Technical Papers
The SEI Digital Library houses thousands of technical papers and other documents, ranging from SEI Technical Reports on groundbreaking research to conference proceedings, survey results, and source code.
Filter by
-
Counter AI: What Is It and What Can You Do About It?
• White Paper
By Nathan M. VanHoudnos, Shing-hon Lau, Carol J. Smith, Matt Churilla, Lauren McIlvenny, Greg Touhill
This paper describes counter artificial intelligence (AI) and provides recommendations on what can be done about it.
DOWNLOAD -
Lessons Learned in Coordinated Disclosure for Artificial Intelligence and Machine Learning Systems
• White Paper
By Matt Churilla, Jeff Havrilla, Vijay S. Sarvepalli, Andrew Kompanek, Lauren McIlvenny, Nathan M. VanHoudnos, Shing-hon Lau, Lena Pons, Allen D. Householder
In this paper, the authors describe lessons learned from coordinating AI and ML vulnerabilities at the SEI's CERT/CC.
DOWNLOAD -
On the Design, Development, and Testing of Modern APIs
• White Paper
By Alejandro Gomez, Alex Vesey
This white paper discusses the design, desired qualities, development, testing, support, and security of modern application programming interfaces (APIs).
DOWNLOAD -
A Model Problem for Assurance Research: An Autonomous Humanitarian Mission Scenario
• Technical Note
By Anton Hristozov, John E. Robert, Mark H. Klein, Gabriel Moreno
This report describes a model problem to support research in large-scale assurance.
DOWNLOAD -
Application Programming Interface (API) Vulnerabilities and Risks
• Special Report
By McKinley Sconiers-Hasan
This report describes 11 common vulnerabilities and 3 risks related to application programming interfaces, providing suggestions about how to fix or reduce their impact.
DOWNLOAD -
Software Bill of Materials (SBOM) Considerations for Operational Test & Evaluation Activities
• White Paper
By Michael S. Bandor
This white paper looks at the background and history of SBOMs as well as the general questions and challenges for use with Operational Test & Evaluation activities.
DOWNLOAD -
Reachability of System Operation Modes in AADL
• Technical Report
By Lutz Wrage
This report presents an algorithm that constructs the set of reachable SOMs for a given AADL model and the transitions between them.
DOWNLOAD -
Explainable Verification: Survey, Situations, and New Ideas
• White Paper
By Bjorn Andersson, Dionisio de Niz, Mark H. Klein
This report focuses on potential changes in software development practice and research that would help tools used for formal methods explain their output, making software practitioners more likely to trust …
DOWNLOAD -
Zero Trust Industry Days 2024: Request for Information (RFI)
• White Paper
By The Software Engineering Institute
This request for information (RFI) was created for Zero Trust Industry Days 2024, where developers presented zero trust solutions, shared information, and discussed alternatives.
DOWNLOAD -
Zero Trust Industry Days 2024 Scenario: Secluded Semiconductors, Inc.
• White Paper
By Rhonda Brown
This scenario guides discussions of solutions submitted to address the challenges of implementing zero trust.
DOWNLOAD -
Considerations for Evaluating Large Language Models for Cybersecurity Tasks
• White Paper
By Girish Sastry (OpenAI), Samuel J. Perl, Joel Parish (OpenAI), Jeff Gennari, Shing-hon Lau
In this paper, researchers from the SEI and OpenAI explore the opportunities and risks associated with using large language models (LLMs) for cybersecurity tasks.
DOWNLOAD -
Navigating Capability-Based Planning: The Benefits, Challenges, and Implementation Essentials
• White Paper
By William Nichols, Anandi Hira
Based on industry and government sources, this paper summarizes the benefits and challenges of implementing Capability-Based Planning (CBP).
DOWNLOAD -
Encoding Verification Arguments to Analyze High-Level Design Certification Claims: Experiment Zero (E0)
• White Paper
By Floyd Fazi (Lockheed Martin Corporation), Ronald Koontz (Boeing Company), Gordon Putsche (The Boeing Company), David Tate (Institute of Defense Analysis), Douglas Schmidt (Vanderbilt University), Daniel Shapiro (Institute of Defense Analysis), Jonathan Preston (Lockheed Martin Corporation), George Romanski (Federal Aviation Administration), Hyoseung Kim (University of California, Riverside), John Lehoczky (Carnegie Mellon University), Mark H. Klein, Bjorn Andersson, Dionisio de Niz
This paper discusses whether automation of certification arguments can identify problems that occur in real systems.
DOWNLOAD -
The Measurement Challenges in Software Assurance and Supply Chain Risk Management
• White Paper
By Scott Hissam, Carol Woody, Nancy R. Mead
This paper recommends an approach for developing and evaluating cybersecurity metrics for open source and other software in the supply chain.
DOWNLOAD -
Report to the Congressional Defense Committees on National Defense Authorization Act (NDAA) for Fiscal Year 2022 Section 835 Independent Study on Technical Debt in Software-Intensive Systems
• Technical Report
By Brigid O'Hearn, Julie B. Cohen, Forrest Shull, Ipek Ozkaya
This independent study of technical debt in software-intensive systems was sent to Congress in December 2023 to satisfy the requirements of NDAA Section 835.
DOWNLOAD -
Assessing Opportunities for LLMs in Software Engineering and Acquisition
• White Paper
By James Ivers, Ipek Ozkaya, Julie B. Cohen, Shen Zhang, Stephany Bellomo
This white paper examines how decision makers, such as technical leads and program managers, can assess the fitness of large language models (LLMs) to address software engineering and acquisition needs.
DOWNLOAD -
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk (Expanded Set of Practices)
• Technical Note
By Christopher J. Alberts, Charles M. Wallen, Carol Woody, Michael S. Bandor
This framework of practices helps programs coordinate their management of engineering and supply chain risks across the systems lifecycle.
DOWNLOAD -
Simulating Realistic Human Activity Using Large Language Model Directives
• Technical Report
By Dustin D. Updyke, Sean Huff, Thomas G. Podnar
The authors explore how activities generated from the GHOSTS Framework’s NPC client compare to activities produced by GHOSTS’ default behavior and LLMs.
DOWNLOAD -
Why Your Software Cost Estimates Change Over Time and How DevSecOps Data Can Help Reduce Cost Risk
• White Paper
By Julie B. Cohen
Early software cost estimates are often off by over 40%; this paper discusses how programs must continually update estimates as more information becomes available.
DOWNLOAD -
A Retrospective in Engineering Large Language Models for National Security
• White Paper
By Angelique McDowell, Shannon Gallagher, Andrew O. Mellinger, Jasmine Ratchford, Nick Winski, Eric Heim, Nathan M. VanHoudnos, Hollen Barmer, Swati Rallapalli, William Nichols, Bryan Brown, Tyler Brooks
This document discusses the findings, recommendations, and lessons learned from engineering a large language model for national security use cases.
DOWNLOAD -
U.S. Leadership in Software Engineering and AI Engineering
• White Paper
By Anita Carleton, Forrest Shull, Douglas Schmidt (Vanderbilt University), Erin Harper, Ipek Ozkaya, John E. Robert
A joint SEI/NITRD workshop will advance U.S. national interests through software and AI engineering and accelerate progress across virtually all scientific domains.
DOWNLOAD -
A Holistic View of Architecture Definition, Evolution, and Analysis
• Technical Report
By Sebastián Echeverría, James Ivers, Rick Kazman
This report focuses on performing architectural decisions and architectural analysis, spanning multiple quality attributes, in a sustainable and ongoing way.
DOWNLOAD -
Emerging Technologies: Seven Themes Changing the Future of Software in the DoD
• White Paper
By Shen Zhang, Michael Abad-Santos, Scott Hissam
This report summarizes the SEI's Emerging Technologies Study (ETS) and identifies seven emerging technologies to watch in software engineering practices and technology.
DOWNLOAD -
Demonstrating the Practical Utility and Limitations of ChatGPT Through Case Studies
• White Paper
By Alejandro Gomez, Dominic A. Ross, Matthew Walsh, Clarence Worrell
In this study, SEI researchers conducted four case studies using GPT-3.5 to assess the practical utility of large language models such as ChatGPT.
DOWNLOAD -
Software Excellence Through the Agile High Velocity Development℠ Process
• Technical Report
By Stephen Shook (Ishpi Information Technologies, Inc.), Barti K. Perini (Ishpi Information Technologies, Inc.)
The High Velocity Development℠ process earned Ishpi Information Technologies, Inc. the 2023 Watts Humphrey Software Quality Award.
DOWNLOAD -
Coding the Future: Recommendations for Defense Software R&D
• White Paper
By Software Engineering Institute
This report outlines the key recommendations from the November 2022 workshop "Software as a Modernization Priority."
DOWNLOAD -
Engineering of Edge Software Systems: A Report from the November 2022 SEI Workshop on Software Systems at the Edge
• White Paper
By Ipek Ozkaya, Kevin A. Pitstick, Grace Lewis
Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for engineering software systems at the edge.
DOWNLOAD -
Software Bill of Materials Framework: Leveraging SBOMs for Risk Reduction
• White Paper
By Charles M. Wallen, Carol Woody, Michael S. Bandor, Christopher J. Alberts
This paper is a Software Bill of Materials (SBOM) Framework that is a starting point for expanding the use of SBOMs for managing software and systems risk.
DOWNLOAD -
Generative AI: Key Opportunities and Research Challenges
• White Paper
By Software Engineering Institute
This 2023 workshop report identifies DoD use cases for generative AI and discusses meeting challenges and needs such as investing in guardrails and responsible AI amid a race to capability.
