Technical Papers
The SEI Digital Library houses thousands of technical papers and other documents, ranging from SEI Technical Reports on groundbreaking research to conference proceedings, survey results, and source code.
Why Your Software Cost Estimates Change Over Time and How DevSecOps Data Can Help Reduce Cost Risk
• White Paper
By Julie B. Cohen
Early software cost estimates are often off by over 40%; this paper discusses how programs must continually update estimates as more information becomes available.
A Retrospective in Engineering Large Language Models for National Security
• White Paper
By The Software Engineering Institute
This document discusses the findings, recommendations, and lessons learned from engineering a large language model for national security use cases.
U.S. Leadership in Software Engineering & AI Engineering: Critical Needs & Priorities Workshop - Executive Summary
• White Paper
By Forrest Shull
A joint SEI/NITRD workshop will advance U.S. national interests through software and AI engineering and accelerate progress across virtually all scientific domains.
A Holistic View of Architecture Definition, Evolution, and Analysis
• Technical Report
By Rick Kazman, Sebastián Echeverría, James Ivers
This report focuses on performing architectural decisions and architectural analysis, spanning multiple quality attributes, in a sustainable and ongoing way.
Emerging Technologies: Seven Themes Changing the Future of Software in the DoD
• White Paper
By Scott Hissam, Shen Zhang, Michael Abad-Santos
This report summarizes the SEI's Emerging Technologies Study (ETS) and identifies seven emerging technologies to watch in software engineering practices and technology.
Demonstrating the Practical Utility and Limitations of ChatGPT Through Case Studies
• White Paper
By Clarence Worrell, Matthew Walsh, Dominic A. Ross, Alejandro Gomez
In this study, SEI researchers conducted four case studies using GPT-3.5 to assess the practical utility of large language models such as ChatGPT.
Software Excellence Through the Agile High Velocity Development℠ Process
• Technical Report
By Barti K. Perini (Ishpi Information Technologies, Inc.), Stephen Shook (Ishpi Information Technologies, Inc.)
The High Velocity Development℠ process earned Ishpi Information Technologies, Inc. the 2023 Watts Humphrey Software Quality Award.
Coding the Future: Recommendations for Defense Software R&D
• White Paper
This report outlines the key recommendations from the November 2022 workshop "Software as a Modernization Priority."
Engineering of Edge Software Systems: A Report from the November 2022 SEI Workshop on Software Systems at the Edge
• White Paper
By Grace Lewis, Ipek Ozkaya, Kevin A. Pitstick
Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for engineering software systems at the edge.
Software Bill of Materials Framework: Leveraging SBOMs for Risk Reduction
• White Paper
By Carol Woody, Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen
This paper is a Software Bill of Materials (SBOM) Framework that is a starting point for expanding the use of SBOMs for managing software and systems risk.
Generative AI: Key Opportunities and Research Challenges
• White Paper
This 2023 workshop report identifies DoD use cases for generative AI and discusses meeting challenges and needs such as investing in guardrails and responsible AI amid a race to capability.
Securing UEFI: An Underpinning Technology for Computing
• White Paper
By Vijay S. Sarvepalli
This paper highlights the technical efforts to secure the UEFI-based firmware that serves as a foundational piece of modern computing environments.
Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure
• Technical Report
By Nataliya Shevchenko, Timothy A. Chick, Scott Pavetti
This report describes how analysts can use a model-based systems engineering (MBSE) approach to detect and mitigate cybersecurity risks to a DevSecOps pipeline.
Program Managers—The DevSecOps Pipeline Can Provide Actionable Data
• White Paper
By Julie B. Cohen, Bill Nichols
This paper describes the Automated Continuous Estimation for a Pipeline of Pipelines research project, which automates data collection to track program progress.
Zero Trust Industry Day 2022: Areas of Future Research
• White Paper
By Timothy Morrow, Trista Polaski, Matthew Nicolai
This paper describes the future research discussed at the 2022 Zero Trust Industry Day event.
Industry Best Practices for Zero Trust Architecture
• White Paper
By Matthew Nicolai, Timothy Morrow, Nathaniel Richmond
This paper describes best practices identified during the SEI’s Zero Trust Industry Day 2022, and provides ways to help organizations shift to zero trust.
A Strategy for Component Product Lines: Report 1: Scoping, Objectives, and Rationale
• Special Report
By Alfred Schenker, John McGregor, John J. Hudak, Sholom G. Cohen, Gabriel Moreno
This report establishes a Component Product Line Strategy to address problems in systematically reusing and integrating components built to conform to component specification models.
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk
• Technical Note
By Charles M. Wallen, Michael S. Bandor, Christopher J. Alberts, Carol Woody
This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.
Zero Trust Industry Day Experience Paper
• White Paper
By Timothy Morrow, Rhonda Brown, Mary Popeck
This paper describes the results of the 2022 Zero Trust Industry Day event.
Challenge Development Guidelines for Cybersecurity Competitions
• Technical Report
By Josh Hammerstein, Matt Kaar, Jarrett Booz, Joseph Vessella, Leena Arora, Dennis M. Allen
This paper draws on the SEI’s experience to provide general-purpose guidelines and best practices for developing effective cybersecurity challenges.
Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk
• White Paper
By Charles M. Wallen, Michael S. Bandor, Christopher J. Alberts, Carol Woody
The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.
Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
• Special Report
By Allen D. Householder
This report proposes a formal protocol specification for MPCVD to improve the interoperability of both CVD and MPCVD processes.
Common Sense Guide to Mitigating Insider Threats, Seventh Edition
• White Paper
The guide describes 22 best practices for mitigating insider threat based on the CERT Division's continued research and analysis of more than 3,000 insider threat cases.
Coordinated Vulnerability Disclosure User Stories
• White Paper
By Allen D. Householder, Art Manion, Jonathan Spring, Vijay S. Sarvepalli, Timur D. Snoke, Laurie Tyzenhaus, Eric Hatleback, Charles G. Yarbrough, Brad Runyon
This paper provides user stories to guide the development of a technical protocol and application programming interface for Coordinated Vulnerability Disclosure.
LLVM Intermediate Representation for Code Weakness Identification
• White Paper
By Shannon Gallagher, David Svoboda, William Klieber
This paper examines whether intermediate representation used in Large Language Models can be useful to indicate the presence of software vulnerabilities.
Digital Engineering Effectiveness
• White Paper
By Bill Nichols, Alfred Schenker, Tyler Smith (Adventium Labs, Inc.)
This paper explores the reluctance of developers of cyber-physical systems to embrace digital engineering (DE), how DE methods should be tailored to achieve their stakeholders' goals, and how to measure …
A Brief Introduction to the Evaluation of Learned Models for Aerial Object Detection
• White Paper
By Eric Heim
The SEI AI Division assembled guidance on the design, production, and evaluation of machine-learning models for aerial object detection.
Guidance for Tailoring DoD Request for Proposals (RFPs) to Include Modeling
• Special Report
By Tom Merendino, Robert Wojcik, Julie B. Cohen
This report provides guidance for government program offices that are including digital engineering/modeling requirements into a request for proposal.
Modeling to Support DoD Acquisition Lifecycle Events (Version 1.4)
• White Paper
By Julie B. Cohen, Robert Wojcik, Tom Merendino
This document provides suggestions for producing requirement, system, and software models that will be used to support various DoD system acquisition lifecycle events.
Experiences with Deploying Mothra in Amazon Web Services (AWS)
• Technical Report
By John Stogoski, Daniel Ruef, Brad Powell
The authors describe development of an at-scale prototype of an on-premises system to test the performance of Mothra in the cloud and provide recommendations for similar deployments.
Extensibility
• Technical Report
By James Ivers, Sebastián Echeverría, Rick Kazman
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for extensibility.
TwinOps: Digital Twins Meets DevOps
• Technical Report
By Joe Yankel, Jerome Hugues, Anton Hristozov, John J. Hudak
This report describes ModDevOps, an approach that bridges model-based engineering and software engineering using DevOps concepts and code generation from models, and TwinOps, a specific ModDevOps pipeline.
Robustness
• Technical Report
By James Ivers, Philip Bianco, Sebastián Echeverría, Rick Kazman
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for robustness.
An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems
• White Paper
By Jonathan Spring
This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing.
Using XML to Exchange Floating Point Data
• White Paper
By John Klein
This paper explains issues of using XML to exchange floating point values, how to address them, and the limits of technology to enforce a correct implementation.
Using Machine Learning to Increase NPC Fidelity
• Technical Report
By Dustin D. Updyke, Thomas G. Podnar, Geoffrey B. Dobson, John Yarger
The authors describe how they used machine learning (ML) modeling to create decision-making preferences for non-player characters (NPCs).
A Prototype Set of Cloud Adoption Risk Factors
• White Paper
By Christopher J. Alberts
Alberts discusses the results of a study to identify a prototype set of risk factors for adopting cloud technologies.
Cloud Security Best Practices Derived from Mission Thread Analysis
• Technical Report
By Angel Luis Hueca, Nathaniel Richmond, Donald Faatz, Timothy Morrow, Vincent LaPiana
This report presents practices for secure, effective use of cloud computing and risk reduction in transitioning applications and data to the cloud, and considers the needs of limited-resource businesses.
Accenture: An Automation Maturity Journey
• Technical Report
By Rajendra T. Prasad (Accenture)
This paper describes work in the area of automation that netted Accenture the 2020 Watts Humphrey Software Process Achievement Award.
Planning and Design Considerations for Data Centers
• Technical Note
By David Sweeney, Lyndsi A. Hughes, Mark Kasunic
This report shares important lessons learned from establishing small- to mid-size data centers.
Integrating Zero Trust and DevSecOps
• White Paper
By Timothy Morrow, Nathaniel Richmond, Geoff Sanders, Carol Woody
This paper discusses the interdependent strategies of zero trust and DevSecOps in the context of application development.
