Software Engineering Institute

Dr. Carol Woody has been a senior member of the technical staff since 2001. Currently she is the technical manager for the Cyber Security Engineering (CSE) team, whose research focuses on meeting the challenges of cyber security in acquisition, system and software engineering.  CSE is building capabilities in defining, acquiring, developing, measuring, managing, and sustaining secure software for highly complex networked systems as well as systems of systems.

Woody is an experienced technical researcher whose work has focused on government agencies, higher education, and medical organizations. She has helped them identify effective security risk management solutions, develop approaches to improve their ability to identify security and survivability requirements, and field software and systems with greater assurance.

As a consultant for ImageWork Technologies Corp., Woody managed the user testing for CITYTIME, a timekeeping application being developed for New York City. She also consulted with the Queens County District Attorney's Office of New York City to design and implement an electronic document management system. New York City's Administration for Child Services chose her to integrate financial information among state, city, and agency financial systems and also to construct a financial data warehouse and implement web-enabled processes for managing social service payments. As project manager at Yale University, Woody served as architect and implementing project manager for an integrated ID card solution, developed technical specifications and assisted users in vendor review and selection for a procurement package, designed and implemented expert system technology for distributed data collection, and managed a team of technicians supporting the financial operations of the university.

Woody holds a PhD in information science from Nova Southeastern University, an MBA from Wake Forest University, and a BS in mathematics from William and Mary.

Contact: Carol Woody

Secure by design means performing more security and assurance activities earlier in the product and system lifecycles. A secure-by-design mindset addresses the security of systems during the requirements, design, and development phases of lifecycles rather than waiting until the system is ready for implementation. The need for a secure-by-design mindset is exacerbated by the amount of interconnectedness of today’s systems and the increasing amount of automation that characterizes system development. These trends have led to increased levels of risk and made implementation of security controls during test and patching systems after deployment increasingly unsustainable. In this SEI Podcast, Robert Schiela, technical manager of the Secure Coding group, and Carol Woody, a principal researcher in the SEI’s CERT Division, talk with Suzanne Miller about the importance of integrating the practices and mindset of secure by design into the acquisition and development of software-reliant systems.