DOWNLOAD -
Securing UEFI: An Underpinning Technology for Computing
• White Paper
By Vijay S. Sarvepalli
This paper highlights the technical efforts to secure the UEFI-based firmware that serves as a foundational piece of modern computing environments.
DOWNLOAD -
Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure
• Technical Report
By Timothy A. Chick, Nataliya Shevchenko, Scott Pavetti
This report describes how analysts can use a model-based systems engineering (MBSE) approach to detect and mitigate cybersecurity risks to a DevSecOps pipeline.
DOWNLOAD -
A Strategy for Component Product Lines: Report 2: Specification Modeling for Components in a Component Product Line
• Special Report
By Sholom G. Cohen, John J. Hudak, John McGregor
This report introduces the “model chain” concept for specifying a component product line and realizing architecture requirements through the creation–evolution process.
DOWNLOAD -
A Strategy for Component Product Lines: Report 3: Component Product Line Governance
• Special Report
By Sholom G. Cohen, Alfred Schenker
This report provides guidance for the community involved with developing and sustaining product lines of components used by the U.S. government.
DOWNLOAD -
Program Managers—The DevSecOps Pipeline Can Provide Actionable Data
• White Paper
By Bill Nichols, Julie B. Cohen
This paper describes the Automated Continuous Estimation for a Pipeline of Pipelines research project, which automates data collection to track program progress.
DOWNLOAD -
Zero Trust Industry Day 2022: Areas of Future Research
• White Paper
By Trista Polaski, Timothy Morrow, Matthew Nicolai
This paper describes the future research discussed at the 2022 Zero Trust Industry Day event.
DOWNLOAD -
Industry Best Practices for Zero Trust Architecture
• White Paper
By Matthew Nicolai, Timothy Morrow, Nathaniel Richmond
This paper describes best practices identified during the SEI’s Zero Trust Industry Day 2022, and provides ways to help organizations shift to zero trust.
DOWNLOAD -
A Strategy for Component Product Lines: Report 1: Scoping, Objectives, and Rationale
• Special Report
By Gabriel Moreno, Alfred Schenker, Sholom G. Cohen, John J. Hudak, John McGregor
This report establishes a Component Product Line Strategy to address problems in systematically reusing and integrating components built to conform to component specification models.
DOWNLOAD -
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk
• Technical Note
By Michael S. Bandor, Christopher J. Alberts, Charles M. Wallen, Carol Woody
This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.
DOWNLOAD -
Zero Trust Industry Day Experience Paper
• White Paper
By Rhonda Brown, Timothy Morrow, Mary Popeck
This paper describes the results of the 2022 Zero Trust Industry Day event.
DOWNLOAD -
Challenge Development Guidelines for Cybersecurity Competitions
• Technical Report
By Dennis M. Allen, Jarrett Booz, Leena Arora, Joseph Vessella, Josh Hammerstein, Matt Kaar
This paper draws on the SEI’s experience to provide general-purpose guidelines and best practices for developing effective cybersecurity challenges.
DOWNLOAD -
Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk
• White Paper
By Christopher J. Alberts, Carol Woody, Charles M. Wallen, Michael S. Bandor
The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.
DOWNLOAD -
Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
• Special Report
By Allen D. Householder
This report proposes a formal protocol specification for MPCVD to improve the interoperability of both CVD and MPCVD processes.
DOWNLOAD -
Common Sense Guide to Mitigating Insider Threats, Seventh Edition
• Technical Report
By Software Engineering Institute
The guide describes 22 best practices for mitigating insider threat based on the CERT Division's continued research and analysis of more than 3,000 insider threat cases.
DOWNLOAD -
Coordinated Vulnerability Disclosure User Stories
• White Paper
By Timur D. Snoke, Vijay S. Sarvepalli, Art Manion, Laurie Tyzenhaus, Eric Hatleback, Allen D. Householder, Brad Runyon, Charles G. Yarbrough, Jonathan Spring
This paper provides user stories to guide the development of a technical protocol and application programming interface for Coordinated Vulnerability Disclosure.
DOWNLOAD -
LLVM Intermediate Representation for Code Weakness Identification
• White Paper
By David Svoboda, Shannon Gallagher, William Klieber
This paper examines whether intermediate representation used in Large Language Models can be useful to indicate the presence of software vulnerabilities.
DOWNLOAD -
Digital Engineering Effectiveness
• White Paper
By Bill Nichols, Alfred Schenker, Tyler Smith (Adventium Labs, Inc.)
This paper explores the reluctance of developers of cyber-physical systems to embrace digital engineering (DE), how DE methods should be tailored to achieve their stakeholders' goals, and how to measure …
DOWNLOAD -
A Brief Introduction to the Evaluation of Learned Models for Aerial Object Detection
• White Paper
By Eric Heim
The SEI AI Division assembled guidance on the design, production, and evaluation of machine-learning models for aerial object detection.
DOWNLOAD -
Guidance for Tailoring DoD Request for Proposals (RFPs) to Include Modeling
• Special Report
By Julie B. Cohen, Robert Wojcik, Tom Merendino
This report provides guidance for government program offices that are including digital engineering/modeling requirements into a request for proposal.
DOWNLOAD -
Modeling to Support DoD Acquisition Lifecycle Events (Version 1.4)
• White Paper
By Robert Wojcik, Tom Merendino, Julie B. Cohen
This document provides suggestions for producing requirement, system, and software models that will be used to support various DoD system acquisition lifecycle events.
DOWNLOAD -
Extensibility
• Technical Report
By Rick Kazman, Sebastián Echeverría, James Ivers
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for extensibility.
DOWNLOAD -
TwinOps: Digital Twins Meets DevOps
• Technical Report
By John J. Hudak, Anton Hristozov, Joe Yankel, Jerome Hugues
This report describes ModDevOps, an approach that bridges model-based engineering and software engineering using DevOps concepts and code generation from models, and TwinOps, a specific ModDevOps pipeline.
DOWNLOAD -
Robustness
• Technical Report
By Rick Kazman, James Ivers, Sebastián Echeverría, Philip Bianco
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for robustness.
DOWNLOAD -
An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems
• White Paper
By Jonathan Spring
This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing.
DOWNLOAD -
Using XML to Exchange Floating Point Data
• White Paper
By John Klein
This paper explains issues of using XML to exchange floating point values, how to address them, and the limits of technology to enforce a correct implementation.
DOWNLOAD -
Using Machine Learning to Increase NPC Fidelity
• Technical Report
By Thomas G. Podnar, Dustin D. Updyke, Geoffrey B. Dobson, John Yarger
The authors describe how they used machine learning (ML) modeling to create decision-making preferences for non-player characters (NPCs).
DOWNLOAD -
A Prototype Set of Cloud Adoption Risk Factors
• White Paper
By Christopher J. Alberts
Alberts discusses the results of a study to identify a prototype set of risk factors for adopting cloud technologies.
DOWNLOAD -
Cloud Security Best Practices Derived from Mission Thread Analysis
• Technical Report
By Timothy Morrow, Donald Faatz, Angel Luis Hueca, Vincent LaPiana, Nathaniel Richmond
This report presents practices for secure, effective use of cloud computing and risk reduction in transitioning applications and data to the cloud, and considers the needs of limited-resource businesses.
DOWNLOAD -
Accenture: An Automation Maturity Journey
• Technical Report
By Rajendra T. Prasad (Accenture)
This paper describes work in the area of automation that netted Accenture the 2020 Watts Humphrey Software Process Achievement Award.
DOWNLOAD -
Experiences with Deploying Mothra in Amazon Web Services (AWS)
• Technical Report
By Brad Powell, John Stogoski, Daniel Ruef
The authors describe development of an at-scale prototype of an on-premises system to test the performance of Mothra in the cloud and provide recommendations for similar deployments.
DOWNLOAD -
Planning and Design Considerations for Data Centers
• Technical Note
By Lyndsi A. Hughes, Mark Kasunic, David Sweeney
This report shares important lessons learned from establishing small- to mid-size data centers.
DOWNLOAD -
Integrating Zero Trust and DevSecOps
• White Paper
By Carol Woody, Timothy Morrow, Geoff Sanders, Nathaniel Richmond
This paper discusses the interdependent strategies of zero trust and DevSecOps in the context of application development.
DOWNLOAD -
A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
• Special Report
By Jonathan Spring, Allen D. Householder
This report discusses performance indicators that stakeholders in Coordinated Vulnerability Disclosure (CVD) can use to measure its effectiveness.
DOWNLOAD -
Human-Centered AI
• White Paper
By Matt Gaston, Rachel Dzombak, Hollen Barmer, Tanisha Smith, Carol J. Smith, Jay Palat, Frank Redner
This white paper discusses Human-Centered AI: systems that are designed to work with, and for, people.
DOWNLOAD -
Robust and Secure AI
• White Paper
By Eric Heim, Rachel Dzombak, Hollen Barmer, Frank Redner, Tanisha Smith, Nathan M. VanHoudnos, Matt Gaston, Jay Palat
This white paper discusses Robust and Secure AI systems: AI systems that reliably operate at expected levels of performance, even when faced with uncertainty and in the presence of danger …
DOWNLOAD -
Scalable AI
• White Paper
By John Wohlbier, Hollen Barmer, Rachel Dzombak, Matt Gaston, Jay Palat, Frank Redner, Tanisha Smith
This white paper discusses Scalable AI: the ability of AI algorithms, data, models, and infrastructure to operate at the size, speed, and complexity required for the mission.
DOWNLOAD -
The Sector CSIRT Framework: Developing Sector-Based Incident Response Capabilities
• Technical Report
By Tracy Bills, Brittany Manley, David McIntire, Sharon Mudd, Angel Luis Hueca, Justin Novak
This framework guides the development and implementation of a sector CSIRT.