A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
• Special Report
By Jonathan Spring, Allen D. Householder
This report discusses performance indicators that stakeholders in Coordinated Vulnerability Disclosure (CVD) can use to measure its effectiveness.
Human-Centered AI
• White Paper
By Jay Palat, Rachel Dzombak, Matt Gaston, Hollen Barmer, Carol J. Smith, Tanisha Smith, Frank Redner
This white paper discusses Human-Centered AI: systems that are designed to work with, and for, people.
Robust and Secure AI
• White Paper
By Frank Redner, Tanisha Smith, Nathan M. VanHoudnos, Hollen Barmer, Eric Heim, Matt Gaston, Rachel Dzombak, Jay Palat
This white paper discusses Robust and Secure AI systems: AI systems that reliably operate at expected levels of performance, even when faced with uncertainty and in the presence of danger …
Scalable AI
• White Paper
By Jay Palat, Rachel Dzombak, Matt Gaston, Hollen Barmer, John Wohlbier, Tanisha Smith, Frank Redner
This white paper discusses Scalable AI: the ability of AI algorithms, data, models, and infrastructure to operate at the size, speed, and complexity required for the mission.
The Sector CSIRT Framework: Developing Sector-Based Incident Response Capabilities
• Technical Report
By Justin Novak, Sharon Mudd, David McIntire, Tracy Bills, Brittany Manley, Angel Luis Hueca
This framework guides the development and implementation of a sector CSIRT.
Foundation of Cyber Ranges
• Technical Report
By Bill Reed, Dustin D. Updyke, Thomas G. Podnar, Geoffrey B. Dobson
This report details the design considerations and execution plan for building high-fidelity, realistic virtual cyber ranges that deliver maximum training and exercise value for cyberwarfare participants.
Software Assurance Guidance and Evaluation (SAGE) Tool
• White Paper
By Robert Schiela, Ebonie McNeil, Luiz Antunes, Hasan Yasar
The Software Assurance Guidance and Evaluation (SAGE) tool helps an organization assess the security of its systems development and operations practices.
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)
• White Paper
By Vijay S. Sarvepalli, Allen D. Householder, Jonathan Spring, Art Manion, Charles G. Yarbrough, Madison Oliver, Eric Hatleback, Laurie Tyzenhaus
This paper presents version 2.0 of a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System …
Modeling and Validating Security and Confidentiality in System Architectures
• Technical Report
By Aaron Greenhouse, Lutz Wrage, Jörgen Hansson (University of Skovde)
This report presents an approach for modeling and validating confidentiality using the Bell–LaPadula security model and the Architecture Analysis & Design Language.
Overview of Practices and Processes of the CMMC 1.0 Assessment Guides (CMMC 1.0)
• White Paper
By Douglas Gardner
This document is intended to help anyone unfamiliar with cybersecurity standards get started with the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).
Zero Trust: Risks and Research Opportunities
• White Paper
By Geoff Sanders, Timothy Morrow
This paper describes a zero trust vignette and three mission threads that highlight risks and research areas to consider for zero trust environments.
Artificial Intelligence (AI) and Machine Learning (ML) Acquisition and Policy Implications
• White Paper
By William E. Novak
This paper reports on a high-level survey of a set of both actual and potential acquisition and policy implications of the use of Artificial Intelligence (AI) and Machine Learning (ML) …
Security Engineering Risk Analysis (SERA) Threat Archetypes
• White Paper
By Christopher J. Alberts, Carol Woody
This report examines the concept of threat archetypes and how analysts can use them during scenario development.
Loss Magnitude Estimation in Support of Business Impact Analysis
• Technical Report
By David Tobar, Daniel J. Kambic, Brett Tucker, Andrew P. Moore
The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.
Emerging Technologies 2020: Six Areas of Opportunity
• White Paper
This study seeks to understand what the software engineering community perceives to be key emerging technologies. The six technologies described hold great promise and, in some cases, have already attracted …
Maintainability
• Technical Report
By Rick Kazman, John Klein, James Ivers, Philip Bianco
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for maintainability.
Advancing Risk Management Capability Using the OCTAVE FORTE Process
• Technical Note
By Brett Tucker
OCTAVE FORTE is a process model that helps organizations evaluate their security risks and use ERM principles to bridge the gap between executives and practitioners.
Analytic Capabilities for Improved Software Program Management
• White Paper
By David Zubrow, Christopher Miller
This white paper describes an update to the SEI Quantifying Uncertainty in Early Lifecycle Cost Estimation approach.
AI Engineering for Defense and National Security: A Report from the October 2019 Community of Interest Workshop
• Special Report
Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for AI Engineering for Defense and National Security.
NICE Framework Cybersecurity Evaluator
• White Paper
By Christopher Herr
This cybersecurity evaluator is designed to assess members of the cyber workforce within the scope of the NICE Cybersecurity Workforce Framework.
Current Ransomware Threats
• White Paper
By Marisa Midler, Kyle O'Meara
This report by Marisa Midler, Kyle O'Meara, and Alexandra Parisi discusses ransomware, including an explanation of its design, distribution, execution, and business model.
An Updated Framework of Defenses Against Ransomware
• White Paper
By Timothy J. Shimeall, Timur D. Snoke
This report, loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against Ransomware-as-a-Service (RaaS) as well as direct ransomware attacks.
Historical Analysis of Exploit Availability Timelines
• White Paper
By Allen D. Householder, Jonathan Spring, David Warren, Jeff Chrabaszcz (Govini), Trent Novelly
This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible.
Architecture Evaluation for Universal Command and Control
• White Paper
By Reed Little, Philip Bianco, Jason Popowski, Patrick Donohoe, John Klein, Harry L. Levinson
The SEI developed an analysis method to assess function allocations in existing C2 systems and reason about design choices and tradeoffs during the design of new C2 systems.
A Risk Management Perspective for AI Engineering
• White Paper
By Brett Tucker
This paper describes several steps of OCTAVE FORTE in the context of adopting AI technology.
Attack Surface Analysis - Reduce System and Organizational Risk
• White Paper
By Carol Woody, Robert J. Ellison
This paper offers system defenders an overview of how threat modeling can provide a systematic way to identify potential threats and prioritize mitigations.
Guide to Implementing DevSecOps for a System of Systems in Highly Regulated Environments
• Technical Report
By David James Shepard, Richard Turner, Patrick R. Place, Jose A. Morales, Suzanne Miller, Peter Capell
This Technical Report provides guidance to projects interested in implementing DevSecOps (DSO) in defense or other highly regulated environments, including those involving systems of systems.
Integrability
• Technical Report
By John Klein, Rick Kazman, Philip Bianco, James Ivers
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for integrability.
Comments on NISTIR 8269 (A Taxonomy and Terminology of Adversarial Machine Learning)
• White Paper
By Nathan M. VanHoudnos, Jonathan Spring, April Galyardt
Feedback to the U.S. National Institute of Standards and Technology (NIST) about NIST IR 8269, a draft report detailing the proposed taxonomy and terminology of Adversarial Machine Learning (AML).
Penetration Tests Are The Check Engine Light On Your Security Operations
• White Paper
By Dan J. Klinedinst, Allen D. Householder
A penetration test serves as a lagging indicator of a network security operations problem. Organizations should implement and document several security controls before a penetration test can be useful.
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization
• White Paper
By Allen D. Householder, Jonathan Spring, Art Manion, Deana Shick, Eric Hatleback
This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
AI Engineering: 11 Foundational Practices
• White Paper
This initial set of recommendations can help organizations that are beginning to build, acquire, and integrate artificial intelligence capabilities into business and mission systems.
Machine Learning in Cybersecurity: A Guide
• Technical Report
By Leigh B. Metcalf, Jonathan Spring, Angela Horneman, April Galyardt, Joshua Fallon, Ed Stoner
This report suggests seven key questions that managers and decision makers should ask about machine learning tools to effectively use those tools to solve cybersecurity problems.
Operational Test & Evaluation (OT&E) Roadmap for Cloud-Based Systems
• White Paper
By Charles M. Wallen, John Klein, Christopher J. Alberts, Carol Woody
This paper provides an overview of the preparation and work that the AEC needs to perform to successfully transition the Army to cloud computing.
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2018: U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate
• Technical Report
By Victor A. Elias (U.S. Army CCDC Armaments Center, Fire Control Systems and Technology Directorate)
This report presents a systemic approach to software development process improvement and its impact for the U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate …
Overview of Risks, Threats, and Vulnerabilities Faced in Moving to the Cloud
• Technical Report
By Kelwyn Pender, Carrie Lee (U.S. Department of Veteran Affairs), Timothy Morrow, Donald Faatz
This report, updated in October 2020, examines the changes to risks, threats, and vulnerabilities when applications are deployed to cloud services.
Automatically Detecting Technical Debt Discussions
• White Paper
By Zachary Kurtz, Robert Nord, Ipek Ozkaya, Raghvinder Sangwan
This study introduces (1) a dataset of expert labels of technical debt in developer comments and (2) a classifier trained on those labels.
Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem
• White Paper
By Allen D. Householder, Andrew P. Moore
This paper presents modeling and analysis of two critical foundational processes of the cybersecurity vulnerability management ecosystem using a combination of system dynamics and agent-based modeling techniques.
SCAIFE API Definition Beta Version 0.0.2 for Developers
• White Paper
By Ebonie McNeil, Lori Flynn
This paper provides the SCAIFE API definition for beta version 0.0.2. SCAIFE is an architecture that supports static analysis alert classification and prioritization.
Creating xBD: A Dataset for Assessing Building Damage from Satellite Imagery
• White Paper
We present a preliminary report for xBD, a new large-scale dataset for the advancement of change detection and building damage assessment for humanitarian assistance and disaster recovery research.
