principles for System Resilience

System Resilience Part 7: 16 Guiding Principles for System Resilience

• SEI Blog
Donald Firesmith

Adverse events and conditions can disrupt a system, causing it to fail to provide essential capabilities and services. As I outlined in previous posts in this series, resilience is an essential quality attribute of most systems because they provide critical capabilities and services that must continue despite the inevitable adversities. These adversities are often unavoidable and come in many forms. Typical examples include coding defects (robustness), hazards and accidents (safety), vulnerabilities and attacks (cybersecurity and...

Read More
System Resilience Part 6: Verification and Validation

System Resilience Part 6: Verification and Validation

• SEI Blog
Donald Firesmith

Adverse events and conditions can disrupt a system, causing it to fail to provide essential capabilities and services. As I outlined in previous posts in this series, resilience is an essential quality attribute of most systems because they provide critical capabilities and services that must continue despite the inevitable adversities. In the first post in this series, I defined system resilience as the degree to which a system rapidly and effectively protects its critical capabilities...

Read More
Automatically Detecting Technical Debt Discussions with Machine Learning

Automatically Detecting Technical Debt Discussions with Machine Learning

• SEI Blog
Robert Nord

Technical debt (TD) refers to choices made during software development that achieve short-term goals at the expense of long-term quality. Since developers use issue trackers to coordinate task priorities, issue trackers are a natural focal point for discussing TD. In addition, software developers use preset issue types, such as feature, bug, and vulnerability, to differentiate the nature of the task at hand. We have recently started seeing developers explicitly use the phrase "technical debt" or...

Read More
7 Quick Steps to Using Containers Securely

7 Quick Steps to Using Containers Securely

• SEI Blog
Thomas Scanlon

Richard Laughlin co-authored this blog post. The use of containers in software development and deployment continues to trend upwards. There is good reason for this climb in usage as containers offer many benefits, such as being lightweight, modular, portable, and scalable, all while enabling rapid and flexible deployments with application isolation. However, as use of this technology increases, so does the likelihood that adversaries will target it as a means to compromise systems. Such concerns...

Read More
An Introduction to the Cybersecurity Maturity Model Certification (CMMC)

An Introduction to the Cybersecurity Maturity Model Certification (CMMC)

• SEI Blog
Katie C. Stewart

Andrew Hoover co-authored this blog post. A recent study predicted that business losses due to cybercrime will exceed $5 trillion by 2024. The threat to the defense industrial base (DIB)--the network of more than 300,000 businesses, organizations, and universities that research, engineer, develop, acquire, design, produce, deliver, sustain, and operate military weapons systems--is especially alarming due to current cyber warfare activities by cybercriminals and state-sponsored actors. A cyber attack within the DIB supply chain could...

Read More
Situational Awareness for Cybersecurity Architecture: Network Visibility

Situational Awareness for Cybersecurity Architecture: Network Visibility

• SEI Blog
Timur Snoke

Network compromises cannot be detected without visibility into the activities within assets. Network security analysts can view these activities in one of two places (or sometimes both): directly on the device by means of endpoint visibility and in the communications going to and from the device; in other words, on the network. In our earlier blog post on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility. In this post, we turn our...

Read More
Using Machine Learning to Detect Design Patterns

Using Machine Learning to Detect Design Patterns

• SEI Blog
Robert Nord

This post was co-written by Zachary Kurtz. Software increasingly serves core DoD functions, such as ship and plane navigation, supply logistics, and real-time situational awareness. The complexity of software, however, makes it hard to evaluate software quality. The ability to evaluate software is critical both for software developers and for DoD program managers who are responsible for software acquisitions. The quality of software can make or break a program budget. Quality attributes such as reliability,...

Read More
Five Reasons the Cybersecurity Field Needs Trusted Data Sets and Meaningful Metrics

Five Reasons the Cybersecurity Field Needs Trusted Data Sets and Meaningful Metrics

• SEI Blog
Bobbie Stempfley

Matthew Butkovic co-authored this blog post. Cybersecurity is a domain rich with data, but regrettably often only poor insights can be drawn from this richness. CISOs ask questions about how best to allocate resources to address threats, practitioners ask questions about how to measure the effectiveness of one solution over another, senior organizational leaders strive to identify and quantify organizational risks, and public officials work to inform organizational or national policy. Answers often involve anecdotes,...

Read More
Designing Trustworthy AI for Human-Machine Teaming

Designing Trustworthy AI for Human-Machine Teaming

• SEI Blog
Carol Smith

Artificially intelligent (AI) systems hold great promise to empower us with knowledge and enhance human effectiveness. As Department of Defense (DoD) warfighters partner with AI systems more frequently, we will identify more opportunities to clarify the limits of AI and to set realistic expectations for these types of systems. As a senior research scientist in human-machine interaction at the SEI's Emerging Technology Center, I am working to further understanding of how humans and machines can...