DOWNLOAD -
Foundation of Cyber Ranges
• Technical Report
By Dustin D. Updyke, Thomas G. Podnar, Geoffrey B. Dobson, Bill Reed
This report details the design considerations and execution plan for building high-fidelity, realistic virtual cyber ranges that deliver maximum training and exercise value for cyberwarfare participants.
DOWNLOAD -
Software Assurance Guidance and Evaluation (SAGE) Tool
• White Paper
By Hasan Yasar, Robert Schiela, Luiz Antunes, Ebonie McNeil
The Software Assurance Guidance and Evaluation (SAGE) tool helps an organization assess the security of its systems development and operations practices.
DOWNLOAD -
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)
• White Paper
By Jonathan Spring, Laurie Tyzenhaus, Vijay S. Sarvepalli, Charles G. Yarbrough, Madison Oliver, Art Manion, Eric Hatleback, Allen D. Householder
This paper presents version 2.0 of a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System …
DOWNLOAD -
Modeling and Validating Security and Confidentiality in System Architectures
• Technical Report
By Lutz Wrage, Aaron Greenhouse, Jörgen Hansson (University of Skovde)
This report presents an approach for modeling and validating confidentiality using the Bell–LaPadula security model and the Architecture Analysis & Design Language.
DOWNLOAD -
Overview of Practices and Processes of the CMMC 1.0 Assessment Guides (CMMC 1.0)
• White Paper
By Douglas Gardner
This document is intended to help anyone unfamiliar with cybersecurity standards get started with the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).
DOWNLOAD -
Zero Trust: Risks and Research Opportunities
• White Paper
By Timothy Morrow, Geoff Sanders
This paper describes a zero trust vignette and three mission threads that highlight risks and research areas to consider for zero trust environments.
DOWNLOAD -
Artificial Intelligence (AI) and Machine Learning (ML) Acquisition and Policy Implications
• White Paper
By William E. Novak
This paper reports on a high-level survey of a set of both actual and potential acquisition and policy implications of the use of Artificial Intelligence (AI) and Machine Learning (ML) …
DOWNLOAD -
Security Engineering Risk Analysis (SERA) Threat Archetypes
• White Paper
By Christopher J. Alberts, Carol Woody
This report examines the concept of threat archetypes and how analysts can use them during scenario development.
DOWNLOAD -
Loss Magnitude Estimation in Support of Business Impact Analysis
• Technical Report
By Brett Tucker, Andrew P. Moore, David Tobar, Daniel J. Kambic
The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.
DOWNLOAD -
Emerging Technologies 2020: Six Areas of Opportunity
• White Paper
By Software Engineering Institute
This study seeks to understand what the software engineering community perceives to be key emerging technologies. The six technologies described hold great promise and, in some cases, have already attracted …
DOWNLOAD -
Maintainability
• Technical Report
By John Klein, James Ivers, Philip Bianco, Rick Kazman
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for maintainability.
DOWNLOAD -
Advancing Risk Management Capability Using the OCTAVE FORTE Process
• Technical Note
By Brett Tucker
OCTAVE FORTE is a process model that helps organizations evaluate their security risks and use ERM principles to bridge the gap between executives and practitioners.
DOWNLOAD -
Analytic Capabilities for Improved Software Program Management
• White Paper
By Christopher Miller, David Zubrow
This white paper describes an update to the SEI Quantifying Uncertainty in Early Lifecycle Cost Estimation approach.
DOWNLOAD -
AI Engineering for Defense and National Security: A Report from the October 2019 Community of Interest Workshop
• Special Report
By Software Engineering Institute
Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for AI Engineering for Defense and National Security.
DOWNLOAD -
NICE Framework Cybersecurity Evaluator
• White Paper
By Christopher Herr
This cybersecurity evaluator is designed to assess members of the cyber workforce within the scope of the NICE Cybersecurity Workforce Framework.
DOWNLOAD -
Current Ransomware Threats
• White Paper
By Marisa Midler, Kyle O'Meara
This report by Marisa Midler, Kyle O'Meara, and Alexandra Parisi discusses ransomware, including an explanation of its design, distribution, execution, and business model.
DOWNLOAD -
An Updated Framework of Defenses Against Ransomware
• White Paper
By Timothy J. Shimeall, Timur D. Snoke
This report, loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against Ransomware-as-a-Service (RaaS) as well as direct ransomware attacks.
DOWNLOAD -
Historical Analysis of Exploit Availability Timelines
• White Paper
By Trent Novelly, Jeff Chrabaszcz (Govini), Allen D. Householder, David Warren, Jonathan Spring
This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible.
DOWNLOAD -
Architecture Evaluation for Universal Command and Control
• White Paper
By Harry L. Levinson, Jason Popowski, Reed Little, Philip Bianco, Patrick Donohoe, John Klein
The SEI developed an analysis method to assess function allocations in existing C2 systems and reason about design choices and tradeoffs during the design of new C2 systems.
DOWNLOAD -
A Risk Management Perspective for AI Engineering
• White Paper
By Brett Tucker
This paper describes several steps of OCTAVE FORTE in the context of adopting AI technology.
DOWNLOAD -
Attack Surface Analysis - Reduce System and Organizational Risk
• White Paper
By Carol Woody, Robert J. Ellison
This paper offers system defenders an overview of how threat modeling can provide a systematic way to identify potential threats and prioritize mitigations.
DOWNLOAD -
Guide to Implementing DevSecOps for a System of Systems in Highly Regulated Environments
• Technical Report
By Suzanne Miller, Peter Capell, Jose A. Morales, Richard Turner, Patrick R. Place, David James Shepard
This Technical Report provides guidance to projects interested in implementing DevSecOps (DSO) in defense or other highly regulated environments, including those involving systems of systems.
DOWNLOAD -
Integrability
• Technical Report
By John Klein, Rick Kazman, Philip Bianco, James Ivers
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for integrability.
DOWNLOAD -
Comments on NISTIR 8269 (A Taxonomy and Terminology of Adversarial Machine Learning)
• White Paper
By Nathan M. VanHoudnos, Jonathan Spring, April Galyardt
Feedback to the U.S. National Institute of Standards and Technology (NIST) about NIST IR 8269, a draft report detailing the proposed taxonomy and terminology of Adversarial Machine Learning (AML).
DOWNLOAD -
Penetration Tests Are The Check Engine Light On Your Security Operations
• White Paper
By Allen D. Householder, Dan J. Klinedinst
A penetration test serves as a lagging indicator of a network security operations problem. Organizations should implement and document several security controls before a penetration test can be useful.
DOWNLOAD -
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization
• White Paper
By Art Manion, Deana Shick, Allen D. Householder, Eric Hatleback, Jonathan Spring
This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
DOWNLOAD -
Architecture Centric Virtual Integration Process (ACVIP): A Key Component of the DoD Digital Engineering Strategy
• White Paper
By Peter H. Feiler, Bruce Lewis (U.S. Army AMCOM), Alex Boydston (U.S. Army ADD/JMR), Steve Vestal (Honeywell Technology Center)
ACVIP is a compositional, architecture-centric, model-based approach enabling virtual integration analysis in the early phases and throughout the lifecycle to detect and remove defects that currently are not found until …
DOWNLOAD -
AI Engineering: 11 Foundational Practices
• White Paper
By Software Engineering Institute
These recommendations help organizations that are beginning to build, acquire, and integrate artificial intelligence capabilities into business and mission systems.
DOWNLOAD -
Machine Learning in Cybersecurity: A Guide
• Technical Report
By Jonathan Spring, April Galyardt, Ed Stoner, Angela Horneman, Leigh B. Metcalf, Joshua Fallon
This report suggests seven key questions that managers and decision makers should ask about machine learning tools to effectively use those tools to solve cybersecurity problems.
DOWNLOAD -
Operational Test & Evaluation (OT&E) Roadmap for Cloud-Based Systems
• White Paper
By Charles M. Wallen, Carol Woody, Christopher J. Alberts, John Klein
This paper provides an overview of the preparation and work that the AEC needs to perform to successfully transition the Army to cloud computing.
DOWNLOAD -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2018: U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate
• Technical Report
By Victor A. Elias (U.S. Army CCDC Armaments Center, Fire Control Systems and Technology Directorate)
This report presents a systemic approach to software development process improvement and its impact for the U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate …
DOWNLOAD -
Overview of Risks, Threats, and Vulnerabilities Faced in Moving to the Cloud
• Technical Report
By Carrie Lee (U.S. Department of Veteran Affairs), Donald Faatz, Kelwyn Pender, Timothy Morrow
This report, updated in October 2020, examines the changes to risks, threats, and vulnerabilities when applications are deployed to cloud services.
DOWNLOAD -
Automatically Detecting Technical Debt Discussions
• White Paper
By Raghvinder Sangwan, Robert Nord, Zachary Kurtz, Ipek Ozkaya
This study introduces (1) a dataset of expert labels of technical debt in developer comments and (2) a classifier trained on those labels.
DOWNLOAD -
Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem
• White Paper
By Allen D. Householder, Andrew P. Moore
This paper presents modeling and analysis of two critical foundational processes of the cybersecurity vulnerability management ecosystem using a combination of system dynamics and agent-based modeling techniques.
DOWNLOAD -
SCAIFE API Definition Beta Version 0.0.2 for Developers
• White Paper
By Lori Flynn, Ebonie McNeil
This paper provides the SCAIFE API definition for beta version 0.0.2. SCAIFE is an architecture that supports static analysis alert classification and prioritization.