Integration of Automated Static Analysis Alert Classification and Prioritization with Auditing Tools: Special Focus on SCALe
• Technical Report
By Lori Flynn, David Svoboda, Ebonie McNeil, Zachary Kurtz, Derek Leung, Jiyeon Lee (Carnegie Mellon University)
This report summarizes progress and plans for developing a system to perform automated classification and advanced prioritization of static analysis alerts.
Cybersecurity Career Paths and Progression
• White Paper
By Melissa Burns, Marie Baker, Nicholas Giruzzi, Dennis M. Allen
This paper explores the current state of cybersecurity careers, from the importance of early exposure, to methods of entry into the field, to career progression.
Cybersecurity Talent Identification and Assessment
• White Paper
By Dennis M. Allen, Christopher Herr, Marie Baker
To help fill cybersecurity roles, this paper explores how organizations identify talent, discusses assessment capabilities, and provides recommendations on recruitment and talent evaluations.
Cybersecurity Careers of the Future
• White Paper
By Dennis M. Allen
Using workforce data analysis, this paper identifies key cybersecurity skills the workforce needs to close the cybersecurity workforce gap.
A Targeted Improvement Plan for Service Continuity
• Technical Note
By Gavin Jurecko, Philip A. Scolieri, Andrew F. Hoover, Jeffrey Pinckard, Robert A. Vrtis
Describes how an organization can leverage the results of a Cyber Resilience Review to create a Targeted Improvement Plan for its service continuity management.
Exploring the Use of Metrics for Software Assurance
• Technical Note
By Carol Woody, Charlie Ryan, Robert J. Ellison
This report proposes measurements for each Software Assurance Framework (SAF) practice that a program can select to monitor and manage the progress it's making toward software assurance.
Common Sense Guide to Mitigating Insider Threats, Sixth Edition
• Technical Report
By Daniel L. Costa, William R. Claycomb, Sarah Miller, Michael C. Theis, Tracy Cassidy, Andrew P. Moore, Randall F. Trzeciak
The guide presents recommendations for mitigating insider threat based on the CERT Division's continued research and analysis of more than 1,500 insider threat cases.
An Approach for Integrating the Security Engineering Risk Analysis (SERA) Method with Threat Modeling
• White Paper
By Christopher J. Alberts, Carol Woody
This report examines how cybersecurity data generated by a threat modeling method can be integrated into a mission assurance context using the SERA Method.
Infrastructure as Code: Final Report
• White Paper
By John Klein, Doug Reynolds
This project explored the feasibility of infrastructure as code, developed prototype tools, populated a model of the deployment architecture, and automatically generated IaC scripts from the model.
Incident Management Capability Assessment
• Technical Report
By Samuel J. Perl, Mark Zajicek, Robin Ruefle, Christopher J. Alberts, Pennie Walters, David McIntire, Audrey J. Dorofee, Carly L. Huth
The capabilities presented in this report provide a benchmark of incident management practices.
Program Manager's Guidebook for Software Assurance
• Special Report
By Kenneth Nidiffer, Timothy A. Chick, Carol Woody
This guidebook helps program managers address the software assurance responsibilities critical in defending software-intensive systems, including mission threads and cybersecurity.
DoD Developer’s Guidebook for Software Assurance
• Special Report
By Tom Scanlon, Bill Nichols
This guidebook helps software developers for DoD programs understand expectations for software assurance and standards and requirements that affect assurance.
Towards Improving CVSS
• White Paper
By Art Manion, Jonathan Spring, Allen D. Householder, Deana Shick, Eric Hatleback
This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).
GHOSTS in the Machine: A Framework for Cyber-Warfare Exercise NPC Simulation
• Technical Report
By Dustin D. Updyke, Thomas G. Podnar, Geoffrey B. Dobson, Luke J. Osterritter, Benjamin L. Earl, Adam D. Cerini
This report outlines how the GHOSTS (General HOSTS) framework helps create realism in cyber-warfare simulations and discusses how it was used in a case study.
Composing Effective Software Security Assurance Workflows
• Technical Report
By David Sweeney, William Snavely, Aaron Volkmann, Jim McHale, Bill Nichols
In an effort to determine how to make secure software development more cost effective, the SEI conducted a research study to empirically measure the effects that security tools—primarily automated static …
FedCLASS: A Case Study of Agile and Lean Practices in the Federal Government
• Special Report
By Nanette Brown, Linda Parker Gates, Jeff Davenport, Tamara Marshall-Keim
This study reports the successes and challenges of using Agile and Lean methods and cloud-based technologies in a government software development environment.
Threat Modeling for Cyber-Physical System-of-Systems: Methods Evaluation
• White Paper
By Brent Frye, Nataliya Shevchenko, Carol Woody
This paper compares threat modeling methods for cyber-physical systems and recommends which methods (and combinations of methods) to use.
Software Architecture Publications
• White Paper
The SEI compiled this bibliography of publications about software architecture as a resource for information about system architecture throughout its lifecycle.
Practical Precise Taint-flow Static Analysis for Android App Sets
• White Paper
By William Klieber, Lori Flynn, William Snavely, Michael Zheng
This paper describes how to detect taint flow in Android app sets with a static analysis method that is fast and uses little disk and memory space.
Threat Modeling: A Summary of Available Methods
• White Paper
By Paige O'Riordan, Timothy A. Chick, Carol Woody, Nataliya Shevchenko, Tom Scanlon
This paper discusses twelve threat modeling methods from a variety of sources that target different parts of the development process.
Navigating the Insider Threat Tool Landscape: Low-Cost Technical Solutions to Jump-Start an Insider Threat Program
• White Paper
By Michael J. Albrethsen, Daniel L. Costa, Derrick Spooner, George Silowash
This paper explores low cost technical solutions that can help organizations prevent, detect, and respond to insider incidents.
Blacklist Ecosystem Analysis: July - December 2017
• White Paper
By Leigh B. Metcalf, Eric Hatleback
This short report provides a summary of the various analyses of the blacklist ecosystem performed from July 1, 2017, through December 31, 2017.
ROI Analysis of the System Architecture Virtual Integration Initiative
• Technical Report
By Jörgen Hansson (University of Skovde) , Peter H. Feiler , Steve Helton (The Boeing Company)
This report presents an analysis of the economic effects of the System Architecture Virtual Integration approach on the development of software-reliant systems for aircraft compared to existing development paradigms.
DOWNLOAD -
Implementing DevOps Practices in Highly Regulated Environments
• White Paper
By Aaron Volkmann , Hasan Yasar , Jose A. Morales
In this paper, the authors lay out the process with insights on performing a DevOps assessment in a highly regulated environment.
DOWNLOAD -
A Mapping of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the Cyber Resilience Review (CRR)
• Technical Note
By Greg Porter (Heinz College at Carnegie Mellon University) , Robert A. Vrtis , Matthew Trevors
This technical note describes mapping of HIPAA Security Rule requirements to practice questions found in the CERT Cyber Resilience Review for organizations' use in HIPAA compliance.
DOWNLOAD -
A Hybrid Threat Modeling Method
• Technical Note
By Nancy R. Mead , Forrest Shull , Krishnamurthy Vemuru (University of Virginia) , Ole Villadsen (Carnegie Mellon University)
Presents a hybrid method of threat modeling that attempts to meld the desirable features of three methods: Security Cards, Persona non Grata, and STRIDE.
DOWNLOAD -
Cyber Mutual Assistance Workshop Report
• Special Report
By Katie C. Stewart , Jonathon Monken (PJM Interconnection) , Fernando Maymi, PhD (Army Cyber Institute) , Dan Bennett, PhD (Army Cyber Institute) , Dan Huynh (Army Cyber Institute) , Blake Rhoades (Army Cyber Institute) , Matt Hutchison (Army Cyber Institute) , Judy Esquibel (Army Cyber Institute) , Bill Lawrence (North American Electric Reliability Corporation)
The Army Cyber Institute hosted a Cyber Mutual Assistance Workshop to identify challenges in defining cyber requirements for Regional Mutual Assistance Groups.
DOWNLOAD -
Embedded Device Vulnerability Analysis Case Study Using Trommel
• White Paper
By Madison Oliver , Kyle O'Meara
This document provides security researchers with a repeatable methodology to produce more thorough and actionable results when analyzing embedded devices for vulnerabilities.
DOWNLOAD -
2017 Emerging Technology Domains Risk Survey
• Technical Report
By Dan J. Klinedinst , Joel Land , Kyle O'Meara
This report describes our understanding of future technologies and helps US-CERT identify vulnerabilities, promote security practices, and understand vulnerability risk.
DOWNLOAD -
R-EACTR: A Framework for Designing Realistic Cyber Warfare Exercises
• Technical Report
By Thomas G. Podnar , Geoffrey B. Dobson , Luke J. Osterritter , Adam D. Cerini
R-EACTR is a design framework for cyber warfare exercises. It ensures that designs of team-based exercises factor realism into all aspects of the participant experience.
DOWNLOAD -
Architecture Practices for Complex Contexts
• White Paper
By John Klein
This doctoral thesis, completed at Vrije Universiteit Amsterdam, focuses on software architecture practices for systems of systems, including data-intensive systems.
DOWNLOAD -
Defining a Progress Metric for CERT-RMM Improvement
• Technical Note
By David Tobar , Nader Mehravari , Gregory Crabb (United States Postal Service)
Describes the Cybersecurity Program Progress Metric and how its implementation in a large, diverse U.S. national organization can serve to indicate progress toward improving cybersecurity and resilience capabilities.
DOWNLOAD -
Blacklist Ecosystem Analysis: January - June, 2017
• White Paper
By Eric Hatleback , Leigh B. Metcalf
This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data …
DOWNLOAD -
The CERT Guide to Coordinated Vulnerability Disclosure
• Special Report
By Art Manion , Allen D. Householder , Garret Wassermann , Christopher King
This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go …
DOWNLOAD -
Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers
• Special Report
By Joel Land
This report describes a test framework that the CERT/CC developed to identify systemic and other vulnerabilities in CPE routers.
