
Archive: November 2020

Shifting from Software Sustainment to Software Engineering in the DoD

• SEI Blog
Thomas Evans

Mike Gagliardi, Joe Kostial, Nicholas Reimer, and Douglas C. Schmidt coauthored this blog post. In our work with government acquisition programs, we have observed a trend: organic software sustainment organizations are expanding beyond their traditional purview of software maintenance into software engineering and development. As a result, these organizations now also focus on designing and implementing new software architectures and code, rather than just repairing and maintaining legacy software. Software sustainment and maintenance organizations have...

Show Me Agility: Agile Strategy Execution

• SEI Blog
Linda Parker Gates

The rapid pace of change in software development, in business, and in the world has many organizations struggling to execute daily operations, wrangle big projects, and feel confident that there is a long-term strategy at play. Wrestling with daily trials and being unable to see beyond immediate tasks can feel like working in the weeds. An agile strategy and execution environment, however, can enable us to win tactical battles while maintaining a focus on broader...

Cat and Mouse in the Age of .NET

• SEI Blog
Brandon Marzik

Penetration testers have long exploited the PowerShell scripting language to gain a foothold in systems and execute an attack. PowerShell is installed on every Windows machine, has direct access to the Windows application programming interface (API), and is rarely disabled. Over the years, red teams have created extensive tool suites to leverage the language for offensive tradecraft. Blue teams have kept pace by developing defenses to stop these tools. Eventually, changes in the PowerShell landscape...

What Is Digital Engineering and How Is It Related to DevSecOps?

• SEI Blog
David Shepard

Julia Scherb coauthored this blog post. The Department of Defense's desire for faster delivery of new capabilities is transforming defense acquisitions. The emerging processes of digital thread and digital engineering aim to address the difficulties of managing complex and evolving technologies over their lifecycles. In the same way that DevSecOps has transformed the processes of software development, testing, and acquisition for the DoD, digital engineering has the potential to transform the way hardware-intensive systems are...

Mission-Based Prioritization: A New Method to Sequence Features, Capabilities, and Epics

• SEI Blog
Keith Korzec

Prioritization identifies the sequence in which requirements should be addressed and allows end users and stakeholders to evaluate and provide feedback on the most valuable features of the evolving system. In Agile software development, requirements and desires are expressed as items in the product backlog. All development-related activities are drawn from the backlog. For small Agile products, there will typically be a single backlog. For large-scale Agile development efforts using the Scaled Agile Framework (SAFe),...

3 Ransomware Defense Strategies

• SEI Blog
Marisa Midler

Ransomware is evolving. Not only are there more attackers due to ransomware as a service (RaaS) threats, but ransomware attack strategies are changing with data exfiltration extortions, which I will explain in more detail later in this blog post. Backing up your data is the first action to take against ransomware. After you have established data backups, the next priority is defending against the top three ransomware attack vectors: Remote Desktop Protocol (RDP), email phishing,...

A Public Repository of Data for Static-Analysis Classification Research

• SEI Blog
Lori Flynn

Static analysis (SA) tools are a widely used and routine part of testing by DoD and commercial organizations. Validating and repairing defects discovered by SA tools can require more human effort from auditors and coders than organizations have available. Since 2016, researchers in the SEI CERT Division have been developing a method to automatically classify and prioritize alerts (warnings) and meta-alerts (alerts about code flaws or conditions) to help auditors and coders address large volumes...