DOWNLOAD -
Creating xBD: A Dataset for Assessing Building Damage from Satellite Imagery
• White Paper
By Software Engineering Institute
We present a preliminary report for xBD, a new large-scale dataset for the advancement of change detection and building damage assessment for humanitarian assistance and disaster recovery research.
DOWNLOAD -
Integration of Automated Static Analysis Alert Classification and Prioritization with Auditing Tools: Special Focus on SCALe
• Technical Report
By David Svoboda, Ebonie McNeil, Lori Flynn, Jiyeon Lee (Carnegie Mellon University), Zachary Kurtz, Derek Leung
This report summarizes progress and plans for developing a system to perform automated classification and advanced prioritization of static analysis alerts.
DOWNLOAD -
Cybersecurity Career Paths and Progression
• White Paper
By Marie Baker, Dennis M. Allen, Melissa Burns, Nicholas Giruzzi
This paper explores the current state of cybersecurity careers, from the importance of early exposure, to methods of entry into the field, to career progression.
DOWNLOAD -
Cybersecurity Talent Identification and Assessment
• White Paper
By Dennis M. Allen, Marie Baker, Christopher Herr
To help fill cybersecurity roles, this paper explores how organizations identify talent, discusses assessment capabilities, and provides recommendations on recruitment and talent evaluations.
DOWNLOAD -
Cybersecurity Careers of the Future
• White Paper
By Dennis M. Allen
Using workforce data analysis, this paper identifies key cybersecurity skills the workforce needs to close the cybersecurity workforce gap.
DOWNLOAD -
A Targeted Improvement Plan for Service Continuity
• Technical Note
By Andrew F. Hoover, Robert A. Vrtis, Philip A. Scolieri, Jeffrey Pinckard, Gavin Jurecko
Describes how an organization can leverage the results of a Cyber Resilience Review to create a Targeted Improvement Plan for its service continuity management.
DOWNLOAD -
Exploring the Use of Metrics for Software Assurance
• Technical Note
By Charlie Ryan, Robert J. Ellison, Carol Woody
This report proposes measurements for each Software Assurance Framework (SAF) practice that a program can select to monitor and manage the progress it's making toward software assurance.
DOWNLOAD -
Common Sense Guide to Mitigating Insider Threats, Sixth Edition
• Technical Report
By Sarah Miller, Randall F. Trzeciak, Michael C. Theis, Daniel L. Costa, Andrew P. Moore, William R. Claycomb, Tracy Cassidy
The guide presents recommendations for mitigating insider threat based on the CERT Division's continued research and analysis of more than 1,500 insider threat cases.
DOWNLOAD -
An Approach for Integrating the Security Engineering Risk Analysis (SERA) Method with Threat Modeling
• White Paper
By Christopher J. Alberts, Carol Woody
This report examines how cybersecurity data generated by a threat modeling method can be integrated into a mission assurance context using the SERA Method.
DOWNLOAD -
Infrastructure as Code: Final Report
• White Paper
By John Klein, Doug Reynolds
This project explored the feasibility of infrastructure as code, developed prototype tools, populated a model of the deployment architecture, and automatically generated IaC scripts from the model.
DOWNLOAD -
Incident Management Capability Assessment
• Technical Report
By Pennie Walters, Christopher J. Alberts, Samuel J. Perl, David McIntire, Mark Zajicek, Robin Ruefle, Audrey J. Dorofee, Carly L. Huth
The capabilities presented in this report provide a benchmark of incident management practices.
DOWNLOAD -
Program Manager's Guidebook for Software Assurance
• Special Report
By Timothy A. Chick, Carol Woody, Kenneth Nidiffer
This guidebook helps program managers address the software assurance responsibilities critical in defending software-intensive systems, including mission threads and cybersecurity.
DOWNLOAD -
DoD Developer’s Guidebook for Software Assurance
• Special Report
By Tom Scanlon, Bill Nichols
This guidebook helps software developers for DoD programs understand expectations for software assurance and standards and requirements that affect assurance.
DOWNLOAD -
Towards Improving CVSS
• White Paper
By Allen D. Householder, Art Manion, Deana Shick, Eric Hatleback, Jonathan Spring
This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).
DOWNLOAD -
GHOSTS in the Machine: A Framework for Cyber-Warfare Exercise NPC Simulation
• Technical Report
By Dustin D. Updyke, Geoffrey B. Dobson, Adam D. Cerini, Luke J. Osterritter, Thomas G. Podnar, Benjamin L. Earl
This report outlines how the GHOSTS (General HOSTS) framework helps create realism in cyber-warfare simulations and discusses how it was used in a case study.
DOWNLOAD -
Composing Effective Software Security Assurance Workflows
• Technical Report
By Aaron Volkmann, Jim McHale, David Sweeney, William Snavely, Bill Nichols
In an effort to determine how to make secure software development more cost effective, the SEI conducted a research study to empirically measure the effects that security tools—primarily automated static …
DOWNLOAD -
FedCLASS: A Case Study of Agile and Lean Practices in the Federal Government
• Special Report
By Linda Parker Gates, Nanette Brown, Jeff Davenport, Tamara Marshall-Keim
This study reports the successes and challenges of using Agile and Lean methods and cloud-based technologies in a government software development environment.
DOWNLOAD -
Threat Modeling for Cyber-Physical System-of-Systems: Methods Evaluation
• White Paper
By Nataliya Shevchenko, Brent Frye, Carol Woody
This paper compares threat modeling methods for cyber-physical systems and recommends which methods (and combinations of methods) to use.
DOWNLOAD -
Software Architecture Publications
• White Paper
By Software Engineering Institute
The SEI compiled this bibliography of publications about software architecture as a resource for information about system architecture throughout its lifecycle.
DOWNLOAD -
Practical Precise Taint-flow Static Analysis for Android App Sets
• White Paper
By Michael Zheng, William Klieber, Lori Flynn, William Snavely
This paper describes how to detect taint flow in Android app sets with a static analysis method that is fast and uses little disk and memory space.
DOWNLOAD -
Threat Modeling: A Summary of Available Methods
• White Paper
By Tom Scanlon, Carol Woody, Paige O'Riordan, Timothy A. Chick, Nataliya Shevchenko
This paper discusses twelve threat modeling methods from a variety of sources that target different parts of the development process.
DOWNLOAD -
Navigating the Insider Threat Tool Landscape: Low-Cost Technical Solutions to Jump-Start an Insider Threat Program
• White Paper
By Michael J. Albrethsen, Derrick Spooner, George Silowash, Daniel L. Costa
This paper explores low cost technical solutions that can help organizations prevent, detect, and respond to insider incidents.
DOWNLOAD -
Blacklist Ecosystem Analysis: July - December 2017
• White Paper
By Eric Hatleback, Leigh B. Metcalf
This short report provides a summary of the various analyses of the blacklist ecosystem performed from July 1, 2017, through December 31, 2017.
DOWNLOAD -
ROI Analysis of the System Architecture Virtual Integration Initiative
• Technical Report
By Peter H. Feiler, Jörgen Hansson (University of Skovde), Steve Helton (The Boeing Company)
This report presents an analysis of the economic effects of the System Architecture Virtual Integration approach on the development of software-reliant systems for aircraft compared to existing development paradigms.
DOWNLOAD -
Implementing DevOps Practices in Highly Regulated Environments
• White Paper
By Hasan Yasar, Aaron Volkmann, Jose A. Morales
In this paper, the authors layout the process with insights on performing a DevOps assessment in a highly regulated environment.
DOWNLOAD -
A Mapping of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the Cyber Resilience Review (CRR)
• Technical Note
By Greg Porter (Heinz College at Carnegie Mellon University), Matthew Trevors, Robert A. Vrtis
This technical note describes mapping of HIPAA Security Rule requirements to practice questions found in the CERT Cyber Resilience Review for organizations' use in HIPAA compliance.
DOWNLOAD -
A Hybrid Threat Modeling Method
• Technical Note
By Ole Villadsen (Carnegie Mellon University), Krishnamurthy Vemuru (University of Virginia), Forrest Shull, Nancy R. Mead
Presents a hybrid method of threat modeling that attempts to meld the desirable features of three methods: Security Cards, Persona non Grata, and STRIDE.
DOWNLOAD -
Cyber Mutual Assistance Workshop Report
• Special Report
By Dan Bennett, PhD (Army Cyber Institute), Blake Rhoades (Army Cyber Institute), Dan Huynh (Army Cyber Institute), Bill Lawrence (North American Electric Reliability Corporation), Judy Esquibel (Army Cyber Institute), Matt Hutchison (Army Cyber Institute), Fernando Maymi, PhD (Army Cyber Institute), Jonathon Monken (PJM Interconnection), Katie C. Stewart
The Army Cyber Institute hosted a Cyber Mutual Assistance Workshop to identify challenges in defining cyber requirements for Regional Mutual Assistance Groups.
DOWNLOAD -
Embedded Device Vulnerability Analysis Case Study Using Trommel
• White Paper
By Madison Oliver, Kyle O'Meara
This document provides security researchers with a repeatable methodology to produce more thorough and actionable results when analyzing embedded devices for vulnerabilities.
DOWNLOAD -
2017 Emerging Technology Domains Risk Survey
• Technical Report
By Dan J. Klinedinst, Kyle O'Meara, Joel Land
This report describes our understanding of future technologies and helps US-CERT identify vulnerabilities, promote security practices, and understand vulnerability risk.
DOWNLOAD -
R-EACTR: A Framework for Designing Realistic Cyber Warfare Exercises
• Technical Report
By Luke J. Osterritter, Geoffrey B. Dobson, Thomas G. Podnar, Adam D. Cerini
R-EACTR is a design framework for cyber warfare exercises. It ensures that designs of team-based exercises factor realism into all aspects of the participant experience.