DOWNLOAD -
Department of Defense Software Factbook
• Technical Report
By Christopher Miller , Rhonda Brown , James McCurley , David Zubrow , Mike Zuccher (No Affiliation) , Brad Clark
In this report, the Software Engineering Institute has analyzed data related to DoD software projects and translated it into information that is frequently sought-after across the DoD.
DOWNLOAD -
DidFail: Coverage and Precision Enhancement
• Technical Report
By Karan Dwivedi (No Affiliation) , Hongli Yin (No Affiliation) , Pranav Bagree (No Affiliation) , Xiaoxiao Tang (No Affiliation) , William Klieber , Lori Flynn , William Snavely
This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.
DOWNLOAD -
The Hard Choices Game Explained
• White Paper
By Philippe Kruchten , Robert Nord , Ipek Ozkaya , Nanette Brown , Erin Lim
The Hard Choices game is a simulation of the software development cycle meant to communicate the concepts of uncertainty, risk, and technical debt.
DOWNLOAD -
Federal Virtual Training Environment (FedVTE)
• White Paper
By April Galyardt , Marie Baker , Dominic A. Ross
The Federal Virtual Training Environment (FedVTE) is an online, on‐demand training system containing cybersecurity and certification prep courses, at no cost to federal, state, and local government employees.
DOWNLOAD -
Blacklist Ecosystem Analysis: July – December 2016
• White Paper
By Eric Hatleback , Leigh B. Metcalf
This report provides a summary of various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this …
DOWNLOAD -
Guide to Software Architecture Tools
• White Paper
This document discusses tools and methods for analyzing the architecture, establishing requirements, evaluating the architecture, and defining the architecture.
DOWNLOAD -
System-of-Systems Software Architecture Evaluation
• White Paper
DOWNLOAD -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award
• White Paper
DOWNLOAD -
SEI-Certified PSP Developer Examination: Sample Questions
• White Paper
This page contains sample questions similar to those found on the PSP Developer examination.
DOWNLOAD -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2016: Raytheon Integrated Defense Systems
• Technical Report
By Neal Mackertich (Raytheon) , Peter Kraus (Raytheon) , Kurt Mittelstaedt (Raytheon) , Brian Foley (Raytheon) , Dan Bardsley (Raytheon) , Kelli Grimes (Raytheon) , Mike Nolan (Raytheon)
The Raytheon Integrated Defense Systems DFSS team has been recognized with the 2016 Watts Humphrey Software Process Achievement Award.
DOWNLOAD -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement (SPA) Award 2016: Nationwide
• Technical Report
By Will J.M. Pohlman (Nationwide IT)
This report describes the 10-year history of Nationwide's software process improvement journey. Nationwide received the 2016 Watts Humphrey Software Process Achievement Award from the SEI and IEEE.
DOWNLOAD -
Prototype Software Assurance Framework (SAF): Introduction and Overview
• Technical Note
By Christopher J. Alberts , Carol Woody
In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
DOWNLOAD -
15 Tips for Preparing and Delivering a Great Presentation at SATURN
• White Paper
You submitted a proposal to SATURN, and it got accepted. Congratulations! Here are 15 tips for creating and giving a great presentation at SATURN.
DOWNLOAD -
The CISO Academy
• White Paper
By David Tobar , Summer C. Fowler , Pamela D. Curtis , David Ulicne
In this paper, the authors describe the project that led to the creation of the U.S. Postal Service's CISO Academy.
DOWNLOAD -
Agile Acquisition and Milestone Reviews
• White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 4
DOWNLOAD -
Management and Contracting Practices for Agile Programs
• White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 3
DOWNLOAD -
Estimating in Agile Acquisition
• White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 5
DOWNLOAD -
Agile Development and DoD Acquisitions
• White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 1
DOWNLOAD -
Agile Culture in the DoD
• White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 2
DOWNLOAD -
Adopting Agile in DoD IT Acquisitions
• White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 6
DOWNLOAD -
Supply Chain and Commercial-off-the-Shelf (COTS) Assurance
• White Paper
The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.
DOWNLOAD -
COTS-Based Systems
• White Paper
This paper presents a summary of SEI commercial off-the-shelf (COTS) software documents and COTS tools.
DOWNLOAD -
Create a CSIRT
• White Paper
This white paper discusses the issues and decisions organizations should address when planning, implementing, and building a CSIRT.
DOWNLOAD -
Skills Needed When Staffing Your CSIRT
• White Paper
This white paper describes a set of skills that CSIRT staff members should have to provide basic incident-handling services.
DOWNLOAD -
CSIRT Frequently Asked Questions (FAQ)
• White Paper
This FAQ addresses CSIRTs, organizations responsible for receiving, reviewing, and responding to computer security incident reports and activity.
DOWNLOAD -
CERT-RMM Capability Appraisals
• White Paper
The white paper describes CERT-RMM appraisals and the benefits they offer organizations.
DOWNLOAD -
A Technical History of the SEI
• Special Report
By Larry Druffel
This report chronicles the technical accomplishments of the Software Engineering Institute and its impact on the Department of Defense software community, as well as on the broader software engineering community.
DOWNLOAD -
SQUARE Frequently Asked Questions (FAQ)
• White Paper
This paper contains information about SQUARE, a process that helps organizations build security into the early stages of the software production lifecycle.
DOWNLOAD -
Common Sense Guide to Mitigating Insider Threats, Fifth Edition
• Technical Report
By Randall F. Trzeciak , Andrew P. Moore , Michael J. Albrethsen , Michael C. Theis , Tracy Cassidy , Daniel L. Costa , Jason W. Clark , Matthew L. Collins , Jeremy R. Strozer
Presents recommendations for mitigating insider threat based on CERT's continued research and analysis of over 1,000 cases.
DOWNLOAD -
Architecture-Led Safety Process
• Technical Report
By John McGregor , David P. Gluch , Julien Delange , Peter H. Feiler
Architecture-Led Safety Analysis (ALSA) is a safety analysis method that uses early architecture knowledge to supplement traditional safety analysis techniques to identify faults as early as possible.
DOWNLOAD -
The Critical Role of Positive Incentives for Reducing Insider Threats
• Technical Report
By Tracy Cassidy , Samuel J. Perl , Andrew P. Moore , Allison Parshall , Nathan M. VanHoudnos , Jennifer Cowley , Daniel Bauer , Jeff Savinda , Palma Buttles-Valdez , Matthew L. Collins , Elizabeth A. Monaco , Jamie L. Moyes , Denise M. Rousseau (Carnegie Mellon University)
This report describes how positive incentives complement traditional practices to provide a better balance for organizations' insider threat programs.
DOWNLOAD -
Update 2016: Considerations for Using Agile in DoD Acquisition
• Technical Note
By Dan Ward (Dan Ward Consulting) , Daniel Burton , Ray C. Williams , Charles (Bud) Hammons , Alfred Schenker , Mary Ann Lapham , Suzanne Miller
This report updates a 2010 technical note, addressing developments in commercial Agile practices as well as the Department of Defense (DoD) acquisition environment.
DOWNLOAD -
Scaling Agile Methods for Department of Defense Programs
• Technical Note
By Suzanne Miller , Peter Capell , Will Hayes , Eileen Wrubel , Mary Ann Lapham
This report discusses methods for scaling Agile processes to larger software development programs in the Department of Defense.
DOWNLOAD -
Low Cost Technical Solutions to Jump Start an Insider Threat Program
• Technical Note
By George Silowash , Michael J. Albrethsen , Derrick Spooner , Daniel L. Costa
This technical note explores free and low cost technical solutions to help organizations prevent, detect, and respond to malicious insiders.
DOWNLOAD -
RFP Patterns and Techniques for Successful Agile Contracting
• Special Report
By Peter Capell , Mary Ann Lapham , Keith Korzec , Larri Ann Rosser (Raytheon Intelligence Information and Services) , Steven Martin (Space and Missile Systems Center) , Thomas E. Friend (Agile On Target) , Greg Howard (MITRE) , Michael Ryan (BTAS) , John H. Norton III (Raytheon Integrated Defense Systems)
This report discusses request-for-proposal patterns and techniques for successfully contracting a federal Agile project.
DOWNLOAD -
Ultra-Large-Scale Systems: Socio-adaptive Systems
• White Paper
By Scott Hissam , Mark H. Klein , Lutz Wrage , Linda M. Northrop , Gabriel Moreno
Ultra-large-scale systems are interdependent webs of software, people, policies, and economics. In socio-adaptive systems, human and software interact as peers.
DOWNLOAD -
Cyber-Physical Systems
• White Paper
By Gabriel Moreno , Mark H. Klein , Scott Hissam , Bjorn Andersson , Jeffrey Hansen , John J. Hudak , David Kyle , Dionisio de Niz , Sagar Chaki
Cyber-physical systems (CPS) integrate computational algorithms and physical components. SEI promotes efficient development of high-confidence, distributed CPS.
DOWNLOAD -
Pervasive Mobile Computing
• White Paper
By Edwin J. Morris , Grace Lewis , Marc Novakouski , Jeff Boleng , James Edmondson , William Anderson , James Root , Ben W. Bradshaw
Pervasive mobile computing focuses on how soldiers and first responders can use smartphones, tablets, and other mobile/wearable devices at the tactical edge.
DOWNLOAD -
Predictability by Construction
• White Paper
By Scott Hissam , Gabriel Moreno , Linda M. Northrop , Kurt C. Wallnau , Sagar Chaki
Predictability by construction (PBC) makes the behavior of a component-based system predictable before implementation, based on known properties of components.