Read More
Summarizing and Searching Video with Machine Learning

Summarizing and Searching Video with Machine Learning

• SEI Blog
Edwin Morris

The U.S. relies on surveillance video to determine when activities of interest occur in a location that is under surveillance. Yet, because automated tools are not available to help analysts monitor real-time video or analyze archived video, analysts must dedicate full attention to video data streams to avoid missing important information about ongoing activities and patterns of life. In tactical settings, warfighters miss critical information that would improve situational awareness because dedicating full attention to...

Read More
Automated Code Repair to Ensure Memory Safety

Automated Code Repair to Ensure Memory Safety

• SEI Blog
Will Klieber

Memory-safety vulnerabilities are among the most common and most severe types of software vulnerabilities. In early 2019, a memory vulnerability in the iPhone iOS, reportedly exploited by the Chinese government, allowed attackers to take control of a phone when the user visited a malicious website. A similar vulnerability discovered in the Android Stagefright library allowed an attacker to gain control simply by sending a Multimedia Messaging Service (MMS) message to a vulnerable phone. For each...

Read More
System Resilience Part 5: Commonly-Used System Resilience Techniques

System Resilience Part 5: Commonly-Used System Resilience Techniques

• SEI Blog
Donald Firesmith

If adverse events or conditions cause a system to fail to operate appropriately, they can cause all manner of harm to valuable assets. As I outlined in previous posts in this series, system resilience is important because no one wants a brittle system that cannot overcome the inevitable adversities. In the first post in this series, I addressed these questions by providing the following, more detailed, and nuanced definition of system resilience: A system is...

Read More
Engineering for Cyber Situational Awareness: Endpoint Visibility

Engineering for Cyber Situational Awareness: Endpoint Visibility

• SEI Blog
Phil Groce

This post was co-written by Timur Snoke. In this post, we aim to help network security analysts understand the components of a cybersecurity architecture, starting with how we can use endpoint information to enhance our cyber situational awareness. Endpoints collect a wealth of information valuable for situational awareness, but too often this information goes underutilized....

Read More
System Resilience Part 4: Classifying System Resilience Techniques

System Resilience Part 4: Classifying System Resilience Techniques

• SEI Blog
Donald Firesmith

A system resilience technique is any architectural, design, or implementation technique that increases a system's resilience. These techniques (e.g., mitigations, such as redundancy, safeguards, and cybersecurity countermeasures) either passively resist adversities, actively detect adversities, react to them, or recover from the harm they cause. System resilience techniques are the means by which a system implements its resilience requirements. Resilience techniques can also be viewed as architecture, design, or implementation patterns or idioms. This post begins...

Read More
Programmer Moneyball: Challenging the Myth of Individual Programmer Productivity

Programmer Moneyball: Challenging the Myth of Individual Programmer Productivity

• SEI Blog
Bill Nichols

A pervasive belief in the field of software engineering is that some programmers are much, much better than others (the times-10, or x10, programmer), and that the skills, abilities, and talents of these programmers exert an outsized influence on that organization's success or failure. This topic is the subject of my recent column in IEEE Software, The End to the Myth of Individual Programmer Productivity....

Read More
The Latest Work from the SEI: Penetration Testing, Artificial Intelligence, and Incident Management

The Latest Work from the SEI: Penetration Testing, Artificial Intelligence, and Incident Management

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in penetration testing, designing trustworthy AI, fielding AI-enabled systems in the public sector, incident management, machine learning in cybersecurity, and cyber hygiene. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and...

Read More
System Resilience Part 3: Engineering System Resilience Requirements

System Resilience Part 3: Engineering System Resilience Requirements

• SEI Blog
Donald Firesmith

At its most basic level, system resilience is the degree to which a system continues to perform its mission in the face of adversity. While critical to operational continuity, the system's services (capabilities) are only some of the assets the system must protect to continue to perform its mission. The system must detect adversities, react to them, and recover from the harm to critical assets that they cause. System resilience at a deeper level is...

Read More
The Top 10 Blog Posts of 2019

The Top 10 Blog Posts of 2019

• SEI Blog
Douglas C. Schmidt

Every January on the SEI Blog, we present the 10 most-visited posts of the previous year. This year's list of top 10 is presented in reverse order and features posts published between January 1, 2019, and December 31, 2019. -->10. Evaluating Threat-Modeling Methods for Cyber-Physical Systems9. Managing the Consequences of Technical Debt: 5 Stories from the Field8. The Vectors of Code: On Machine Learning for Software 7. Business Email Compromise: Operation Wire Wire and New...

Read More