DOWNLOAD -
Architecture Practices for Complex Contexts
• White Paper
By John Klein
This doctoral thesis, completed at Vrije Universiteit Amsterdam, focuses on software architecture practices for systems of systems, including data-intensive systems.
DOWNLOAD -
Defining a Progress Metric for CERT-RMM Improvement
• Technical Note
By Gregory Crabb (United States Postal Service), Nader Mehravari, David Tobar
Describes the Cybersecurity Program Progress Metric and how its implementation in a large, diverse U.S. national organization can serve to indicate progress toward improving cybersecurity and resilience capabilities.
DOWNLOAD -
Blacklist Ecosystem Analysis: January - June, 2017
• White Paper
By Eric Hatleback, Leigh B. Metcalf
This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data …
DOWNLOAD -
The CERT Guide to Coordinated Vulnerability Disclosure
• Special Report
By Art Manion, Allen D. Householder, Garret Wassermann, Christopher King
This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go …
DOWNLOAD -
Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers
• Special Report
By Joel Land
This report describes a test framework that the CERT/CC developed to identify systemic and other vulnerabilities in CPE routers.
DOWNLOAD -
Department of Defense Software Factbook
• Technical Report
By David Zubrow, Christopher Miller, James McCurley, Rhonda Brown, Mike Zuccher (No Affiliation), Brad Clark
In this report, the Software Engineering Institute has analyzed data related to DoD software projects and translated it into information that is frequently sought-after across the DoD.
DOWNLOAD -
DidFail: Coverage and Precision Enhancement
• Technical Report
By William Snavely, William Klieber, Lori Flynn, Xiaoxiao Tang (No Affiliation), Pranav Bagree (No Affiliation), Hongli Yin (No Affiliation), Karan Dwivedi (No Affiliation)
This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.
DOWNLOAD -
The Hard Choices Game Explained
• White Paper
By Erin Lim, Philippe Kruchten, Nanette Brown, Ipek Ozkaya, Robert Nord
The Hard Choices game is a simulation of the software development cycle meant to communicate the concepts of uncertainty, risk, and technical debt.
DOWNLOAD -
Federal Virtual Training Environment (FedVTE)
• White Paper
By Dominic A. Ross, April Galyardt, Marie Baker
The Federal Virtual Training Environment (FedVTE) is an online, on‐demand training system containing cybersecurity and certification prep courses, at no cost to federal, state, and local government employees.
DOWNLOAD -
Blacklist Ecosystem Analysis: July – December 2016
• White Paper
By Leigh B. Metcalf, Eric Hatleback
This report provides a summary of various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this …
DOWNLOAD -
Guide to Software Architecture Tools
• White Paper
By Software Engineering Institute
This document discusses tools and methods for analyzing the architecture, establishing requirements, evaluating the architecture, and defining the architecture.
DOWNLOAD -
System-of-Systems Software Architecture Evaluation
• White Paper
By Software Engineering Institute
The SoS Architecture Evaluation Method provides an initial identification of SoS architectural risks and quality attribute inconsistencies across the constituent systems.
DOWNLOAD -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award
• White Paper
By Software Engineering Institute
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award
DOWNLOAD -
SEI-Certified PSP Developer Examination: Sample Questions
• White Paper
By Software Engineering Institute
This page contains sample questions similar to those found on the PSP Developer examination.
DOWNLOAD -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2016: Raytheon Integrated Defense Systems
• Technical Report
By Peter Kraus (Raytheon), Brian Foley (Raytheon), Kurt Mittelstaedt (Raytheon), Neal Mackertich (Raytheon), Dan Bardsley (Raytheon), Kelli Grimes (Raytheon), Mike Nolan (Raytheon)
The Raytheon Integrated Defense Systems DFSS team has been recognized with the 2016 Watts Humphrey Software Process Achievement Award.
DOWNLOAD -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement (SPA) Award 2016: Nationwide
• Technical Report
By Will J.M. Pohlman (Nationwide IT)
This report describes the 10-year history of Nationwide's software process improvement journey. Nationwide received the 2016 Watts Humphrey Software Process Achievement Award from the SEI and IEEE.
DOWNLOAD -
Prototype Software Assurance Framework (SAF): Introduction and Overview
• Technical Note
By Christopher J. Alberts, Carol Woody
In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
DOWNLOAD -
15 Tips for Preparing and Delivering a Great Presentation at SATURN
• White Paper
By Software Engineering Institute
You submitted a proposal to SATURN, and it got accepted. Congratulations! Here are 15 tips for creating and giving a great presentation at SATURN.
DOWNLOAD -
The CISO Academy
• White Paper
By Pamela D. Curtis, David Ulicne, David Tobar, Summer C. Fowler
In this paper, the authors describe the project that led to the creation of the U.S. Postal Service's CISO Academy.
DOWNLOAD -
Agile Acquisition and Milestone Reviews
• White Paper
By Software Engineering Institute
Acquisition & Management Concerns for Agile Use in Government Series - 4
DOWNLOAD -
Management and Contracting Practices for Agile Programs
• White Paper
By Software Engineering Institute
Acquisition & Management Concerns for Agile Use in Government Series - 3
DOWNLOAD -
Estimating in Agile Acquisition
• White Paper
By Software Engineering Institute
Acquisition & Management Concerns for Agile Use in Government Series - 5
DOWNLOAD -
Agile Development and DoD Acquisitions
• White Paper
By Software Engineering Institute
Acquisition & Management Concerns for Agile Use in Government Series - 1
DOWNLOAD -
Agile Culture in the DoD
• White Paper
By Software Engineering Institute
Acquisition & Management Concerns for Agile Use in Government Series - 2
DOWNLOAD -
Adopting Agile in DoD IT Acquisitions
• White Paper
By Software Engineering Institute
Acquisition & Management Concerns for Agile Use in Government Series - 6
DOWNLOAD -
Supply Chain and Commercial-off-the-Shelf (COTS) Assurance
• White Paper
By Software Engineering Institute
The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.
DOWNLOAD -
COTS-Based Systems
• White Paper
By Software Engineering Institute
This paper presents a summary of SEI commercial off-the-shelf (COTS) software documents and COTS tools.
DOWNLOAD -
Create a CSIRT
• White Paper
By Software Engineering Institute
This white paper discusses the issues and decisions organizations should address when planning, implementing, and building a CSIRT.
DOWNLOAD -
Skills Needed When Staffing Your CSIRT
• White Paper
By Software Engineering Institute
This white paper describes a set of skills that CSIRT staff members should have to provide basic incident-handling services.
DOWNLOAD -
CSIRT Frequently Asked Questions (FAQ)
• White Paper
By Software Engineering Institute
This FAQ addresses CSIRTS, organizations responsible for receiving, reviewing, and responding to computer security incident reports and activity.
DOWNLOAD -
CERT-RMM Capability Appraisals
• White Paper
By Software Engineering Institute
The white paper describe CERT-RMM appraisals and the benefits they offer organizations.
DOWNLOAD -
A Technical History of the SEI
• Special Report
By Larry Druffel
This report chronicles the technical accomplishments of the Software Engineering Institute and its impact on the Department of Defense software community, as well as on the broader software engineering community.
DOWNLOAD -
SQUARE Frequently Asked Questions (FAQ)
• White Paper
By Software Engineering Institute
This paper contains information about SQUARE, a process that helps organizations build security into the early stages of the software production lifecycle.
DOWNLOAD -
Common Sense Guide to Mitigating Insider Threats, Fifth Edition
• Technical Report
By Tracy Cassidy, Andrew P. Moore, Michael J. Albrethsen, Daniel L. Costa, Jason W. Clark, Jeremy R. Strozer, Randall F. Trzeciak, Michael C. Theis, Matthew L. Collins
Presents recommendations for mitigating insider threat based on CERT's continued research and analysis of over 1,000 cases.
DOWNLOAD -
Architecture-Led Safety Process
• Technical Report
By Peter H. Feiler, John McGregor, Julien Delange, David P. Gluch
Architecture-Led Safety Analysis (ALSA) is a safety analysis method that uses early architecture knowledge to supplement traditional safety analysis techniques to identify faults as early as possible.
DOWNLOAD -
The Critical Role of Positive Incentives for Reducing Insider Threats
• Technical Report
By Jennifer Cowley, Elizabeth A. Monaco, Jeff Savinda, Andrew P. Moore, Jamie L. Moyes, Denise M. Rousseau (Carnegie Mellon University), Samuel J. Perl, Allison Parshall, Daniel Bauer, Palma Buttles-Valdez, Nathan M. VanHoudnos, Tracy Cassidy, Matthew L. Collins
This report describes how positive incentives complement traditional practices to provide a better balance for organizations' insider threat programs.
DOWNLOAD -
Update 2016: Considerations for Using Agile in DoD Acquisition
• Technical Note
By Daniel Burton, Mary Ann Lapham, Alfred Schenker, Ray C. Williams, Charles (Bud) Hammons, Dan Ward (Dan Ward Consulting), Suzanne Miller
This report updates a 2010 technical note, addressing developments in commercial Agile practices as well as the Department of Defense (DoD) acquisition environment.
DOWNLOAD -
Scaling Agile Methods for Department of Defense Programs
• Technical Note
By Mary Ann Lapham, Peter Capell, Eileen Wrubel, Suzanne Miller, Will Hayes
This report discusses methods for scaling Agile processes to larger software development programs in the Department of Defense.
DOWNLOAD -
Low Cost Technical Solutions to Jump Start an Insider Threat Program
• Technical Note
By George Silowash, Derrick Spooner, Daniel L. Costa, Michael J. Albrethsen
This technical note explores free and low cost technical solutions to help organizations prevent, detect, and respond to malicious insiders.