DOWNLOAD -
Blacklist Ecosystem Analysis: January – June, 2016
• White Paper
By Leigh B. Metcalf , Eric Hatleback
This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data …
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Testing the Identified Metrics
• White Paper
By Charles Weinstock , Bill Nichols , Sarah Sheard , Michael D. Konrad
This report describes a test of an algorithm for estimating the complexity of a safety argument.
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Estimating Complexity of a Safety Argument
• White Paper
By Michael D. Konrad , Sarah Sheard , Bill Nichols , Charles Weinstock
This report presents a formula for estimating the complexity of an avionics system and directly connects that complexity to the size of its safety argument.
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Identifying the Impact of Complexity on Safety
• White Paper
By Charles Weinstock , Donald Firesmith , Sarah Sheard , Michael D. Konrad
This report organizes our work on the impact of software complexity on aircraft safety by asking, “How can complexity complicate safety and, thus, certification?”
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Candidate Complexity Metrics
• White Paper
By Sarah Sheard , Bill Nichols
This special report identifies candidate measures of complexity for systems with embedded software that relate to safety, assurability, or both.
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Literature Search to Define Complexity for Avionics Systems
• White Paper
By Sarah Sheard , Michael D. Konrad
This special report describes the results of a literature review sampling what is known about complexity for application in the context of safety and assurance.
DOWNLOAD -
Seven Proposal-Writing Tips That Make Conference Program Committees Smile
• White Paper
By Mike Petock , Bill Pollak
Writing a great session proposal for a conference is difficult. Here are seven tips for writing a session proposal that will make reviewers go from frown to smile.
DOWNLOAD -
Definition and Measurement of Complexity in the Context of Safety Assurance
• Technical Report
By Sarah Sheard , Michael D. Konrad , Bill Nichols , Charles Weinstock
This report describes research to define complexity measures for avionics systems to help the FAA identify when systems are too complex to assure their safety.
DOWNLOAD -
Establishing Trusted Identities in Disconnected Edge Environments
• White Paper
By Keegan M. Williams , Sebastián Echeverría , Dan J. Klinedinst
The goal of this paper is to present a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field.
DOWNLOAD -
A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)
• Technical Note
By Jeffrey Pinckard , Robert A. Vrtis , Michael Rattigan
To help financial organizations assess cyber resilience, we map FFIEC Cybersecurity Assessment Tool (CAT) statements to Cyber Resilience Review (CRR) questions.
DOWNLOAD -
Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach
• White Paper
By Charles M. Wallen , John Haller
A resilience-based approach can help financial services organizations to manage cybersecurity risks from outsourcing and comply with federal regulations.
DOWNLOAD -
Agile Development in Government: Myths, Monsters, and Fables
• White Paper
By Suzanne Miller , Mary Ann Lapham , David J. Carney
This volume is a reflection on attitudes toward Agile software development now current in the government workplace.
DOWNLOAD -
Striving for Effective Cyber Workforce Development
• White Paper
By Marie Baker
This paper reviews the issue of cyber awareness, identifies efforts to combat this deficiency, and concludes with strategies moving forward.
DOWNLOAD -
Segment-Fixed Priority Scheduling for Self-Suspending Real-Time Tasks
• Technical Report
By Bjorn Andersson , Ragunathan (Raj) Rajkumar , Dionisio de Niz , Junsung Kim , Jian-Jia Chen , Wen-Hung Huang , Geoffrey Nelissen
This report describes schedulability analyses and proposes segment-fixed priority scheduling for self-suspending tasks.
DOWNLOAD -
Creating Centralized Reporting for Microsoft Host Protection Technologies: The Enhanced Mitigation Experience Toolkit (EMET)
• Technical Note
By Joseph Tammariello , Craig Lewis
This report describes how to set up a centralized reporting console for the Windows Enhanced Mitigation Experience Toolkit.
DOWNLOAD -
The QUELCE Method: Using Change Drivers to Estimate Program Costs
• Technical Note
By Sarah Sheard
This technical note introduces Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), a method for estimating program costs early in development.
DOWNLOAD -
Blacklist Ecosystem Analysis: 2016 Update
• White Paper
By Leigh B. Metcalf , Jonathan Spring , Eric Hatleback
This white paper, which is the latest in a series of regular updates, builds upon the analysis of blacklists presented in our 2013 and 2014 reports.
DOWNLOAD -
Architecture Fault Modeling and Analysis with the Error Model Annex, Version 2
• Technical Report
By John J. Hudak , David P. Gluch , Peter H. Feiler , Julien Delange
This report describes the Error Model Annex, Version 2 (EMV2), notation for architecture fault modeling, which supports safety, reliability, and security analyses.
DOWNLOAD -
A Requirement Specification Language for AADL
• Technical Report
By Julien Delange , Peter H. Feiler , Lutz Wrage
This report describes a textual requirement specification language, called ReqSpec, for the Architecture Analysis & Design Language (AADL) and demonstrates its use.
DOWNLOAD -
DMPL: Programming and Verifying Distributed Mixed-Synchrony and Mixed-Critical Software
• Technical Report
By David Kyle , Sagar Chaki
DMPL is a language for programming distributed real-time, mixed-criticality software. It supports distributed systems in which each node executes a set of periodic real-time threads that are scheduled by priority …
DOWNLOAD -
Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines
• Special Report
By Christopher J. Alberts , Carol Woody , Audrey J. Dorofee
This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element …
DOWNLOAD -
Report Writer and Security Requirements Finder: User and Admin Manuals
• Special Report
By Anand Sankalp (Carnegie Mellon University) , Gupta Anurag (Carnegie Mellon) , Priyam Swati (Carnegie Mellon University) , Yaobin Wen (Carnegie Mellon University) , Walid El Baroni (Carnegie Mellon University) , Nancy R. Mead
This report presents instructions for using the Malware-driven Overlooked Requirements (MORE) website applications.
DOWNLOAD -
Applying the Goal-Question-Indicator-Metric (GQIM) Method to Perform Military Situational Analysis
• Technical Note
By Douglas Gray
This report describes how to use the goal-question-indicator-metric method in tandem with the military METT-TC method (mission, enemy, time, terrain, troops available, and civil-military considerations).
DOWNLOAD -
An Insider Threat Indicator Ontology
• Technical Report
By Matthew L. Collins , Michael J. Albrethsen , Samuel J. Perl , Derrick Spooner , Daniel L. Costa , George Silowash
This report presents an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated.
DOWNLOAD -
Using Honeynets and the Diamond Model for ICS Threat Analysis
• Technical Report
By Deana Shick , Kyle O'Meara , John Kotheimer
This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure …
DOWNLOAD -
2016 State of Cybercrime Survey
• White Paper
This paper examines the current state of cybercrime and explores how organizations and individuals respond to cybercrime threats.
DOWNLOAD -
The QUELCE Method: Using Change Drivers to Estimate Program Costs
• White Paper
By Sarah Sheard
This report introduces the Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE) method for estimating program costs early in a development lifecycle.
DOWNLOAD -
A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology
• Technical Report
By Deana Shick , Kyle O'Meara
As they constantly change network infrastructure, adversaries consistently use and update their tools. This report presents a way for researchers to begin threat analysis with those tools rather than with …
DOWNLOAD -
On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle
• White Paper
By Dan J. Klinedinst , Christopher King
This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.
DOWNLOAD -
2016 Emerging Technology Domains Risk Survey
• Technical Report
By Christopher King , Dan J. Klinedinst , Todd Lewellen , Garret Wassermann
This 2016 report provides a snapshot of our current understanding of future technologies.
DOWNLOAD -
Malware Capability Development Patterns Respond to Defenses: Two Case Studies
• White Paper
By Kyle O'Meara , Deana Shick , Jonathan Spring , Ed Stoner
In this paper, the authors describe their analysis of two case studies to outline the relationship between adversaries and network defenders.
DOWNLOAD -
Cyber-Foraging for Improving Survivability of Mobile Systems
• Technical Report
By Ben W. Bradshaw , James Root , Sebastián Echeverría , Grace Lewis
This report presents an architecture and experimental results that demonstrate that cyber-foraging using tactical cloudlets increases the survivability of mobile systems.
DOWNLOAD -
CERT-RMM Version 1.2 Release Notes
• White Paper
This document contains the release notes for CERT-RMM Version 1.2, released February 2014.
DOWNLOAD -
DoD Software Factbook
• White Paper
By David Zubrow , James McCurley , Brad Clark
This DoD Factbook is an initial analysis of software engineering data from the perspective of policy and management questions about software projects.
DOWNLOAD -
Architecture-Led Safety Analysis of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
• Special Report
By Peter H. Feiler
This report summarizes an architecture-led safety analysis of the aircraft-survivability situation-awareness system for the Joint Multi-Role vertical lift program.
DOWNLOAD -
Requirements and Architecture Specification of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
• Special Report
By Peter H. Feiler
This report describes a method for capturing information from requirements documents in AADL and the draft Requirement Definition & Analysis Language Annex.
DOWNLOAD -
Potential System Integration Issues in the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
• Special Report
By Peter H. Feiler , John J. Hudak
This report describes a method for capturing information from requirements documents in AADL to identify potential integration problems early in system development.
DOWNLOAD -
Extending AADL for Security Design Assurance of Cyber-Physical Systems
• Technical Report
By John J. Hudak , Robert J. Ellison , Carol Woody , Allen D. Householder , Rick Kazman
This report demonstrates the viability and limitations of using the Architecture Analysis and Design Language (AADL) through an extended example that allows for specifying and analyzing the security properties of …
DOWNLOAD -
Cybersecurity Considerations for Vehicles
• White Paper
By Mark Sherman , Jens Palluch (Method Park)
In this paper the authors discuss the number of ECUs and software in modern vehicles and the need for cybersecurity to include vehicles.
DOWNLOAD -
Analytic Approaches to Detect Insider Threats
• White Paper
This paper identifies steps that organizations can use to enhance their security posture to detect potential insider threats.