DOWNLOAD -
RFP Patterns and Techniques for Successful Agile Contracting
• Special Report
By Keith Korzec, John H. Norton III (Raytheon Integrated Defense Systems), Michael Ryan (BTAS), Greg Howard (MITRE), Peter Capell, Thomas E. Friend (Agile On Target), Steven Martin (Space and Missile Systems Center), Larri Ann Rosser (Raytheon Intelligence Information and Services), Mary Ann Lapham
This report discusses request-for-proposal patterns and techniques for successfully contracting a federal Agile project.
DOWNLOAD -
Ultra-Large-Scale Systems: Socio-adaptive Systems
• White Paper
By Gabriel Moreno, Lutz Wrage, Linda M. Northrop, Mark H. Klein, Scott Hissam
Ultra-large-scale systems are interdependent webs of software, people, policies, and economics. In socio-adaptive systems, humans and software interact as peers.
DOWNLOAD -
Cyber-Physical Systems
• White Paper
By David Kyle, Dionisio de Niz, Sagar Chaki, Jeffrey Hansen, Bjorn Andersson, Scott Hissam, John J. Hudak, Mark H. Klein, Gabriel Moreno
Cyber-physical systems (CPS) integrate computational algorithms and physical components. SEI promotes the efficient development of high-confidence, distributed CPS.
DOWNLOAD -
Pervasive Mobile Computing
• White Paper
By William Anderson, Jeff Boleng, Ben W. Bradshaw, James Edmondson, Grace Lewis, Edwin J. Morris, Marc Novakouski, James Root
Pervasive mobile computing focuses on how soldiers and first responders can use smartphones, tablets, and other mobile/wearable devices at the tactical edge.
DOWNLOAD -
Predictability by Construction
• White Paper
By Linda M. Northrop, Gabriel Moreno, Kurt C. Wallnau, Sagar Chaki, Scott Hissam
Predictability by construction (PBC) makes the behavior of a component-based system predictable before implementation, based on known properties of components.
DOWNLOAD -
Blacklist Ecosystem Analysis: January – June, 2016
• White Paper
By Leigh B. Metcalf, Eric Hatleback
This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data …
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Testing the Identified Metrics
• White Paper
By Bill Nichols, Charles Weinstock, Sarah Sheard, Michael D. Konrad
This report describes a test of an algorithm for estimating the complexity of a safety argument.
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Estimating Complexity of a Safety Argument
• White Paper
By Charles Weinstock, Michael D. Konrad, Bill Nichols, Sarah Sheard
This report presents a formula for estimating the complexity of an avionics system and directly connects that complexity to the size of its safety argument.
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Identifying the Impact of Complexity on Safety
• White Paper
By Michael D. Konrad, Sarah Sheard, Charles Weinstock, Donald Firesmith
This report organizes our work on the impact of software complexity on aircraft safety by asking, “How can complexity complicate safety and, thus, certification?”
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Candidate Complexity Metrics
• White Paper
By Sarah Sheard, Bill Nichols
This special report identifies candidate measures of complexity for systems with embedded software that relate to safety, assurance, or both.
DOWNLOAD -
FAA Research Project on System Complexity Effects on Aircraft Safety: Literature Search to Define Complexity for Avionics Systems
• White Paper
By Sarah Sheard, Michael D. Konrad
This special report describes the results of a literature review sampling what is known about complexity for application in the context of safety and assurance.
DOWNLOAD -
Seven Proposal-Writing Tips That Make Conference Program Committees Smile
• White Paper
By Bill Pollak, Mike Petock
Writing a great session proposal for a conference is difficult. Here are seven tips for writing a session proposal that will make reviewers go from frown to smile.
DOWNLOAD -
Definition and Measurement of Complexity in the Context of Safety Assurance
• Technical Report
By Bill Nichols, Sarah Sheard, Michael D. Konrad, Charles Weinstock
This report describes research to define complexity measures for avionics systems to help the FAA identify when systems are too complex to assure their safety.
DOWNLOAD -
Establishing Trusted Identities in Disconnected Edge Environments
• White Paper
By Dan J. Klinedinst, Sebastián Echeverría, Keegan M. Williams
he goal of this paper is to present a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field.
DOWNLOAD -
A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)
• Technical Note
By Robert A. Vrtis, Jeffrey Pinckard, Michael Rattigan
To help financial organizations assess cyber resilience, we map FFIEC Cybersecurity Assessment Tool (CAT) statements to Cyber Resilience Review (CRR) questions.
DOWNLOAD -
Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach
• White Paper
By Charles M. Wallen, John Haller
A resilience-based approach can help financial services organizations to manage cybersecurity risks from outsourcing and comply with federal regulations.
DOWNLOAD -
Agile Development in Government: Myths, Monsters, and Fables
• White Paper
By Suzanne Miller, Mary Ann Lapham, David J. Carney
This volume is a reflection on attitudes toward Agile software development now current in the government workplace.
DOWNLOAD -
Striving for Effective Cyber Workforce Development
• White Paper
By Marie Baker
This paper reviews the issue of cyber awareness and identify efforts to combat this deficiency and concludes with strategies moving forward.
DOWNLOAD -
Segment-Fixed Priority Scheduling for Self-Suspending Real-Time Tasks
• Technical Report
By Geoffrey Nelissen, Junsung Kim, Dionisio de Niz, Ragunathan (Raj) Rajkumar, Jian-Jia Chen, Bjorn Andersson, Wen-Hung Huang
This report describes schedulability analyses and proposes segment-fixed priority scheduling for self-suspending tasks.
DOWNLOAD -
Creating Centralized Reporting for Microsoft Host Protection Technologies: The Enhanced Mitigation Experience Toolkit (EMET)
• Technical Note
By Craig Lewis, Joseph Tammariello
This report describes how to set up a centralized reporting console for the Windows Enhanced Mitigation Experience Toolkit.
DOWNLOAD -
The QUELCE Method: Using Change Drivers to Estimate Program Costs
• Technical Note
By Sarah Sheard
This technical note introduces Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), a method for estimating program costs early in development.
DOWNLOAD -
Blacklist Ecosystem Analysis: 2016 Update
• White Paper
By Leigh B. Metcalf, Eric Hatleback, Jonathan Spring
This white paper, which is the latest in a series of regular updates, builds upon the analysis of blacklists presented in our 2013 and 2014 reports.
DOWNLOAD -
Architecture Fault Modeling and Analysis with the Error Model Annex, Version 2
• Technical Report
By Julien Delange, Peter H. Feiler, John J. Hudak, David P. Gluch
This report describes the Error Model Annex, Version 2 (EMV2), notation for architecture fault modeling, which supports safety, reliability, and security analyses.
DOWNLOAD -
A Requirement Specification Language for AADL
• Technical Report
By Lutz Wrage, Julien Delange, Peter H. Feiler
This report describes a textual requirement specification language, called ReqSpec, for the Architecture Analysis & Design Language (AADL) and demonstrates its use.
DOWNLOAD -
DMPL: Programming and Verifying Distributed Mixed-Synchrony and Mixed-Critical Software
• Technical Report
By David Kyle, Sagar Chaki
DMPL is a language for programming distributed real-time, mixed-criticality software. It supports distributed systems in which each node executes a set of periodic real-time threads that are scheduled by priority …
DOWNLOAD -
Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines
• Special Report
By Audrey J. Dorofee, Carol Woody, Christopher J. Alberts
This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element …
DOWNLOAD -
Report Writer and Security Requirements Finder: User and Admin Manuals
• Special Report
By Walid El Baroni (Carnegie Mellon University), Gupta Anurag (Carnegie Mellon), Nancy R. Mead, Priyam Swati (Carnegie Mellon University), Yaobin Wen (Carnegie Mellon University), Anand Sankalp (Carnegie Mellon University)
This report presents instructions for using the Malware-driven Overlooked Requirements (MORE) website applications.
DOWNLOAD -
Applying the Goal-Question-Indicator-Metric (GQIM) Method to Perform Military Situational Analysis
• Technical Note
By Douglas Gray
This report describes how to use the goal-question-indicator-metric method in tandem with the military METT-TC method (mission, enemy, time, terrain, troops available, and civil-military considerations).
DOWNLOAD -
An Insider Threat Indicator Ontology
• Technical Report
By George Silowash, Samuel J. Perl, Derrick Spooner, Matthew L. Collins, Daniel L. Costa, Michael J. Albrethsen
This report presents an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated.
DOWNLOAD -
Using Honeynets and the Diamond Model for ICS Threat Analysis
• Technical Report
By John Kotheimer, Deana Shick, Kyle O'Meara
This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure …
DOWNLOAD -
2016 State of Cybercrime Survey
• White Paper
By Software Engineering Institute
This paper examines the current state of cybercrime and explores how organizations and individuals respond to cybercrime threats.
DOWNLOAD -
The QUELCE Method: Using Change Drivers to Estimate Program Costs
• White Paper
By Sarah Sheard
This report introduces the Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE) method for estimating program costs early in a development lifecycle.
DOWNLOAD -
A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology
• Technical Report
By Kyle O'Meara, Deana Shick
As they constantly change network infrastructure, adversaries consistently use and update their tools. This report presents a way for researchers to begin threat analysis with those tools rather than with …
DOWNLOAD -
On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle
• White Paper
By Dan J. Klinedinst, Christopher King
This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.
DOWNLOAD -
2016 Emerging Technology Domains Risk Survey
• Technical Report
By Todd Lewellen, Christopher King, Garret Wassermann, Dan J. Klinedinst
This 2016 report provides a snapshot of our current understanding of future technologies.
DOWNLOAD -
Malware Capability Development Patterns Respond to Defenses: Two Case Studies
• White Paper
By Jonathan Spring, Deana Shick, Ed Stoner, Kyle O'Meara
In this paper, the authors describe their analysis of two case studies to outline the relationship between adversaries and network defenders.
DOWNLOAD -
Cyber-Foraging for Improving Survivability of Mobile Systems
• Technical Report
By James Root, Ben W. Bradshaw, Sebastián Echeverría, Grace Lewis
This report presents an architecture and experimental results that demonstrate that cyber-foraging using tactical cloudlets increases the survivability of mobile systems.
DOWNLOAD -
CERT-RMM Version 1.2 Release Notes
• White Paper
By Software Engineering Institute
This document contains the release notes for CERT-RMM Version 1.2, released February 2014.
DOWNLOAD -
DoD Software Factbook
• White Paper
By James McCurley, David Zubrow, Brad Clark
This DoD Factbook is an initial analysis of software engineering data from the perspective of policy and management questions about software projects.
DOWNLOAD -
Architecture-Led Safety Analysis of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
• Special Report
By Peter H. Feiler
This report summarizes an architecture-led safety analysis of the aircraft-survivability situation-awareness system for the Joint Multi-Role vertical lift program.
DOWNLOAD -
Requirements and Architecture Specification of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
• Special Report
By Peter H. Feiler
This report describes a method for capturing information from requirements documents in AADL and the draft Requirement Definition & Analysis Language Annex.
DOWNLOAD -
Potential System Integration Issues in the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
• Special Report
By John J. Hudak, Peter H. Feiler
This report describes a method for capturing information from requirements documents in AADL to identify potential integration problems early in system development.
DOWNLOAD -
Extending AADL for Security Design Assurance of Cyber-Physical Systems
• Technical Report
By Rick Kazman, Carol Woody, Robert J. Ellison, Allen D. Householder, John J. Hudak
This report demonstrates the viability and limitations of using the Architecture Analysis and Design Language (AADL) through an extended example that allows for specifying and analyzing the security properties of …
DOWNLOAD -
Cybersecurity Considerations for Vehicles
• White Paper
By Jens Palluch (Method Park), Mark Sherman
In this paper the authors discuss the number of ECUs and software in modern vehicles and the need for cybersecurity to include vehicles.
DOWNLOAD -
Analytic Approaches to Detect Insider Threats
• White Paper
By Software Engineering Institute
This paper identifies steps that organizations can use to enhance their security posture to detect potential insider threats.
DOWNLOAD -
Intelligence Preparation for Operational Resilience (IPOR)
• Special Report
By Douglas Gray
The author describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).
DOWNLOAD -
Evaluating and Mitigating the Impact of Complexity in Software Models
• Technical Report
By Bill Nichols, Min-Young Nam, Julien Delange, Jim McHale, John J. Hudak
This report defines software complexity, metrics for complexity, and the effects of complexity on cost and presents an analysis tool to measure complexity in models.
DOWNLOAD -
Cyber + Culture Early Warning Study
• Special Report
By Char Sample
This study was designed to profile cyber actors, and to examine the time interval between cyber and kinetic events in order to gain greater insights into nation-state cyber responses to …
DOWNLOAD -
Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls
• White Paper
By William E. Novak, Matthew L. Collins, Michael C. Theis, Randall F. Trzeciak, Andrew P. Moore
In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and engage the community to discuss its concerns.
DOWNLOAD -
Structuring the Chief Information Security Officer Organization
• Technical Note
By David Tobar, Brendan Fitzpatrick, Gregory Crabb (United States Postal Service), Julia H. Allen, Pamela D. Curtis, Nader Mehravari
The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.
DOWNLOAD -
Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution
• Technical Report
By Julia H. Allen, C. Aaron Cois, Anne Connell, Erik Ebel (Veris Group), William Gulley (Veris Group), Michael Riley (Veris Group), Robert W. Stoddard, Marie Vaughn (Veris Group), Douglas Gray, Brian D. Wisniewski
This technical report focuses on cybersecurity at the indirect, strategic level. It discusses how cybersecurity decision makers at the tactical or implementation level can establish a supportive contextual environment to …
DOWNLOAD -
Secure Coding Analysis of an AADL Code Generator's Runtime System
• White Paper
By David Keaton
This paper describes a secure coding analysis of the PolyORB-HI-C runtime system used by C language code output from the Ocarina AADL code generator.
DOWNLOAD -
Contracting for Agile Software Development in the Department of Defense: An Introduction
• Technical Note
By Jon Gross, Eileen Wrubel
This technical note addresses effective contracting for Agile software development and offers a primer on Agile based on a contracting officer's goals.
DOWNLOAD -
CND Equities Strategy
• White Paper
By Ed Stoner, Jonathan Spring
In this paper, the authors discuss strategies for successful computer network defense (CND) based on considering the adversaries' responses.
DOWNLOAD -
Comments on Bureau of Industry and Security (BIS) Proposed Rule Regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation for Intrusion and Surveillance Items
• White Paper
By Art Manion, Allen D. Householder
In this paper, CERT researchers comment on the proposed rule, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items.
DOWNLOAD -
Enabling Incremental Iterative Development at Scale: Quality Attribute Refinement and Allocation in Practice
• Technical Report
By Neil Ernst, Stephany Bellomo, Robert Nord, Ipek Ozkaya
This report describes industry practices used to develop business capabilities and suggests approaches to enable large-scale iterative development, or agile at scale.
DOWNLOAD -
State of Practice Report: Essential Technical and Nontechnical Issues Related to Designing SoS Platform Architectures
• Technical Report
By Sholom G. Cohen, John Klein
This report analyzes the state of the practice in system-of-systems (SoS) development, based on 12 interviews of leading SoS developers in the DoD and industry.
DOWNLOAD -
Emerging Technology Domains Risk Survey
• Technical Note
By Jonathan Chu, Andrew O. Mellinger, Christopher King
This report provides a snapshot in time of our current understanding of future technologies.
DOWNLOAD -
SCALe Analysis of JasPer Codebase
• White Paper
By David Svoboda
In this paper, David Svoboda provides the findings of a SCALe audit on a codebase.
DOWNLOAD -
Model-Driven Engineering: Automatic Code Generation and Beyond
• Technical Note
By John Klein, Jay Marchetti, Harry L. Levinson
This report offers guidance on selecting, analyzing, and evaluating model-driven engineering tools for automatic code generation in acquired systems.
DOWNLOAD -
Defining a Maturity Scale for Governing Operational Resilience
• Technical Note
By Julia H. Allen, Katie C. Stewart, Audrey J. Dorofee, Lisa R. Young, Michelle A. Valdez
Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.
DOWNLOAD -
SEI SPRUCE Project: Curating Recommended Practices for Software Producibility
• White Paper
By B. Craig Meyers, Mike Petock, Bill Pollak, Michael D. Konrad, Gerald W. Miller, Tamara Marshall-Keim
This paper describes the Systems and Software Producibility Collaboration Environment (SPRUCE) project and the resulting recommended practices on five software topics.
DOWNLOAD -
Improving Quality Using Architecture Fault Analysis with Confidence Arguments
• Technical Report
By Neil Ernst, John B. Goodenough, Julien Delange, Charles Weinstock, Peter H. Feiler, Ari Z. Klein
The case study shows that by combining an analytical approach with confidence maps, we can present a structured argument that system requirements have been met and problems in the design …
DOWNLOAD -
Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets
• Technical Report
By William Klieber, Jonathan Burket, Lori Flynn, Jonathan Lim, Wei Shen, William Snavely
In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.
DOWNLOAD -
Eliminative Argumentation: A Basis for Arguing Confidence in System Properties
• Technical Report
By Ari Z. Klein, John B. Goodenough, Charles Weinstock
This report defines the concept of eliminative argumentation and provides a basis for assessing how much confidence one should have in an assurance case argument.
DOWNLOAD -
A Proven Method for Meeting Export Control Objectives in Postal and Shipping Sectors
• Technical Note
By Nader Mehravari, Julia H. Allen, Pamela D. Curtis, Gregory Crabb (United States Postal Service)
This report describes how the CERT-RMM enabled the USPIS to implement an innovative approach for achieving complex international mail export control objectives.
DOWNLOAD -
Measuring What Matters Workshop Report
• Technical Note
By Michelle A. Valdez, Katie C. Stewart, Lisa R. Young, Julia H. Allen
This report describes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.
DOWNLOAD -
A Dynamic Model of Sustainment Investment
• Technical Report
By Mike Phillips, Sarah Sheard, Robert Ferguson, Andrew P. Moore
This paper describes a dynamic sustainment model that shows how budgeting, allocation of resources, mission performance, and strategic planning are interrelated and how they affect each other over time.
DOWNLOAD -
Cybersecurity Assurance
• White Paper
By Software Engineering Institute
This paper describes the SEI research and solutions that help organizations gain justified confidence in their cybersecurity posture.
DOWNLOAD -
Blacklist Ecosystem Analysis Update: 2014
• White Paper
By Leigh B. Metcalf, Jonathan Spring
This white paper compares the contents of 85 different Internet blacklists to discover patterns in shared entries.
DOWNLOAD -
Predicting Software Assurance Using Quality and Reliability Measures
• Technical Note
By Carol Woody, Bill Nichols, Robert J. Ellison
In this report, the authors discuss how a combination of software development and quality techniques can improve software security.
DOWNLOAD -
Regional Use of Social Networking Tools
• Technical Report
By Kate Meeuf
This paper explores the regional use of social networking services (SNSs) to determine if participation with a subset of SNSs can be applied to identify a user's country of origin.