DOWNLOAD -
Intelligence Preparation for Operational Resilience (IPOR)
• Special Report
By Douglas Gray
The author describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).
DOWNLOAD -
Evaluating and Mitigating the Impact of Complexity in Software Models
• Technical Report
By John J. Hudak , Bill Nichols , Jim McHale , Julien Delange , Min-Young Nam
This report defines software complexity, metrics for complexity, and the effects of complexity on cost and presents an analysis tool to measure complexity in models.
DOWNLOAD -
Cyber + Culture Early Warning Study
• Special Report
By Char Sample
This study was designed to profile cyber actors, and to examine the time interval between cyber and kinetic events in order to gain greater insights into nation-state cyber responses to …
DOWNLOAD -
Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls
• White Paper
By Matthew L. Collins , Michael C. Theis , Andrew P. Moore , Randall F. Trzeciak , William E. Novak
In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and seek to engage the community to discuss its concerns.
DOWNLOAD -
Structuring the Chief Information Security Officer Organization
• Technical Note
By Julia H. Allen , David Tobar , Nader Mehravari , Gregory Crabb (United States Postal Service) , Pamela D. Curtis , Brendan Fitzpatrick
The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.
DOWNLOAD -
Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution
• Technical Report
By Douglas Gray , Michael Riley (Veris Group) , Anne Connell , C. Aaron Cois , Robert W. Stoddard , Julia H. Allen , Brian D. Wisniewski , Erik Ebel (Veris Group) , William Gulley (Veris Group) , Marie Vaughn (Veris Group)
This technical report focuses on cybersecurity at the indirect, strategic level. It discusses how cybersecurity decision makers at the tactical or implementation level can establish a supportive contextual environment to …
DOWNLOAD -
Secure Coding Analysis of an AADL Code Generator's Runtime System
• White Paper
By David Keaton
This paper describes a secure coding analysis of the PolyORB-HI-C runtime system used by C language code output from the Ocarina AADL code generator.
DOWNLOAD -
Contracting for Agile Software Development in the Department of Defense: An Introduction
• Technical Note
By Eileen Wrubel , Jon Gross
This technical note addresses effective contracting for Agile software development and offers a primer on Agile based on a contracting officer's goals.
DOWNLOAD -
CND Equities Strategy
• White Paper
By Ed Stoner , Jonathan Spring
In this paper, the authors discuss strategies for successful computer network defense (CND) based on considering the adversaries' responses.
DOWNLOAD -
Comments on Bureau of Industry and Security (BIS) Proposed Rule Regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation for Intrusion and Surveillance Items
• White Paper
By Art Manion , Allen D. Householder
In this paper, CERT researchers comment on the proposed rule, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items.
DOWNLOAD -
Enabling Incremental Iterative Development at Scale: Quality Attribute Refinement and Allocation in Practice
• Technical Report
By Stephany Bellomo , Ipek Ozkaya , Robert Nord , Neil Ernst
This report describes industry practices used to develop business capabilities and suggests approaches to enable large-scale iterative development, or agile at scale.
DOWNLOAD -
State of Practice Report: Essential Technical and Nontechnical Issues Related to Designing SoS Platform Architectures
• Technical Report
By John Klein , Sholom G. Cohen
This report analyzes the state of the practice in system-of-systems (SoS) development, based on 12 interviews of leading SoS developers in the DoD and industry.
DOWNLOAD -
Emerging Technology Domains Risk Survey
• Technical Note
By Christopher King , Andrew O. Mellinger , Jonathan Chu
This report provides a snapshot in time of our current understanding of future technologies.
DOWNLOAD -
SCALe Analysis of JasPer Codebase
• White Paper
By David Svoboda
In this paper, David Svoboda provides the findings of a SCALe audit on a codebase.
DOWNLOAD -
Model-Driven Engineering: Automatic Code Generation and Beyond
• Technical Note
By John Klein , Harry L. Levinson , Jay Marchetti
This report offers guidance on selecting, analyzing, and evaluating model-driven engineering tools for automatic code generation in acquired systems.
DOWNLOAD -
Defining a Maturity Scale for Governing Operational Resilience
• Technical Note
By Audrey J. Dorofee , Michelle A. Valdez , Lisa R. Young , Katie C. Stewart , Julia H. Allen
Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.
DOWNLOAD -
SEI SPRUCE Project: Curating Recommended Practices for Software Producibility
• White Paper
By Mike Petock , Michael D. Konrad , Bill Pollak , B. Craig Meyers , Tamara Marshall-Keim , Gerald W. Miller
This paper describes the Systems and Software Producibility Collaboration Environment (SPRUCE) project and the resulting recommended practices on five software topics.
DOWNLOAD -
Improving Quality Using Architecture Fault Analysis with Confidence Arguments
• Technical Report
By Charles Weinstock , John B. Goodenough , Ari Z. Klein , Julien Delange , Peter H. Feiler , Neil Ernst
The case study shows that by combining an analytical approach with confidence maps, we can present a structured argument that system requirements have been met and problems in the design …
DOWNLOAD -
Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets
• Technical Report
By William Klieber , Lori Flynn , William Snavely , Jonathan Burket , Jonathan Lim , Wei Shen
In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.
DOWNLOAD -
Eliminative Argumentation: A Basis for Arguing Confidence in System Properties
• Technical Report
By Ari Z. Klein , John B. Goodenough , Charles Weinstock
This report defines the concept of eliminative argumentation and provides a basis for assessing how much confidence one should have in an assurance case argument.
DOWNLOAD -
A Proven Method for Meeting Export Control Objectives in Postal and Shipping Sectors
• Technical Note
By Pamela D. Curtis , Gregory Crabb (United States Postal Service) , Nader Mehravari , Julia H. Allen
This report describes how the CERT-RMM enabled the USPIS to implement an innovative approach for achieving complex international mail export control objectives.
DOWNLOAD -
Measuring What Matters Workshop Report
• Technical Note
By Julia H. Allen , Katie C. Stewart , Michelle A. Valdez , Lisa R. Young
This report describes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.
DOWNLOAD -
A Dynamic Model of Sustainment Investment
• Technical Report
By Sarah Sheard , Mike Phillips , Andrew P. Moore , Robert Ferguson
This paper describes a dynamic sustainment model that shows how budgeting, allocation of resources, mission performance, and strategic planning are interrelated and how they affect each other over time.
DOWNLOAD -
Cybersecurity Assurance
• White Paper
This paper describes the SEI research and solutions that help organizations gain justified confidence in their cybersecurity posture.
DOWNLOAD -
Blacklist Ecosystem Analysis Update: 2014
• White Paper
By Jonathan Spring , Leigh B. Metcalf
This white paper compares the contents of 85 different Internet blacklists to discover patterns in shared entries.
DOWNLOAD -
Predicting Software Assurance Using Quality and Reliability Measures
• Technical Note
By Bill Nichols , Carol Woody , Robert J. Ellison
In this report, the authors discuss how a combination of software development and quality techniques can improve software security.
DOWNLOAD -
Regional Use of Social Networking Tools
• Technical Report
By Kate Meeuf
This paper explores the regional use of social networking services (SNSs) to determine if participation with a subset of SNSs can be applied to identify a user's country of origin.
DOWNLOAD -
Domain Parking: Not as Malicious as Expected
• White Paper
By Leigh B. Metcalf , Jonathan Spring
In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be …
DOWNLOAD -
Pattern-Based Design of Insider Threat Programs
• Technical Note
By Andrew P. Moore , Robin Ruefle , Dave Mundie , David McIntire , Matthew L. Collins
In this report, the authors describe a pattern-based approach to designing insider threat programs that could provide a better defense against insider threats.
DOWNLOAD -
Introduction to the Security Engineering Risk Analysis (SERA) Framework
• Technical Note
By Audrey J. Dorofee , Carol Woody , Christopher J. Alberts
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
DOWNLOAD -
Using Malware Analysis to Tailor SQUARE for Mobile Platforms
• Technical Note
By Nancy R. Mead , Gregory Paul Alice
This technical note explores the development of security requirements for the K-9 Mail application, an open source email client for the Android operating system.
DOWNLOAD -
A Method for Aligning Acquisition Strategies and Software Architectures
• Technical Note
By Patrick R. Place , David J. Carney , Cecilia Albert , Lisa Brownsword
This report describes the third year of the SEI's research into aligning acquisition strategies and software architecture.
DOWNLOAD -
Agile Methods in Air Force Sustainment: Status and Outlook
• Technical Note
By Eileen Wrubel , Mary Ann Lapham , Colleen Regan , Stephen Beck , Michael S. Bandor
This paper examines using Agile techniques in the software sustainment arena—specifically Air Force programs. The intended audience is the staff of DoD programs and related personnel who intend to use …
DOWNLOAD -
Development of an Intellectual Property Strategy: Research Notes to Support Department of Defense Programs
• Special Report
By Charlene Gross
This report is intended to help program managers understand categories of intellectual property, various intellectual property challenges, and approaches to assessing the license rights that the program needs for long-term …
DOWNLOAD -
AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment
• Technical Report
By John J. Hudak , David P. Gluch , Julien Delange , Peter H. Feiler
This report describes how the Architecture Analysis and Design Language (AADL) Error Model Annex supports the safety-assessment methods in SAE Standard ARP4761.
DOWNLOAD -
CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0)
• Technical Note
By Nader Mehravari , Julia H. Allen , Sam Lin , Dawn Wilkes , Gregory Crabb (United States Postal Service) , Pamela D. Curtis
This report describes a new process area that ensures that international mail is transported according to Universal Postal Union standards.
DOWNLOAD -
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0)
• Technical Note
By Pamela D. Curtis , Gregory Crabb (United States Postal Service) , Julia H. Allen , David W. White , Nader Mehravari
This report describes a new process area that ensures that the USPS is compensated for mail that is accepted, transported, and delivered.
DOWNLOAD -
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0)
• Technical Note
By Nader Mehravari , David W. White , Julia H. Allen , Pamela D. Curtis , Gregory Crabb (United States Postal Service)
This report describes a new process area that ensures that mail is inducted into the U.S. domestic mail stream according to USPS standards and requirements.
DOWNLOAD -
Smart Collection and Storage Method for Network Traffic Data
• Technical Report
By Angela Horneman , Nathan Dell
This report discusses considerations and decisions to be made when designing a tiered network data storage solution.
DOWNLOAD -
A Systematic Approach for Assessing Workforce Readiness
• Technical Report
By Christopher J. Alberts , David McIntire
In this report, the authors present the Competency Lifecycle Roadmap and the readiness test development method, both used to maintain workforce readiness.
DOWNLOAD -
Assuring Software Reliability
• Special Report
By Robert J. Ellison
This report describes ways to incorporate the analysis of the potential impact of software failures--regardless of their cause--into development and acquisition practices through the use of software assurance.
DOWNLOAD -
Patterns and Practices for Future Architectures
• Technical Note
By Eric Werner , Scott McMillan , Jonathan Chu
This report discusses best practices and patterns that will make high-performance graph analytics on new and emerging architectures more accessible to users.
DOWNLOAD -
Abuse of Customer Premise Equipment and Recommended Actions
• White Paper
By Jonathan Spring , Paul Vixie , Chris Hallenbeck
In this paper, the authors provide recommendations for addressing problems related to poor management of Customer Premise Equipment (CPE).
DOWNLOAD -
Performance of Compiler-Assisted Memory Safety Checking
• Technical Note
By David Keaton , Robert C. Seacord
This technical note describes the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely …
DOWNLOAD -
Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector
• Technical Note
By CERT Insider Threat Team
This report analyzes unintentional insider threat cases of phishing and other social engineering attacks involving malware.
DOWNLOAD -
Evaluation of the Applicability of HTML5 for Mobile Applications in Resource-Constrained Edge Environments
• Technical Note
By Bryan Yan (Carnegie Mellon University – Institute for Software Research) , Grace Lewis
This technical note presents an analysis of the feasibility of using HTML5 for developing mobile applications, for "edge" environments where resources and connectivity are uncertain, such as in battlefield or …
DOWNLOAD -
Agile Software Teams: How They Engage with Systems Engineering on DoD Acquisition Programs
• Technical Note
By Mary Ann Lapham , Suzanne Miller , Eileen Wrubel , Timothy A. Chick
This technical note addresses issues with Agile software teams engaging systems engineering functions in developing and acquiring software-reliant systems.
DOWNLOAD -
Improving the Automated Detection and Analysis of Secure Coding Violations
• Technical Note
By Daniel Plakosh , Robert W. Stoddard , Robert C. Seacord , David Zubrow , David Svoboda
This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.
DOWNLOAD -
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 2
• Technical Note
By Mary Popeck , Lisa R. Young , Kevin G. Partridge
This update to Version 1 of this same title (CMU/SEI-2011-TN-028) maps CERT-RMM process areas to certain NIST 800-series special publications.
DOWNLOAD -
The Business Case for Systems Engineering: Comparison of Defense Domain and Non-defense Projects
• Special Report
By Dennis Goldenson , Joseph P. Elm
This report analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness.
DOWNLOAD -
Job Analysis Results for Malicious-Code Reverse Engineers: A Case Study
• Technical Report
By Jennifer Cowley
This report describes individual and team factors that enable, encumber, or halt the development of malicious-code reverse engineering expertise.
DOWNLOAD -
An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)
• Technical Note
By Audrey J. Dorofee , Christopher J. Alberts , Robin Ruefle , Mark Zajicek
The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.
DOWNLOAD -
A Taxonomy of Operational Cyber Security Risks Version 2
• Technical Note
By James J. Cebula , Mary Popeck , Lisa R. Young
This second version of the 2010 report presents a taxonomy of operational cyber security risks and harmonizes it with other risk and security activities.
DOWNLOAD -
An Evaluation of A-SQUARE for COTS Acquisition
• Technical Note
By Sidhartha Mani , Nancy R. Mead
An evaluation of the effectiveness of Software Quality Requirements Engineering for Acquisition (A-SQUARE) in a project to select a COTS product for the advanced metering infrastructure of a smart grid.
DOWNLOAD -
Investigating Advanced Persistent Threat 1 (APT1)
• Technical Report
By Deana Shick , Angela Horneman
This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure.
DOWNLOAD -
Precise Static Analysis of Taint Flow for Android Application Sets
• White Paper
By Amar S. Bhosale (No Affiliation)
This thesis describes a static taint analysis for Android that combines the FlowDroid and Epicc analyses to track inter- and intra-component data flow.
DOWNLOAD -
Data-Driven Software Assurance: A Research Study
• Technical Report
By Julia L. Mullaney , Erin Harper , Michael D. Konrad , Art Manion , Bill Nichols , Andrew P. Moore , Michael F. Orlando
In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.
DOWNLOAD -
ALTernatives to Signatures (ALTS)
• White Paper
By George Jones , John Stogoski
This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.
DOWNLOAD -
Potential Use of Agile Methods in Selected DoD Acquisitions: Requirements Development and Management
• Technical Note
By Kenneth Nidiffer , David J. Carney , Suzanne Miller
This report explores issues that practitioners in the field who are actively adopting Agile methods have identified in our interviews about their experience in defining and managing requirements.
DOWNLOAD -
The Readiness & Fit Analysis: Is Your Organization Ready for Agile?
• White Paper
By Suzanne Miller
This paper summarizes the Readiness & Fit Analysis and describes its extension to support risk identification for organizations that are adopting agile methods.
DOWNLOAD -
International Implementation of Best Practices for Mitigating Insider Threat: Analyses for India and Germany
• Technical Report
By Lori Flynn , Tracy Cassidy , Michael C. Theis , Randall F. Trzeciak , George Silowash , Carly L. Huth , Palma Buttles-Valdez , Travis Wright (Carnegie Mellon University, Master of Science in Information Security Policy and Management Program)
This report analyzes insider threat mitigation in India and Germany, using the new framework for international cybersecurity analysis described in the paper titled “Best Practices Against Insider Threats in All …
DOWNLOAD -
Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
• Special Report
By The WEA Project Team
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance …
DOWNLOAD -
Maximizing Trust in the Wireless Emergency Alerts (WEA) Service
• Special Report
By Robert J. Ellison , Carol Woody
This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert …
DOWNLOAD -
Wireless Emergency Alerts: Trust Model Simulations
• Special Report
By Timothy Morrow , Joseph P. Elm , Robert W. Stoddard
This report presents four types of simulations run on the public trust model and the alert originator trust model developed for the Wireless Emergency Alerts (WEA) service, focusing on how …
DOWNLOAD -
Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy
• Technical Report
By The WEA Project Team
This report presents the Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy, a hierarchical classification that encompasses four elements of the alerting pipeline, to help stakeholders understand and reason about …
DOWNLOAD -
Best Practices in Wireless Emergency Alerts
• Special Report
By Elizabeth Trocki Stark (SRA International, Inc.) , Jennifer Lavan (SRA International, Inc.) , Tamara Marshall-Keim , Robert J. Ellison , John McGregor , Rita C. Creel , Joseph P. Elm , Carol Woody , Christopher J. Alberts
This report presents four best practices for the Wireless Emergency Alerts (WEA) service, including implementing WEA in a local jurisdiction, training emergency staff in using WEA, cross-jurisdictional governance of WEA, …
DOWNLOAD -
Study of Integration Strategy Considerations for Wireless Emergency Alerts
• Special Report
By The WEA Project Team
This report identifies key challenges and offers recommendations for alert originators navigating the process of adopting and integrating the Wireless Emergency Alerts (WEA) service into their emergency management systems.
DOWNLOAD -
Results in Relating Quality Attributes to Acquisition Strategies
• Technical Note
By David J. Carney , Patrick R. Place , Cecilia Albert , Lisa Brownsword
This technical note describes the second phase of a study that focuses on the relationships between software architecture and acquisition strategy -- more specifically, their alignment or misalignment.
DOWNLOAD -
Agile Metrics: Progress Monitoring of Agile Contractors
• Technical Note
By Suzanne Miller , Will Hayes , Eileen Wrubel , Mary Ann Lapham , Timothy A. Chick
This technical note offers a reference for those working to oversee software development on the acquisition of major systems from developers using Agile methods.
DOWNLOAD -
Agile Methods and Request for Change (RFC): Observations from DoD Acquisition Programs
• Technical Note
By Michael S. Bandor , Mary Ann Lapham , Eileen Wrubel
This technical note looks at the evaluation and negotiation of technical proposals that reflect iterative development approaches that in turn leverage Agile methods.
DOWNLOAD -
Unintentional Insider Threats: Social Engineering
• Technical Note
By CERT Insider Threat Center
In this report, the authors explore the unintentional insider threat (UIT) that derives from social engineering.
DOWNLOAD -
Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using the CERT® Resilience Management Model
• Technical Note
By Julia H. Allen , Nader Mehravari , Pamela D. Curtis , Gregory Crabb (United States Postal Service)
In this report, the authors describe how to improve the resilience of U.S. Postal Service products and services.
DOWNLOAD -
A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure
• Technical Note
By Pamela D. Curtis , Gregory Crabb (United States Postal Service) , Nader Mehravari , Julia H. Allen
In this report, the authors describe a method of identifying physical security gaps in international mail processing centers and similar facilities.
DOWNLOAD -
Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase II, Expanded Analysis and Recommendations
• Technical Note
By Lori Flynn , Chas DiFatta (No Affiliation) , Greg Porter (Heinz College at Carnegie Mellon University)
In this report, the authors discuss the countermeasures that cloud service providers use and how they understand the risks posed by insiders.