DOWNLOAD -
Domain Parking: Not as Malicious as Expected
• White Paper
By Jonathan Spring, Leigh B. Metcalf
In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be …
DOWNLOAD -
Pattern-Based Design of Insider Threat Programs
• Technical Note
By Andrew P. Moore, David McIntire, Robin Ruefle, Dave Mundie, Matthew L. Collins
In this report, the authors describe a pattern-based approach to designing insider threat programs that could provide a better defense against insider threats.
DOWNLOAD -
Introduction to the Security Engineering Risk Analysis (SERA) Framework
• Technical Note
By Carol Woody, Christopher J. Alberts, Audrey J. Dorofee
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
DOWNLOAD -
Using Malware Analysis to Tailor SQUARE for Mobile Platforms
• Technical Note
By Gregory Paul Alice, Nancy R. Mead
This technical note explores the development of security requirements for the K-9 Mail application, an open source email client for the Android operating system.
DOWNLOAD -
A Method for Aligning Acquisition Strategies and Software Architectures
• Technical Note
By Patrick R. Place, Cecilia Albert, Lisa Brownsword, David J. Carney
This report describes the third year of the SEI's research into aligning acquisition strategies and software architecture.
DOWNLOAD -
Agile Methods in Air Force Sustainment: Status and Outlook
• Technical Note
By Michael S. Bandor, Stephen Beck, Eileen Wrubel, Mary Ann Lapham, Colleen Regan
This paper examines using Agile techniques in the software sustainment arena—specifically Air Force programs. The intended audience is the staff of DoD programs and related personnel who intend to use …
DOWNLOAD -
Development of an Intellectual Property Strategy: Research Notes to Support Department of Defense Programs
• Special Report
By Charlene Gross
This report is intended to help program managers understand categories of intellectual property, various intellectual property challenges, and approaches to assessing the license rights that the program needs for long-term …
DOWNLOAD -
AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment
• Technical Report
By Julien Delange, John J. Hudak, David P. Gluch, Peter H. Feiler
This report describes how the Architecture Analysis and Design Language (AADL) Error Model Annex supports the safety-assessment methods in SAE Standard ARP4761.
DOWNLOAD -
CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0)
• Technical Note
By Sam Lin, Nader Mehravari, Julia H. Allen, Gregory Crabb (United States Postal Service), Pamela D. Curtis, Dawn Wilkes
This report describes a new process area that ensures that international mail is transported according to Universal Postal Union standards.
DOWNLOAD -
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0)
• Technical Note
By Pamela D. Curtis, Gregory Crabb (United States Postal Service), Julia H. Allen, David W. White, Nader Mehravari
This report describes a new process area that ensures that the USPS is compensated for mail that is accepted, transported, and delivered.
DOWNLOAD -
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0)
• Technical Note
By Nader Mehravari, Julia H. Allen, Pamela D. Curtis, Gregory Crabb (United States Postal Service), David W. White
This report describes a new process area that ensures that mail is inducted into the U.S. domestic mail stream according to USPS standards and requirements.
DOWNLOAD -
Smart Collection and Storage Method for Network Traffic Data
• Technical Report
By Nathan Dell, Angela Horneman
This report discusses considerations and decisions to be made when designing a tiered network data storage solution.
DOWNLOAD -
A Systematic Approach for Assessing Workforce Readiness
• Technical Report
By Christopher J. Alberts, David McIntire
In this report, the authors present the Competency Lifecycle Roadmap and the readiness test development method, both used to maintain workforce readiness.
DOWNLOAD -
Assuring Software Reliability
• Special Report
By Robert J. Ellison
This report describes ways to incorporate the analysis of the potential impact of software failures--regardless of their cause--into development and acquisition practices through the use of software assurance.
DOWNLOAD -
Patterns and Practices for Future Architectures
• Technical Note
By Eric Werner, Scott McMillan, Jonathan Chu
This report discusses best practices and patterns that will make high-performance graph analytics on new and emerging architectures more accessible to users.
DOWNLOAD -
Abuse of Customer Premise Equipment and Recommended Actions
• White Paper
By Chris Hallenbeck, Jonathan Spring, Paul Vixie
In this paper, the authors provide recommendations for addressing problems related to poor management of Consumer Premise Equipment (CPE).
DOWNLOAD -
Performance of Compiler-Assisted Memory Safety Checking
• Technical Note
By Robert C. Seacord, David Keaton
This technical note describes the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely …
DOWNLOAD -
Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector
• Technical Note
By CERT Insider Threat Team
This report analyzes unintentional insider threat cases of phishing and other social engineering attacks involving malware.
DOWNLOAD -
Evaluation of the Applicability of HTML5 for Mobile Applications in Resource-Constrained Edge Environments
• Technical Note
By Bryan Yan (Carnegie Mellon University – Institute for Software Research), Grace Lewis
This technical note presents an analysis of the feasibility of using HTML5 for developing mobile applications, for "edge" environments where resources and connectivity are uncertain, such as in battlefield or …
DOWNLOAD -
Agile Software Teams: How They Engage with Systems Engineering on DoD Acquisition Programs
• Technical Note
By Mary Ann Lapham, Timothy A. Chick, Eileen Wrubel, Suzanne Miller
This technical note addresses issues with Agile software teams engaging systems engineering functions in developing and acquiring software-reliant systems.
DOWNLOAD -
Improving the Automated Detection and Analysis of Secure Coding Violations
• Technical Note
By Robert C. Seacord, Daniel Plakosh, Robert W. Stoddard, David Svoboda, David Zubrow
This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.
DOWNLOAD -
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 2
• Technical Note
By Kevin G. Partridge, Lisa R. Young, Mary Popeck
This update to Version 1 of this same title (CMU/SEI-2011-TN-028) maps CERT-RMM process areas to certain NIST 800-series special publications.
DOWNLOAD -
The Business Case for Systems Engineering: Comparison of Defense Domain and Non-defense Projects
• Special Report
By Dennis Goldenson, Joseph P. Elm
This report analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness.
DOWNLOAD -
Job Analysis Results for Malicious-Code Reverse Engineers: A Case Study
• Technical Report
By Jennifer Cowley
This report describes individual and team factors that enable, encumber, or halt the development of malicious-code reverse engineering expertise.
DOWNLOAD -
An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)
• Technical Note
By Audrey J. Dorofee, Mark Zajicek, Robin Ruefle, Christopher J. Alberts
The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.
DOWNLOAD -
A Taxonomy of Operational Cyber Security Risks Version 2
• Technical Note
By James J. Cebula, Lisa R. Young, Mary Popeck
This second version of the 2010 report presents a taxonomy of operational cyber security risks and harmonizes it with other risk and security activities.
DOWNLOAD -
An Evaluation of A-SQUARE for COTS Acquisition
• Technical Note
By Sidhartha Mani, Nancy R. Mead
An evaluation of the effectiveness of Software Quality Requirements Engineering for Acquisition (A-SQUARE) in a project to select a COTS product for the advanced metering infrastructure of a smart grid.
DOWNLOAD -
Investigating Advanced Persistent Threat 1 (APT1)
• Technical Report
By Angela Horneman, Deana Shick
This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure.
DOWNLOAD -
Precise Static Analysis of Taint Flow for Android Application Sets
• White Paper
By Amar S. Bhosale (No Affiliation)
This thesis describes a static taint analysis for Android that combines the FlowDroid and Epicc analyses to track inter- and intra-component data flow.
DOWNLOAD -
Data-Driven Software Assurance: A Research Study
• Technical Report
By Michael F. Orlando, Erin Harper, Andrew P. Moore, Julia L. Mullaney, Bill Nichols, Michael D. Konrad, Art Manion
In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.
DOWNLOAD -
ALTernatives to Signatures (ALTS)
• White Paper
By George Jones, John Stogoski
This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.
DOWNLOAD -
Potential Use of Agile Methods in Selected DoD Acquisitions: Requirements Development and Management
• Technical Note
By David J. Carney, Kenneth Nidiffer, Suzanne Miller
This report explores issues that practitioners in the field who are actively adopting Agile methods have identified in our interviews about their experience in defining and managing requirements.
DOWNLOAD -
The Readiness & Fit Analysis: Is Your Organization Ready for Agile?
• White Paper
By Suzanne Miller
This paper summarizes the Readiness & Fit Analysis and describes its extension to support risk identification for organizations that are adopting agile methods.
DOWNLOAD -
International Implementation of Best Practices for Mitigating Insider Threat: Analyses for India and Germany
• Technical Report
By Tracy Cassidy, Lori Flynn, Carly L. Huth, Palma Buttles-Valdez, Michael C. Theis, Randall F. Trzeciak, Travis Wright (Carnegie Mellon University, Master of Science in Information Security Policy and Management Program), George Silowash
This report analyzes insider threat mitigation in India and Germany, using the new framework for international cybersecurity analysis described in the paper titled “Best Practices Against Insider Threats in All …
DOWNLOAD -
Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
• Special Report
By The WEA Project Team
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance …
DOWNLOAD -
Maximizing Trust in the Wireless Emergency Alerts (WEA) Service
• Special Report
By Robert J. Ellison, Carol Woody
This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert …
DOWNLOAD -
Wireless Emergency Alerts: Trust Model Simulations
• Special Report
By Robert W. Stoddard, Timothy Morrow, Joseph P. Elm
This report presents four types of simulations run on the public trust model and the alert originator trust model developed for the Wireless Emergency Alerts (WEA) service, focusing on how …
DOWNLOAD -
Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy
• Technical Report
By The WEA Project Team
This report presents the Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy, a hierarchical classification that encompasses four elements of the alerting pipeline, to help stakeholders understand and reason about …
DOWNLOAD -