DOWNLOAD -
TSP Symposium 2013 Proceedings
• Special Report
By Sergio Cardona (Universidad del Quindío) , Leticia Pérez (Universidad de la República) , Rafael Rincón (Universidad EAFIT) , Mushtaq Raza (University of Porto) , Pedro C. Henriques (Strongstep – Innovation in Software Quality) , Fernanda Grazioli (Universidad de la República) , Silvana Moreno (Universidad de la República) , Diego Vallespir (Universidad de la República) , João Pascoal Faria (University of Porto) , Bill Nichols , Jim McHale
This special report contains proceedings of the 2013 TSP Symposium. The conference theme was “When Software Really Matters,” which explored the idea that when product quality is critical, high-quality practices …
DOWNLOAD -
Understanding Patterns for System-of-Systems Integration
• Technical Report
By Rick Kazman , Klaus Schmid , Claus Nielsen (No Affiliation)
This report discusses how a software architect can address the system-of-systems integration challenge from an architectural perspective.
DOWNLOAD -
Foundations for Software Assurance
• White Paper
By Dan Shoemaker (University of Detroit Mercy) , Carol Woody , Nancy R. Mead
In this paper, the authors highlight efforts to address the principles of software assurance and its educational curriculum.
DOWNLOAD -
The Topological Properties of the Local Clustering Coefficient
• White Paper
By Leigh B. Metcalf
In this paper, Leigh Metcalf examines the local clustering coefficient for and provides a new formula to generate the local clustering coefficient.
DOWNLOAD -
Using Software Development Tools and Practices in Acquisition
• Technical Note
By Harry L. Levinson , Richard Librizzi
This technical note provides an introduction to key automation and analysis techniques.
DOWNLOAD -
Spotlight On: Programmers as Malicious Insiders–Updated and Revised
• White Paper
By Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University) , Randall F. Trzeciak , Andrew P. Moore , Matthew L. Collins , Dawn Cappelli
In this paper, the authors describe the who, what, when, where, and how of attacks by insiders using programming techniques and include case examples.
DOWNLOAD -
Software Assurance Measurement – State of the Practice
• Technical Note
By Dan Shoemaker (University of Detroit Mercy) , Nancy R. Mead
In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.
DOWNLOAD -
A Defect Prioritization Method Based on the Risk Priority Number
• White Paper
By Will Hayes , Julie B. Cohen , Robert Ferguson
This paper describes a technique that helps organizations address and resolve conflicting views and create a better value system for defining releases.
DOWNLOAD -
Agile Security - Review of Current Research and Pilot Usage
• White Paper
By Carol Woody
This white paper was produced to focus attention on the opportunities and challenges for embedding information assurance considerations into Agile development and acquisition.
DOWNLOAD -
Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase I
• Technical Note
By Greg Porter (Heinz College at Carnegie Mellon University)
In this report, Greg Porter documents preliminary findings from interviews with cloud service providers on their insider threat controls.
DOWNLOAD -
Mobile SCALe: Rules and Analysis for Secure Java and Android Coding
• Technical Report
By Fred Long , Limin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering) , Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering) , William Klieber , Lori Flynn , David Svoboda , Dean Sutherland
In this report, the authors describe Android secure coding rules, guidelines, and static analysis developed as part of the Mobile SCALe project.
DOWNLOAD -
Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale
• Technical Note
By Matthew J. Butkovic , Richard A. Caralli
In this report, the authors review the specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed.
DOWNLOAD -
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication 800-66 Crosswalk
• Technical Note
By Lisa R. Young , Ma-Nyahn Kromah (SunGard Availability Services)
In this report, the authors map CERT-RMM process areas to key activities in NIST Special Publication 800-66 Revision 1.
DOWNLOAD -
Passive Detection of Misbehaving Name Servers
• Technical Report
By Leigh B. Metcalf , Jonathan Spring
In this report, the authors explore name-server flux and two types of data that can reveal it.
DOWNLOAD -
Insider Threat Control: Using Plagiarism Detection Algorithms to Prevent Data Exfiltration in Near Real Time
• Technical Note
By George Silowash , Todd Lewellen , Daniel L. Costa
In this report, the authors describe how an insider threat control can monitor an organization's web request traffic for text-based data exfiltration.
DOWNLOAD -
Introduction to the Mission Thread Workshop
• Technical Report
By Timothy Morrow , William Wood , Michael J. Gagliardi
This report introduces the Mission Thread Workshop, a method for understanding architectural and engineering considerations for developing and sustaining systems of systems. It describes the three phases of the workshop …
DOWNLOAD -
Parallel Worlds: Agile and Waterfall Differences and Similarities
• Technical Note
By Suzanne Miller , Ipek Ozkaya , Mary Ann Lapham , Steve Palmquist , Timothy A. Chick
This report helps readers understand Agile. The report assembles terms and concepts from both the traditional world of waterfall-based development and the Agile environment to show the many similarities and …
DOWNLOAD -
Everything You Wanted to Know About Blacklists But Were Afraid to Ask
• White Paper
By Leigh B. Metcalf , Jonathan Spring
This document compares the contents of 25 different common public-internet blacklists in order to discover any patterns in the shared entries.
DOWNLOAD -
Roadmap to Software Assurance Competency
• White Paper
This white paper describes the Software Assurance (SwA) Core Body of Knowledge and SwA competency levels.
DOWNLOAD -
TSP Performance and Capability Evaluation (PACE): Customer Guide
• Special Report
By Mark Kasunic , Bill Nichols , Timothy A. Chick
This guide describes the evaluation process and lists the steps organizations and programs must complete to earn a TSP-PACE certification.
DOWNLOAD -
TSP Performance and Capability Evaluation (PACE): Team Preparedness Guide
• Special Report
By Timothy A. Chick , Bill Nichols , Mark Kasunic
This document describes the TSP team data that teams normally produce and that are required as input to the TSP-PACE process.
DOWNLOAD -
Best Practices Against Insider Threats in All Nations
• Technical Note
By Randall F. Trzeciak , Lori Flynn , Palma Buttles-Valdez , Carly L. Huth
In this report, the authors summarize best practices for mitigating insider threats in international contexts.
DOWNLOAD -
The Role of Computer Security Incident Response Teams in the Software Development Life Cycle
• White Paper
By Robin Ruefle
In this paper, Robin Ruefle describes how incident management can provide input to the software development process.
DOWNLOAD -
State of Cyber Workforce Development
• White Paper
By Marie Baker
This paper summarizes the current posture of the cyber workforce and several initiatives designed to strengthen, grow, and retain cybersecurity professionals.
DOWNLOAD -
Training and Awareness
• White Paper
By Carol Sledge , Ken Van Wyk (No Affiliation)
In this paper, the authors provide guidance on training and awareness opportunities in the field of software security.
DOWNLOAD -
Evidence of Assurance: Laying the Foundation for a Credible Security Case
• White Paper
By Charles Weinstock , Howard F. Lipson
In this paper, the authors provide examples of several of the kinds of evidence that can contribute to a security case.
DOWNLOAD -
Security and Project Management
• White Paper
By Robert J. Ellison
In this paper, Robert Ellison explains what project managers should consider in relation to security needs.
DOWNLOAD -
An Evaluation of Cost-Benefit Using Security Requirements Prioritization Methods
• White Paper
By Nancy R. Mead , Travis Christian
In this paper, the authors provide background information on penetration testing processes and practices.
DOWNLOAD -
Unintentional Insider Threats: A Foundational Study
• Technical Note
By CERT Insider Threat Team
In this report, the CERT Insider Threat team examines unintentional insider threat (UIT), a largely unrecognized problem.
DOWNLOAD -
Teaching Security Requirements Engineering Using SQUARE
• White Paper
By Nancy R. Mead , Dan Shoemaker (University of Detroit Mercy) , Jeff Ingalsbe (University of Detroit Mercy)
In this paper, the authors detail the validation of a teaching model for security requirements engineering that ensures that security is built into software.
DOWNLOAD -
Trustworthy Composition: The System Is Not Always the Sum of Its Parts
• White Paper
By Robert J. Ellison
In this paper, Robert Ellison surveys several profound technical problems faced by practitioners assembling and integrating secure and survivable systems.
DOWNLOAD -
Development of a Master of Software Assurance Reference Curriculum - 2013 IJSSE
• White Paper
By James McDonald (Monmouth University) , Mark A. Ardis (Stevens Institute of Technology) , Thomas B. Hilburn (Embry-Riddle Aeronautical University) , Andrew J. Kornecki (Embry-Riddle Aeronautical University) , Richard C. Linger (Oak Ridge National Laboratory) , Nancy R. Mead , Julia H. Allen
In this paper, the authors present an overview of the Master of Software Assurance curriculum, including its history, student prerequisites, and outcomes.
DOWNLOAD -
Strengthening Ties Between Process and Security
• White Paper
By Carol Woody
In this paper, Carol Woody summarizes recent key accomplishments, including harmonizing security practices with CMMI and using assurance cases.
DOWNLOAD -
Estimating Benefits from Investing in Secure Software Development
• White Paper
By Ashish Arora , Rahul Telang , Steven Frank
In this paper, the authors discuss the costs and benefits of incorporating security in software development and present formulas for calculating security costs and security benefits.
DOWNLOAD -
What Measures Do Vendors Use for Software Assurance?
• White Paper
By Jeremy Epstein
In this paper, Jeremy Epstein examines what real vendors do to ensure that their products are reasonably secure.
DOWNLOAD -
The Development of a Graduate Curriculum for Software Assurance
• White Paper
By Nancy R. Mead , Mark A. Ardis (Stevens Institute of Technology)
In this paper, the authors describe the work of the Master of Software Assurance curriculum project, including sources, process, products, and more.
DOWNLOAD -