Software Engineering Institute | Carnegie Mellon University

Digital Library

February 2018 - Video SEI Cyber Minute: Improving the State of Cyber Intelligence

Authors: Jared Ettinger

Good cyber intelligence practices—those that help you see the big picture—can prevent costly security breaches and help safeguard valuable assets and information.

February 2018 - Podcast Is Software Spoiling Us? Innovations in Daily Life from Software

Authors: Jeff Boleng

In this podcast, which was excerpted from the webinar Is Software Spoiling Us?, the panel discusses awesome innovations in daily life that are made possible because of software.

February 2018 - Video SEI Cyber Minute: SCALe

Topics: Secure Coding

Authors: David Svoboda

The SEI Source Code Analysis Lab (SCALe) gives analysts the ability to focus on the most critical alerts from static analysis.

February 2018 - Podcast How Risk Management Fits into Agile & DevOps in Government

Topics: Cyber Risk and Resilience Management

Authors: Timothy A. Chick, Will Hayes, Eileen Wrubel, Hasan Yasar

In this podcast, Eileen Wrubel, technical lead for the SEI’s Agile-in-Government program leads a roundtable discussion into how Agile, DevOps, and the Risk Management Framework can work together.

January 2018 - Presentation CyGraph: Big-Data Graph Analysis For Cybersecurity and Mission Resilience

Topics: Network Situational Awareness

Authors: Steven Noel (MITRE)

In this presentation, the author discusses CyGraph, a methodology and tool for improving network security posture, maintaining situational awareness in the face of cyberattacks, and focusing on protection of mission-critical assets.

January 2018 - Presentation Automated Detection and Analysis of IoT Network Traffic Through Distributed Open Source Sensors and Citizen Scientists

Topics: Network Situational Awareness

Authors: Joe McManus (University of Colorado)

In this presentation, the author discusses securing the Internet of Things (IoT) through network based detection leveraging low cost distributed sensing, machine learning and citizen scientists.

January 2018 - Brochure CSIH Certification Renewal Activity Log

Authors: Randy Caldejon (CounterFlow AI), Andrew Fast, PhD (CounterFlow AI)

Use this form to log activity for CSIH Certification Renewal.

January 2018 - Presentation Eliminating Barriers to Automated Tensor Analysis for Large-scale Flows

Topics: Network Situational Awareness

Authors: James Ezick (Reservoir Labs)

In this presentation, the author gives an introduction to tensor decompositions as a tool for network flow analysis, including insight into tensor methods as a rapidly evolving technology.

January 2018 - Presentation Anomaly Detection in Bipartite Networks

Topics: Network Situational Awareness

Authors: Mohammed Eslami (Netrias, LLC)

In this presentation, the author discusses automated methods to identify anomalies in cyber networks with data collected at the edge of a network (or other bipartite network).

January 2018 - Presentation Threat Hunting for Lateral Movement

Topics: Network Situational Awareness

Authors: Adam Fuchs (Sqrrl), Ryan Nolette (Sqrrl)

In this presentation, the authors review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.

January 2018 - Presentation Identification of Malicious SSL Networks by Subgraph Anomaly Detection

Authors: Dhia Mahjoub (OpenDNS), Thomas Mathew (OpenDNS)

In this presentation, the authors discuss current ways malicious operators use SSL to secure their command-and-control and IP infrastructure.

January 2018 - Presentation InSight2: An Interactive Web-Based Platform for Modeling and Analysis of Large-Scale Argus Network Flow Data

Topics: Network Situational Awareness

Authors: Angel Kodituwakku (The University of Tennessee Knoxville), Dr. Jens Gregor (The University of Tennessee Knoxville), J.T. Liso (The University of Tennessee Knoxville)

In this presentation, the authors discuss InSight2, an interactive web-based platform for modeling and analysis of large-scale Argus network flow data.

January 2018 - Presentation Detecting Malicious IPs and Domain Names by Fusing Threat Feeds and Passive DNS through Graph Inference

Topics: Network Situational Awareness

Authors: Emily Heath (MITRE), Eric Harley (MITRE)

In this presentation, the authors give security analysts a tool to connect the dots and uncover more malicious activity on their network faster and more accurately.

January 2018 - Presentation Analysis of DNS Traffic on the Network EDGE, and In Motion

Topics: Network Situational Awareness

Authors: Fred Stringer (AT&T Chief Security Organization)

In this presentation, the author describes cyber analysis of DNS traffic at the Internet peering points using a streaming data analysis platform and algorithms to create actionable reports in minutes.

January 2018 - Presentation When Threat Hunting Fails: Identifying Malvertising Domains Using Lexical Clustering

Topics: Network Situational Awareness

Authors: Matt Foley (Cisco Systems, Inc.), David Rodriguez (Cisco Systems, Inc.), Dhia Mahjoub (OpenDNS)

In this presentation, the authors discuss the current malvertising threat landscape: ad networks, exchanges, exploits, and popular infection points.

January 2018 - Presentation Anomaly Detection in Cyber Networks using Graph-node Role-dynamics and NetFlow Bayesian Normalcy Modeling

Topics: Network Situational Awareness

Authors: Anthony Palladino (Boston Fusion Corporation), Andrew Spisak (Boston Fusion Corporation), Christopher Thissen (Boston Fusion Corporation)

In this presentation, the authors describe a novel approach to cyber-anomaly detection. The method includes multi-modal data fusion, advanced graph-based analytics, and Bayesian normalcy modeling.

January 2018 - Webinar Is Software Spoiling Us?

Authors: Jeff Boleng, Grace Lewis, Eliezer Kanal, Satya Venneti, Joseph D. Yankel

Have software’s repeated successes, and the assumption that they will continue endlessly, discounted perceptions of its importance among leadership in civilian government, national defense, and national security organizations?

January 2018 - Presentation Optimal Machine Learning Algorithms

Topics: Network Situational Awareness

Authors: Hafiz Farooq (Saudi Aramco)

This presentation helps SOC analysts understand how to use machine learning algorithms optimally to complement existing conventional threat hunting capabilities.

January 2018 - Presentation Creating & Sharing Value with Network Activity & Threat Correlation

Topics: Network Situational Awareness

Authors: Dr. Jamison Day (Looking Glass)

In this presentation, the author examines the key impediments to effective information sharing and explores how network activity and threat correlation can alter cyber economics to diminish threat actor return on investment.

January 2018 - Article System-of-Systems Viewpoint for System Architecture Documentation

Topics: Software Architecture

Authors: John Klein, Hans van Vliet (VU University)

We evaluated an architecture documentation viewpoint to address the concerns of a SoS architect about a constituent system, to support SoS design and analysis involving that constituent system.

January 2018 - Video SEI Cyber Minute: Safely Using IoT at the Edge

Authors: Grace Lewis

This research will help ensure the security and effectiveness of IoT devices in tactical environments.

December 2017 - Podcast 5 Best Practices for Preventing and Responding to Insider Threat

Topics: Insider Threat

Authors: Randall F. Trzeciak

Randy Trzeciak, technical manager of the CERT National Insider Threat Center, discusses five best practices for preventing and responding to insider threat.

December 2017 - Conference Paper Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking

Authors: Leigh B. Metcalf, Daniel Ruef, Jonathan Spring

This paper measures fast-flux networks while accounting for domain parking, the practice of assigning a nonsense location to an unused fully-qualified domain name (FQDN) to keep it ready for “live” use.

December 2017 - Video SEI Cyber Minute: Obsidian: A Safer Blockchain Language

Authors: Eliezer Kanal

By creating a secure-by-design language that renders certain types of bugs impossible to create, we aim to significantly reduce the risk inherent in the adoption of blockchain technology.

December 2017 - Podcast Pharos Binary Static Analysis: An Update

Topics: Malware Analysis

Authors: Jeff Gennari

Jeff Gennari discusses updates to the Pharos framework, which automates reverse engineering for malware analysis, including new tools, improvements, and bug fixes.

December 2017 - Video SEI Cyber Minute: Preventing the Next Heartbleed

Authors: William Klieber

Watch Will Klieber in this SEI Cyber Minute as he discusses "Inference of Memory Bounds: Preventing the Next Heartbleed".

December 2017 - White Paper Embedded Device Vulnerability Analysis Case Study Using Trommel

Topics: Vulnerability Analysis

Authors: Madison Oliver, Kyle O'Meara

This document provides security researchers with a repeatable methodology to produce more thorough and actionable results when analyzing embedded devices for vulnerabilities.

December 2017 - Presentation Model-Driven Insider Threat Control Selection and Deployment

Topics: Insider Threat

Authors: Randall F. Trzeciak, Daniel L. Costa

This presentation discusses how organizations can identify, prioritize, and select appropriate security controls.

December 2017 - Webinar Four Valuable Data Sources for Network Security Analytics

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall

This webinar focused on the development and application of combined data analytics and offered several examples of analytics that combine domain resolution data, network device inventory and configuration data, and intrusion detection.

November 2017 - Podcast Positive Incentives for Reducing Insider Threat

Topics: Insider Threat

Authors: Andrew P. Moore, Daniel Bauer

Andrew Moore and Daniel Bauer highlight results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat.

November 2017 - Webinar Weaving a Fabric of Trust: Ensured Security, Privacy, Resilience, and Accountability

Topics: Cybersecurity Engineering, Science of Cybersecurity

Authors: Greg Shannon

During this webinar, Dr. Shannon examined the questions, science, and technology that builds trust with customers, other organizations, and society to ensure their security and privacy, and our own resilience and accountability.

November 2017 - Brochure CERT Insider Threat Center

Topics: Insider Threat

Authors: CERT Insider Threat Center

This booklet describes the CERT Insider Threat Center's purpose, products, and services, including assessments, workshops, courses, and certificate programs.

November 2017 - Podcast Mission-Practical Biometrics

Authors: Satya Venneti

Satya Venneti presents exploratory research undertaken by the SEI's Emerging Technology Center to design algorithms to extract heart rate from video capture of non-stationary subjects in real-time.

November 2017 - Presentation Cyber Hygiene: A Baseline Set of Practices

Topics: Cyber Risk and Resilience Management

Authors: Matthew Trevors, Charles M. Wallen

The CERT Division's Cybersecurity Hygiene is a set of 11 practice areas for managing the most common and pervasive cybersecurity risks faced by organizations.

November 2017 - Video SEI Cyber Minute: Cybersecurity in the Defense Acquisition System

Topics: Acquisition Support, Secure Coding

Authors: Mark Sherman

Unfortunately, where there is software, there are risks from vulnerabilities. In response, the Department of Defense has recently expanded the key document governing acquisition, DoD Instruction 5000.02.

November 2017 - Webinar Three Secrets to Successful Agile Metrics

Topics: Measurement and Analysis

Authors: Will Hayes

Watch this webcast to gain insights into effective metrics programs in government settings.

November 2017 - Presentation FFRDCs A Primer: Federally Funded Research and Development Centers in the 21st Century

Authors: Software Engineering Institute

Throughout this Primer, we explain what FFRDCs are, how they have secured their long-term place in our national research and development (R&D) landscape, and what they offer for the future.

November 2017 - Video SEI Cyber Minute: Predictable, Scalable Artificial Intelligence

Authors: James Edmondson

At the SEI, we are developing tools, techniques, and tutorials to help developers make autonomous systems that are dependable and predictable while preserving core system features and functionality that extend and complement human operators.

October 2017 - Presentation Why does Software Cost so Much? Towards a Causal Model

Topics: Acquisition Support

Authors: Robert W. Stoddard, Michael D. Konrad

Presentation on research to build an actionable, full causal model of software cost factors that is immediately useful to DoD programs and contract negotiators

October 2017 - Presentation What will the Robot do Next?

Authors: Jonathan Chu

Presentation on research to build algorithms that allow robots to explain their behaviors to users and adapt their behavior during execution to enable users to accurately predict what they will do next

October 2017 - Presentation Technical Detection of Intended Violence against Self or Others

Topics: Insider Threat

Authors: Tracy Cassidy

Presentation on research to use insider threat tools to detect indicators of employees who may be on a path to harm themselves and/or others within the workplace

October 2017 - Presentation Technical Debt Analysis through Software Analytics

Authors: Ipek Ozkaya

Presentation on research to develop tools that pinpoint problematic design decisions and quantify their consequences for uncovering technical debt

October 2017 - Presentation Rapid Expansion of Classification Models to Prioritize Static Analysis Alerts for C

Topics: Secure Coding

Authors: Lori Flynn

Presentation on research into a method to automatically classify and prioritize alerts that minimizes the manual effort needed to address the large volume of alerts

October 2017 - Presentation Obsidian - A Safer Blockchain Programming Language

Topics: Secure Coding

Authors: Eliezer Kanal, Michael Coblenz (Carnegie Mellon School of Computer Science)

Presentation on research by CMU and SEI to develop a novel programming language for secure blockchain software development

October 2017 - Poster Micro-Expressions: More than Meets the Eye

Authors: Satya Venneti, Oren Wright

Poster on research to build an accurate, automatic micro-expression analysis prototype that outperforms humans in spotting and recognizing facial micro-expressions in near real time

October 2017 - Presentation Micro-Expressions: More than Meets the Eye

Authors: Satya Venneti, Oren Wright

Presentation on research to build an accurate, automatic micro-expression analysis prototype that outperforms humans in spotting and recognizing facial micro-expressions in near real time

October 2017 - Presentation Measuring Performance of Big Learning Workloads

Authors: Scott McMillan

Presentation on research to build a performance measurement workbench with tools to measure and report performance of large-scale ML platforms

October 2017 - Presentation Inference of Memory Bounds

Topics: Secure Coding

Authors: William Klieber

Presentation on research to develop an algorithm to automatically infer the bounds of memory regions

October 2017 - Presentation Guided Architecture Trade Space Exploration for Safety-Critical Software Systems

Topics: Software Architecture

Authors: Samuel Procter

Presentation on research to create new tool prototype that automatically explores a system's trade space

October 2017 - Presentation Foundations for Summarizing and Learning Latent Structure in Video

Authors: Kevin A. Pitstick

Presentation on using machine learning to develop automated and semantically meaningful video summarization

October 2017 - Presentation Events, Relationships, and Script Learning for Situational Awareness

Authors: Edwin J. Morris

Presentation on research to use machine learning to extract patterns from high volumes of textual data

October 2017 - Presentation Dynamic Design Analysis

Topics: Software Architecture

Authors: Rick Kazman

Presentation on research to identify dynamic dependencies that result from the way modern systems are composed

October 2017 - Presentation Cyber Affordance Visualization in Augmented Reality

Topics: Workforce Development

Authors: Josh Hammerstein, Jeff Mattson

Presentation on research to integrate cyber effects into tactical decision-making for soldiers

October 2017 - Presentation Certifiable Distributed Runtime Assurance

Authors: Dionisio de Niz

Presentation on research on the use of enforcers for runtime assurance in distributed systems

October 2017 - Presentation Automated Code Generation for High-Performance Graph Libraries

Authors: Scott McMillan

Presentation on research into graph analytics

October 2017 - Presentation Authentication and Authorization for Internet of Things (IoT) Devices in Edge Environments

Topics: Pervasive Mobile Computing

Authors: Grace Lewis

Presentation on research to assure use of IoT devices in edge computing environments

October 2017 - Presentation Automated Assurance of Security Policy Enforcement (2017)

Topics: Software Architecture

Authors: Peter H. Feiler, Samuel Procter

Presentation on research to detect vulnerabilities early in the lifecycle in architecture models

October 2017 - Presentation A Game-Theoretic Approach to Optimizing Behaviors in Acquisition

Topics: Acquisition Support

Authors: William E. Novak

Presentation on research into using game theory in acquisition

October 2017 - Poster Why does Software Cost so Much? Towards a Causal Model

Topics: Acquisition Support

Authors: Robert W. Stoddard, Michael D. Konrad

Poster on research to build an actionable, full causal model of software cost factors

October 2017 - Poster What will the Robot do Next?

Authors: Jonathan Chu

Poster on research to develop algorithms for robots to explain their behaviors and adapt their behavior to enable users to accurately predict their actions

October 2017 - Poster Technical Detection of Intended Violence Against Self or Others

Topics: Insider Threat

Authors: Tracy Cassidy

Poster on research into determining the extent to which it is possible to technically detect indicators of employees who may be on a path to harm themselves and/or others within the workplace via insider threat detection tools

October 2017 - Poster Technical Debt Analysis through Software Analytics

Authors: Ipek Ozkaya

Poster on research to develop tools that integrate data from multiple, commonly available sources to pinpoint problematic design decisions and quantify their consequences in a repeatable and reliable way

October 2017 - Poster Rapid Expansion of Classification Models to Prioritize Static Analysis Alerts for C

Topics: Vulnerability Analysis

Authors: Lori Flynn

Poster on research to create a method to automatically classify and prioritize alerts

October 2017 - Poster Obsidian - A Safer Blockchain Programming Language

Topics: Secure Coding

Authors: Eliezer Kanal, Michael Coblenz (Carnegie Mellon School of Computer Science)

Poster on research by CMU and SEI to create a novel programming language for safer blockchain software development

October 2017 - Poster Measuring Performance of Big Learning Workloads

Authors: Scott McMillan

Poster on research to build a performance measurement workbench with tools to measure and report performance of large-scale ML platforms

October 2017 - Poster Inference of Memory Bounds

Topics: Secure Coding

Authors: William Klieber

Poster on research to develop an algorithm to automatically infer the bounds of memory regions

October 2017 - Poster Guided Architecture Trade Space Exploration for Safety-Critical Software Systems

Topics: Software Architecture

Authors: Samuel Procter

Poster on research into tools to evaluate trade space for embedded systems

October 2017 - Poster Foundations for Summarizing and Learning Latent Structure in Video

Authors: Kevin A. Pitstick

Poster on use of machine learning to develop automated and semantically meaningful video summarization

October 2017 - Poster Events, Relationships, and Script Learning for Situational Awareness

Authors: Edwin J. Morris

Poster for research into using machine learning to extract patterns from high volumes of textual data

October 2017 - Poster Dynamic Design Analysis

Topics: Software Architecture

Authors: Rick Kazman

Poster on research into dynamic dependencies that arise from the way modern systems are composed

October 2017 - Poster Cyber Affordance Visualization in Augmented Reality

Topics: Workforce Development

Authors: Josh Hammerstein, Jeff Mattson

Poster on research to integrate cyber effects into tactical decision-making for soldiers

October 2017 - Poster Certifiable Distributed Runtime Assurance

Topics: Cyber-Physical Systems

Authors: Dionisio de Niz

Poster on research into the use of enforcers for runtime assurance of distributed systems

October 2017 - Poster Automated Code Generation for High-Performance, Future-Compatible Graph Libraries

Authors: Scott McMillan

Poster on research into graph analytics

October 2017 - Poster Automated Code Generation for High-Performance, Future-Compatible Graph Libraries (2017)

Authors: Scott McMillan

Poster for research project on graph analytics

October 2017 - Poster Automated Assurance of Security Policy Enforcement (2017)

Topics: Cyber-Physical Systems

Authors: Peter H. Feiler, Samuel Procter

Poster for a research project on safety-critical system security policy enforcement

October 2017 - Poster Two Perspectives on IoT Security

Topics: Pervasive Mobile Computing

Authors: Grace Lewis

Poster on a project called Authentication and Authorization for IoT Devices in Edge Environments

October 2017 - Poster Getting Contractors to Cooperate

Topics: Acquisition Support

Authors: William E. Novak

A poster describing work on a project entitled A Game-Theoretic Approach to Optimizing Acquisition Behaviors

October 2017 - Podcast At Risk Emerging Technology Domains

Authors: Dan J. Klinedinst

In this podcast, CERT vulnerability analyst Dan Klinedinst discusses research aimed at helping the Department of Homeland Security United States Computer Emergency Readiness Team (US-CERT) understand future technologies and their risks.

October 2017 - Video SEI Cyber Minute: Cadence in Agile Development

Authors: Will Hayes

Watch Will Hayes in this Cyber Minute as he discusses using practices like continuous integration and a common code base, which help teams focus on getting the work done.

October 2017 - Podcast DNS Blocking to Disrupt Malware

Authors: Vijay S. Sarvepalli

In this podcast, CERT researcher Vijay Sarvepalli explores Domain Name System or DNS Blocking, the idea of disrupting communications from malicious code such as ransomware that is used to lock up your digital assets.
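As an added illustration of the DNS blocking idea the podcast describes (example code written for this page, not Vijay Sarvepalli's or CERT's), the block below turns a blocklist into a Response Policy Zone (RPZ) and resolves query names against it. The blocklist format, the domain names, and the sinkhole address (192.0.2.1, from the TEST-NET-1 range) are constructed for the example; a blocked domain returns either NXDOMAIN or a sinkhole address, and covers its subdomains the way an RPZ wildcard record does.

```python
"""Added example: a minimal DNS blocking policy rendered as an RPZ zone.

Assumptions (not from the podcast): the blocklist format, the domain names
and the sinkhole address below are all constructed for this illustration.
"""
import ipaddress

# Constructed sample blocklist: one domain per line, '#' starts a comment,
# an optional "= <address>" suffix sinkholes the name instead of NXDOMAIN.
BLOCKLIST_TEXT = """
# constructed sample, not a real threat feed
payload.example.com
c2-update.example.net = 192.0.2.1
ransom-keys.example.org
"""

ACTION_NXDOMAIN = "NXDOMAIN"


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip its trailing dot (DNS names are case-insensitive)."""
    return name.strip().rstrip(".").lower()


def parse_blocklist(text: str) -> dict:
    """Map each blocked domain to its action: 'NXDOMAIN' or a sinkhole IPv4 address."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            name, addr = (part.strip() for part in line.split("=", 1))
            ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
            policy[normalize(name)] = addr
        else:
            policy[normalize(line)] = ACTION_NXDOMAIN
    return policy


def lookup(policy: dict, qname: str):
    """Return the policy action for a query name, or None when it is not blocked.

    A blocked domain also covers every subdomain (the RPZ wildcard rule), so the
    query is checked against itself and then each parent name in turn.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return None


def render_rpz_zone(policy: dict, origin: str = "rpz.local") -> str:
    """Render the policy as an RPZ zone: 'CNAME .' means NXDOMAIN, an A record sinkholes."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        "@ SOA localhost. hostmaster.localhost. 1 3600 900 604800 60",
        "@ NS localhost.",
    ]
    # Trigger names are relative to the zone apex, so no trailing dot here.
    for name, action in sorted(policy.items()):
        if action == ACTION_NXDOMAIN:
            lines.append(f"{name} CNAME .")
            lines.append(f"*.{name} CNAME .")
        else:
            lines.append(f"{name} A {action}")
            lines.append(f"*.{name} A {action}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pol = parse_blocklist(BLOCKLIST_TEXT)
    print(render_rpz_zone(pol))
    for q in ("PAYLOAD.example.com.", "cdn.c2-update.example.net", "www.example.com"):
        print(q, "->", lookup(pol, q))
```

Name-based blocking only disrupts malware that resolves its infrastructure through the resolver you control; hard-coded IP addresses, DNS over HTTPS to a third-party resolver, and rapidly rotating domains all bypass it, so in practice the blocked queries are also logged, since a host that keeps asking for a sinkholed name is itself a detection lead.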

October 2017 - Technical Report 2017 Emerging Technology Domains Risk Survey

Topics: Cyber-Physical Systems, Vulnerability Analysis

Authors: Dan J. Klinedinst, Joel Land, Kyle O'Meara

This report summarizes our understanding of future technologies. It helps US-CERT identify vulnerabilities, promote good security practices, and understand vulnerability risk.

October 2017 - Presentation Four Valuable Data Sources for Network Security Analytics

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall

This presentation focuses on the development and application of combined data analytics and offers several examples of analytics that combine domain resolution data with network device inventory and configuration data.

September 2017 - Technical Report R-EACTR: A Framework for Designing Realistic Cyber Warfare Exercises

Topics: Cybersecurity Engineering

Authors: Geoffrey B. Dobson, Thomas G. Podnar, Adam D. Cerini, Luke J. Osterritter

Introduces a design framework for cyber warfare exercises. It ensures that in designing team-based exercises, realism is factored into every aspect of the participant experience.

September 2017 - Video SEI Cyber Minute: Cyber Investigator Certificate Program

Authors: Larry Rogers

With an ever-increasing number of crimes with a cyber component, the need for investigators who have been trained in the ways of the Internet, encryption, and social media, to name a few, is growing and will continue to grow.

September 2017 - White Paper Architecture Practices for Complex Contexts

Topics: Software Architecture

Authors: John Klein

This doctoral thesis, completed at Vrije Universiteit Amsterdam, focuses on software architecture practices for systems of systems, including data-intensive systems.

September 2017 - Presentation Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules

Topics: Secure Coding

Authors: Lori Flynn, David Svoboda, William Snavely

In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.

September 2017 - Podcast Best Practices: Network Border Protection

Topics: Network Situational Awareness

Authors: Rachel Kartch

In this podcast, the latest in a series on best practices for network security, Rachel Kartch explores best practices for network border protection at the Internet router and firewall.

September 2017 - Conference Paper "SHORT"er Reasoning About Larger Requirements Models

Topics: Software Architecture

Authors: George Mathew (North Carolina State University), Tim Menzies (North Carolina State University), Neil Ernst, John Klein

SHORT is a tool to simplify reasoning about requirements engineering (RE) models by exploiting key decisions within them, evaluated on eight complex RE models.

September 2017 - Technical Note Defining a Progress Metric for CERT-RMM Improvement

Topics: Cyber Risk and Resilience Management

Authors: Gregory Crabb (United States Postal Service), Nader Mehravari (Axio Global), David Tobar

Describes the Cybersecurity Program Progress Metric and how its implementation in a large, diverse U.S. national organization can serve to indicate progress toward improving cybersecurity and resilience capabilities.

September 2017 - Podcast Verifying Software Assurance with IBM’s Watson

Authors: Mark Sherman

In this podcast, Mark Sherman discusses research aimed at examining whether developers could build an IBM Watson application to support an assurance review.

September 2017 - Presentation Three Secrets to Successful Agile Metrics

Authors: Will Hayes

This presentation provides insights into effective metrics programs in government settings where an Agile approach is used for development and sustainment of software-reliant systems.

August 2017 - Podcast The CERT Software Assurance Framework

Authors: Carol Woody, PhD, Christopher J. Alberts

In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework, a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.

August 2017 - Webinar Five Keys to Effective Agile Test Automation for Government Programs

Authors: Robert V. Binder, Suzanne Miller

In this discussion-focused webinar, Bob Binder and SuZ Miller discuss five key questions that government organizations considering the adoption of automated test techniques and tools in an Agile environment are likely to have.

August 2017 - Webinar The Evolving Role of the Chief Risk Officer

Topics: Risk and Opportunity Management

Authors: Summer C. Fowler, Greg Porter (Heinz College at Carnegie Mellon University)

In this webinar, we discussed the challenges facing the CRO role and how CMU's new CRO program can help you address those challenges.

August 2017 - Video SEI Cyber Minute: Representing Your Technical Debt

Topics: Software Architecture

Authors: Ipek Ozkaya

Watch Ipek Ozkaya in this Cyber Minute, as she recommends developers adopt a simple practice of reporting technical debt, including its potential accumulating side effects, as they discover or accrue that debt.

August 2017 - White Paper Blacklist Ecosystem Analysis: January - June, 2017

Topics: Network Situational Awareness

Authors: Eric Hatleback, Leigh B. Metcalf

This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this report covers the time period from January through June 2017.

August 2017 - Video SEI Cyber Minute: Software Defined World

Authors: Jeff Boleng

We live in a software defined world. More and more of the capability and value we derive from our connected devices is achieved by software.

August 2017 - Special Report The CERT Guide to Coordinated Vulnerability Disclosure

Topics: Vulnerability Analysis

Authors: Allen D. Householder, Garret Wassermann, Art Manion, Christopher King

This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go awry and how to respond when it does so.

August 2017 - Presentation Data Science Tutorial

Authors: Eliezer Kanal, Daniel DeCapria

This tutorial offers training on data science in cybersecurity principles and practices.

August 2017 - Presentation Applied Machine Learning in Software Security

Authors: Eliezer Kanal

In this presentation, Eliezer Kanal discusses how machine learning speeds prediction and classification in cybersecurity.

August 2017 - Video SEI Cyber Minute: Secure Coding Standards

Topics: Secure Coding

Authors: Robert Schiela

Watch Bob Schiela as he describes how SEI Secure Coding Standards have codified best practices for properly using features of specific languages to avoid security flaws in your software, thus reducing vulnerabilities.

August 2017 - Podcast Scaling Agile Methods

Authors: Eileen Wrubel, Will Hayes

In this podcast, Will Hayes and Eileen Wrubel present five perspectives on scaling Agile from leading thinkers in the field, including Scott Ambler, Steve Messenger, Craig Larman, Jeff Sutherland, and Dean Leffingwell.

July 2017 - Brochure Real-Time Extraction of Heart Rate from Video

Authors: Satya Venneti

This technical sheet details our project to extract heart rate from commodity video in real time.

July 2017 - Video SEI Cyber Minute: Cyber Security Risk Oversight

Authors: Summer C. Fowler

Watch Summer Fowler as she discusses "Cyber Security Risk Oversight" in this SEI Cyber Minute.

July 2017 - Video SEI Cyber Minute: Cyber Analytics

Authors: Eliezer Kanal

Watch Elli Kanal in this SEI Cyber Minute as he discusses "Cyber Analytics".

July 2017 - Webinar Practical Considerations in Adopting Agile/Lean in Government Settings

Topics: Acquisition Support

Authors: Suzanne Miller, Eileen Wrubel

This webinar summarizes much of what the SEI has learned in its eight years of researching and facilitating adoption of Agile and Lean methods in software-reliant systems in government.

July 2017 - Podcast Ransomware: Best Practices for Prevention and Response

Authors: Alexander Volynkin, Angela Horneman

In this podcast, CERT researchers spell out several best practices for prevention and response to a ransomware attack.

July 2017 - Special Report Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers

Topics: Vulnerability Analysis

Authors: Joel Land

This report describes a test framework that the CERT/CC developed to identify systemic and other vulnerabilities in CPE routers.

July 2017 - Technical Report Department of Defense Software Factbook

Topics: Measurement and Analysis

Authors: Brad Clark, Christopher Miller, James McCurley, David Zubrow, Rhonda Brown, Mike Zuccher (No Affiliation)

In this report, the Software Engineering Institute has analyzed data related to DoD software projects and translated it into information that is frequently sought-after across the DoD.

July 2017 - Technical Report DidFail: Coverage and Precision Enhancement

Topics: Secure Coding

Authors: Karan Dwivedi (No Affiliation), Hongli Yin (No Affiliation), Pranav Bagree (No Affiliation), Xiaoxiao Tang (No Affiliation), Lori Flynn, William Klieber, William Snavely

This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.
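The two-phase structure behind an inter-app intent taint analysis, as an added example (not DidFail's own code or output): phase 1 produces a per-app summary of intra-component flows between taint sources, taint sinks and intent sends/receives; phase 2 matches each implicit intent send to the components whose intent filters accept that action and searches the stitched graph for source-to-sink paths that may cross app boundaries. The app summaries, component names, intent actions and source/sink labels are constructed sample input, not results from any real app set.

```python
from collections import defaultdict

# Constructed phase-1 summaries, one per app (hand-written sample input; in a real tool
# these come from per-app taint analysis). "send:<action>" is an implicit intent the
# component sends, "recv:<action>" is data read from an intent the component received,
# and "filters" lists the intent actions the component is registered for.
APPS = {
    "AppA": {"MainActivity": {"filters": [],
             "flows": [("source:DEVICE_ID", "send:com.example.SHARE")]}},
    "AppB": {"ShareReceiver": {"filters": ["com.example.SHARE"],
             "flows": [("recv:com.example.SHARE", "sink:SMS_SEND")]}},
    "AppC": {"Uploader": {"filters": ["com.example.LOG"],
             "flows": [("recv:com.example.LOG", "sink:INTERNET")]}},
    "AppD": {"Relay": {"filters": ["com.example.SHARE"],
             "flows": [("source:LOCATION", "send:com.example.LOG"),
                       ("recv:com.example.SHARE", "send:com.example.LOG")]}},
}


def build_graph(apps):
    """Phase 2: stitch per-app summaries together by matching intent sends to intent filters."""
    receivers = defaultdict(list)          # action -> [(app, component), ...]
    for app, comps in apps.items():
        for comp, info in comps.items():
            for action in info["filters"]:
                receivers[action].append((app, comp))

    graph = defaultdict(set)               # node -> set of successor nodes
    for app, comps in apps.items():
        for comp, info in comps.items():
            for src, dst in info["flows"]:
                # intra-component taint flow reported by phase 1
                graph[(app, comp, src)].add((app, comp, dst))
                if dst.startswith("send:"):
                    # implicit intent: every registered receiver of this action may get the data
                    action = dst[len("send:"):]
                    for rapp, rcomp in receivers[action]:
                        graph[(app, comp, dst)].add((rapp, rcomp, "recv:" + action))
    return graph


def find_leaks(apps):
    """Return sorted (source, sink, route) triples for every source-to-sink path found."""
    graph = build_graph(apps)
    leaks = set()
    for start in [n for n in graph if n[2].startswith("source:")]:
        stack = [(start, [start])]
        while stack:
            node, path = stack.pop()
            if node[2].startswith("sink:"):
                route = []                 # components traversed, collapsing consecutive repeats
                for app, comp, _ in path:
                    if not route or route[-1] != f"{app}/{comp}":
                        route.append(f"{app}/{comp}")
                leaks.add((start[2], node[2], tuple(route)))
                continue
            for nxt in graph.get(node, ()):
                if nxt not in path:        # avoid looping through relay components
                    stack.append((nxt, path + [nxt]))
    return sorted(leaks)


if __name__ == "__main__":
    for source, sink, route in find_leaks(APPS):
        print(f"{source} -> {sink} via {' -> '.join(route)}")
```

Because phase 1 is computed once per app, adding an app to the set only requires summarizing that app and re-running the cheap phase-2 matching; the sample above yields three leaks, two of which exist only because AppD relays data it receives into a second intent.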

June 2017 - Podcast Integrating Security in DevOps

Topics: Performance and Dependability

Authors: Hasan Yasar

In this podcast, Hasan Yasar discusses how Secure DevOps attempts to shift the paradigm for tough security problems from following rules to creatively determining solutions.

June 2017 - White Paper The Hard Choices Game Explained

Topics: Software Architecture

Authors: Nanette Brown, Philippe Kruchten, Erin Lim, Robert Nord, Ipek Ozkaya

The Hard Choices game is a simulation of the software development cycle meant to communicate the concepts of uncertainty, risk, and technical debt.

June 2017 - Podcast SEI Fellows Series: Peter Feiler

Topics: Software Architecture

Authors: Peter H. Feiler

Peter Feiler was named an SEI Fellow in August 2016. This podcast is the second in a series highlighting interviews with SEI Fellows.

June 2017 - Video SEI Cyber Minute: Code Flaw Alert Classification

Authors: Lori Flynn

Watch Lori Flynn in this SEI Cyber Minute as she discusses "Code Flaw Alert Classification".

June 2017 - Video SEI Cyber Minute: Adding Security to Agile's Scrum

Authors: Mark Sherman

Watch Mark Sherman in this SEI Cyber Minute as he discusses "Adding Security to Agile's Scrum".

June 2017 - White Paper Federal Virtual Training Environment (FedVTE)

Authors: Marie Baker, April Galyardt, Dominic A. Ross

The Federal Virtual Training Environment (FedVTE) is an online, on‐demand training system containing cybersecurity and certification prep courses, at no cost to federal, state, and local government employees.

June 2017 - White Paper Blacklist Ecosystem Analysis: July – December 2016

Authors: Eric Hatleback, Leigh B. Metcalf

This report provides a summary of various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this report covers the time period from July 1 through December 31, 2016.

May 2017 - Presentation Mothra: A Large-Scale Data Processing Platform for Network Security Analysis

Authors: Anthony Cebzanov

In this presentation, the author discusses the Mothra security analysis platform.

May 2017 - Video SEI Cyber Minute: Wannacry Ransomware

Authors: Robert W. Beveridge

Watch Robert Beveridge in this SEI Cyber Minute as he discusses "Wannacry Ransomware".

May 2017 - Presentation Assessing Targeted Attacks in Incident Response Threat Correlation

Authors: Allan Thomas (Looking Glass), Dr. Jamison Day (Looking Glass)

In this presentation, the authors assess targeted attacks and advise how automating correlation of threat and network information can help your organization.

May 2017 - Podcast NTP Best Practices

Topics: Cyber-Physical Systems

Authors: Timur D. Snoke

In this podcast, Timur Snoke explores the challenges of NTP and prescribes some best practices for securing accurate time with this protocol.
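The client-side checks that make NTP time trustworthy, as an added example that is not part of the podcast: parse a server reply, reject replies whose origin timestamp does not echo the request (the check that defeats off-path spoofing and replay), whose stratum or leap indicator signals an unsynchronized or kiss-o'-death server, or whose root dispersion is too large; compute the standard offset from the four timestamps; and only trust an offset that a majority of independent sources agree on. The packet builder and all timestamps are constructed offline sample input; a real client would read the 48 bytes from UDP port 123 and would use four or more servers.

```python
import struct

# NTPv4 wire layout (RFC 5905), big-endian: LI/VN/Mode, stratum, poll, precision,
# root delay (signed 16.16), root dispersion (unsigned 16.16), reference ID, then
# reference/origin/receive/transmit timestamps as 32-bit seconds since 1900 + 32-bit fraction.
NTP_FORMAT = "!BBBbiI4s" + "II" * 4
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch


def unix_to_ntp(t):
    whole = int(t)
    return whole + NTP_EPOCH_OFFSET, int((t - whole) * 2**32)


def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_server_reply(origin, receive, transmit, stratum=2, leap=0, mode=4, root_disp=0.01):
    """Constructed server reply used as offline sample input (a real client gets this from the wire)."""
    lvm = (leap << 6) | (4 << 3) | mode
    return struct.pack(NTP_FORMAT, lvm, stratum, 6, -20, 0, int(root_disp * 2**16), b"GPS\x00",
                       *unix_to_ntp(transmit), *unix_to_ntp(origin),
                       *unix_to_ntp(receive), *unix_to_ntp(transmit))


def parse_reply(pkt):
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    f = struct.unpack(NTP_FORMAT, pkt[:48])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "root_delay": f[4] / 2**16, "root_dispersion": f[5] / 2**16,
        "origin_raw": (f[9], f[10]),                      # must echo our transmit timestamp
        "receive": ntp_to_unix(f[11], f[12]),             # T2
        "transmit": ntp_to_unix(f[13], f[14]),            # T3
    }


def check_reply(reply, sent_origin, max_root_dispersion=1.0):
    """Return the reasons a reply must be discarded; an empty list means it is usable."""
    problems = []
    if reply["mode"] != 4:
        problems.append("not a server reply (mode %d)" % reply["mode"])
    if reply["leap"] == 3:
        problems.append("server reports its clock unsynchronized (LI=3)")
    if not 1 <= reply["stratum"] <= 15:
        problems.append("stratum %d is kiss-o'-death or unsynchronized" % reply["stratum"])
    if reply["origin_raw"] != sent_origin:
        problems.append("origin timestamp does not match our request (spoofed or replayed)")
    if reply["root_dispersion"] > max_root_dispersion:
        problems.append("root dispersion too large to trust")
    if reply["transmit"] < reply["receive"]:
        problems.append("transmit timestamp precedes receive timestamp")
    return problems


def clock_offset(reply, t1, t4):
    """Standard NTP offset ((T2 - T1) + (T3 - T4)) / 2; T1/T4 are the client's send/receive times."""
    return ((reply["receive"] - t1) + (reply["transmit"] - t4)) / 2


def select_offset(offsets, tolerance=0.128, min_agree=3):
    """Accept an offset only when a majority of sources cluster around the median (falseticker rejection)."""
    if len(offsets) < min_agree:
        return None
    median = sorted(offsets)[len(offsets) // 2]
    agreeing = [o for o in offsets if abs(o - median) <= tolerance]
    if len(agreeing) < min_agree or 2 * len(agreeing) <= len(offsets):
        return None
    return sum(agreeing) / len(agreeing)


if __name__ == "__main__":
    t1 = 1700000000.0                                     # client transmit (constructed)
    pkt = build_server_reply(origin=t1, receive=t1 + 0.25, transmit=t1 + 0.5)
    reply = parse_reply(pkt)
    print(check_reply(reply, unix_to_ntp(t1)), clock_offset(reply, t1, t1 + 1.0))
```

The origin check only helps if the client sends an unpredictable transmit timestamp (keeping full 32-bit fraction entropy), and the majority rule is what makes one compromised or misconfigured server harmless; with only two sources there is no way to tell which one is lying.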

May 2017 - Presentation Changes and Challenges of Technical Debt and Its Management During Ongoing Digital Transformation

Authors: Jesse Yli-Huumo (Aalto University), Kari Smolander (Aalto University)

This presentation was part of the Ninth International Workshop on Managing Technical Debt, held in conjunction with XP 2017.

May 2017 - Presentation Revisiting Context-Based Code Smells Prioritization: On Supporting Referred Context

Authors: Natthawute Sae-Lim (Tokyo Institute of Technology), Shinpei Hayashi (Tokyo Institute of Technology), Motoshi Saeki (Tokyo Institute of Technology)

This presentation was part of the Ninth International Workshop on Managing Technical Debt, held in conjunction with XP 2017.

May 2017 - Presentation The Magnificent Seven: Towards a Systematic Estimation of the Technical Debt Interest

Authors: Antonio Martini (Chalmers University of Technology and University of Gothenburg), Jan Bosch (Chalmers University of Technology)

This presentation was part of the Ninth International Workshop on Managing Technical Debt, held in conjunction with XP 2017.

May 2017 - Presentation Assessing Code Smell Interest Probability: A Case Study

Authors: Sofia Charalampidou (University of Groningen), Alexander Chatzigeorgiou (University of Groningen), Apostolos Ampatzoglou (University of Groningen), Paris Avgeriou (University of Groningen)

This presentation was part of the Ninth International Workshop on Managing Technical Debt, held in conjunction with XP 2017.

May 2017 - Presentation Selling the Business Case for Architectural Debt Reduction

Authors: Eltjo Poort (CGI)

Eltjo Poort presents failure and success stories from CGI's architects in three golden rules to help sell your business case for architectural debt reduction.

May 2017 - Presentation Navigating the Pitfalls and Promises of Network Security Monitoring (NSM)

Authors: Dr. Scott Miserendino (BluVector), Michael Gora (BluVector)

In this presentation, the authors discuss Network Security Monitoring (NSM).

May 2017 - Presentation SilkWeb – Analyze Silk Data Through API and Javascript Frameworks

Authors: Vijay S. Sarvepalli, Dwight S. Beaver

In this presentation, the authors describe SilkWeb and how to analyze silk data through API and Javascript frameworks.

May 2017 - Presentation Finding the Needle in the Haystack

Authors: Jonzy Jones (University of Utah)

In this presentation, given at FloCon 2017, Jonzy Jones discusses NetFlows and methods to discover illegitimate traffic.

May 2017 - Article Graduate Curricula in Software Engineering and Software Assurance: Need and Recommendations

Authors: Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University)

This paper discusses two related efforts to provide guidance about improving professional software engineering through graduate education.

May 2017 - Video SEI Cyber Minute: Distributed Artificial Intelligence in Space

Topics: Cyber-Physical Systems

Authors: James Edmondson

SEI Podcast Series: Distributed Artificial Intelligence in Space by James Edmondson

May 2017 - Presentation Using Flow for Realtime Traffic Management in 100G Networks

Authors: John Gerth (Stanford University), Johan van Reijendam (Stanford University)

In this presentation, the authors discuss using flow for realtime traffic and the challenges that can occur.

May 2017 - Podcast Establishing Trust in Disconnected Environments

Authors: Grace Lewis

In this podcast, Grace Lewis presents a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field, as well as an evaluation and implementation of the solution.

May 2017 - Presentation Detecting Threats, Not Sandboxes

Authors: Blake Anderson (Cisco Systems, Inc.), David McGrew (Cisco Systems, Inc.)

In this presentation, the authors discuss detecting threats and characterizing network environment to improve Malware Classification.

May 2017 - Presentation I Want Your Flows To Be Lies

Authors: Adam Wick (Galois, Inc.)

In this presentation, Adam Wick discusses Netflow and problems that could occur on a network.

May 2017 - Presentation Backbone Network DRDoS Attack Monitoring and Analysis

Authors: Yang Xu, Qitian Su

In this presentation, the authors discuss threat research and security basic data, including DRDoS monitoring, scanner tracking, botnet tracking, and other systems.

May 2017 - Presentation Netflow Collection and Analysis at Tier 1 Internet Peering

Authors: Fred Stringer (AT&T Chief Security Organization)

In this presentation, Fred Stringer defines Internet Peering and discusses Netflow Collection and Analysis.

May 2017 - Presentation DDoS Defense for a Community of Peers

Authors: Jem Berkes (Galois), Adam Wick (Galois, Inc.)

In this presentation the authors discuss DDoS Defense.

May 2017 - Presentation An API to Filter Network Flows in the Web to Use as Plugin in Web Based Network Visualization Apps

Authors: Julio de la Cruz (University of Puerto Rico), Ian Dávila (University of Puerto Rico), Dr. José Ortiz Ubarri (University of Puerto Rico)

In this presentation, the authors describe how to create an API that allows system administrators to manage network flows of data on the web.

May 2017 - Video SEI Cyber Minute: Enterprise Risk Management

Topics: Cyber Risk and Resilience Management

Authors: Summer C. Fowler

Watch Summer Fowler in this SEI Cyber Minute as she discusses "Enterprise Risk Management".

May 2017 - Webinar Building Analytics for Network Flow Records

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall, Matthew Heckathorn

Learn how to identify network flow characteristics and metrics that support understanding traffic.
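One concrete flow analytic of the kind this webinar and the earlier "Finding the Needle in the Haystack" presentation describe, as an added example (not code from either talk): per-source summaries computed over flow records (distinct destination hosts and ports, bytes per packet, share of single-packet flows), then a rule that separates a vertical port scan and a horizontal sweep from ordinary sessions. The records below are constructed sample input loosely modeled on delimited SiLK rwcut output, not captured traffic, and the thresholds are illustrative assumptions to be tuned against a site's own baseline.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real traffic). Fields loosely follow
# delimited rwcut output: sIP|dIP|sPort|dPort|pro|packets|bytes
SAMPLE_FLOWS = """sIP|dIP|sPort|dPort|pro|packets|bytes
10.0.0.5|192.0.2.10|40001|22|6|1|60
10.0.0.5|192.0.2.10|40002|23|6|1|60
10.0.0.5|192.0.2.10|40003|25|6|1|60
10.0.0.5|192.0.2.10|40004|80|6|1|60
10.0.0.5|192.0.2.10|40005|110|6|1|60
10.0.0.5|192.0.2.10|40006|143|6|1|60
10.0.0.5|192.0.2.10|40007|443|6|1|60
10.0.0.5|192.0.2.10|40008|3306|6|1|60
10.0.0.5|192.0.2.10|40009|3389|6|1|60
10.0.0.5|192.0.2.10|40010|8080|6|1|60
10.0.0.7|192.0.2.11|52000|443|6|120|98000
192.0.2.11|10.0.0.7|443|52000|6|110|1250000
10.0.0.9|192.0.2.20|33001|445|6|1|60
10.0.0.9|192.0.2.21|33002|445|6|1|60
10.0.0.9|192.0.2.22|33003|445|6|1|60
10.0.0.9|192.0.2.23|33004|445|6|1|60
10.0.0.9|192.0.2.24|33005|445|6|1|60
10.0.0.9|192.0.2.25|33006|445|6|1|60
10.0.0.9|192.0.2.26|33007|445|6|1|60
10.0.0.9|192.0.2.27|33008|445|6|1|60
"""

INT_FIELDS = ("sPort", "dPort", "pro", "packets", "bytes")


def parse_flows(text):
    """Parse pipe-delimited flow records into dicts with integer numeric fields."""
    reader = csv.DictReader(io.StringIO(text.strip()), delimiter="|")
    flows = []
    for row in reader:
        rec = {k.strip(): v.strip() for k, v in row.items()}
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def summarize_sources(flows):
    """Per-source metrics: fan-out to hosts and ports, bytes per packet, single-packet flow share."""
    acc = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0,
                               "hosts": set(), "ports": set(), "single": 0})
    for f in flows:
        s = acc[f["sIP"]]
        s["flows"] += 1
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["hosts"].add(f["dIP"])
        s["ports"].add(f["dPort"])
        if f["packets"] == 1:
            s["single"] += 1
    return {ip: {"flows": s["flows"], "packets": s["packets"], "bytes": s["bytes"],
                 "dst_hosts": len(s["hosts"]), "dst_ports": len(s["ports"]),
                 "single_packet_ratio": s["single"] / s["flows"],
                 "bytes_per_packet": s["bytes"] / s["packets"]}
            for ip, s in acc.items()}


def flag_scanners(summary, min_targets=8, min_single_packet_ratio=0.9):
    """Flag sources whose flows are mostly single packets spread over many ports or many hosts."""
    flagged = []
    for ip, s in summary.items():
        if s["single_packet_ratio"] < min_single_packet_ratio:
            continue  # real sessions exchange many packets; skip them
        if s["dst_hosts"] == 1 and s["dst_ports"] >= min_targets:
            flagged.append((ip, "vertical"))     # one host, many ports
        elif s["dst_hosts"] >= min_targets and s["dst_ports"] == 1:
            flagged.append((ip, "horizontal"))   # one port, many hosts
        elif s["dst_hosts"] >= min_targets and s["dst_ports"] >= min_targets:
            flagged.append((ip, "block"))        # many of both
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_sources(parse_flows(SAMPLE_FLOWS))
    for ip, kind in flag_scanners(summary):
        print(ip, kind, summary[ip])
```

Bytes per packet is kept in the summary because it is the cheapest discriminator between a probe (roughly one minimum-size packet per flow) and a bulk transfer, and the same per-source table can drive other analytics, such as counting how many flows to a port got no reply.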

May 2017 - Presentation Linda Northrop Software Architecture Award Keynote: Visual Architecting

Authors: Ruth Malan (Bredemeyer Consulting)

How we think of architecture shapes what we do as architects, and what we do shapes how we think of architecture. This presentation emphasizes visual expression of design.

May 2017 - Presentation Ultimate Architecture Enforcement: Write Your Own Rules and Enforce Them Continuously

Authors: Paulo Merson (Brazilian Federal Court of Accounts)

The architecture carefully created is often not followed in the implementation. This tutorial provides an easy-to-use, automated approach to avoid this issue.

May 2017 - Presentation Architecture Decision Records in Action

Authors: Michael Keeling (IBM Watson Group), Joe Runde (IBM)

Architecture Decision Records capture architectural design decisions in a lightweight plain-text template stored in your existing version control system.

May 2017 - Presentation Django & Twitter Bootstrap in the Workplace: Build 'em Fast and Furious

Topics: Software Architecture

Authors: Eliezer Kanal

In this talk, I'll discuss how I used the Django web framework, in conjunction with Twitter Bootstrap, to quickly build complex business applications.

May 2017 - Presentation Going Serverless: Building Production Applications Without Managing Infrastructure

Authors: Christopher Phillips (Stanley Black & Decker, Inc.)

This talk introduces serverless computing, a new paradigm in the cloud for deploying applications that requires no server administration and scales in function and cost.

May 2017 - Presentation Making the Switch to "Serverless" Full-Stack Development

Authors: David Aktary (AktaryTech)

This session covers what serverless really means, the differences among providers, why to consider using a serverless architecture, and how to implement one.

May 2017 - Presentation EventStorming: Collaborative Learning for Complex Domains

Authors: Paul Rayner (Virtual Genius LLC)

In the EventStorming workshop, developers and business experts use sticky notes to map out an event-based story of how a software system behaves.

May 2017 - Presentation Customer Experience Architecture, Hands On

Authors: Bett Bollhoefer (GE Digital)

In this interactive session, participants redesign a system by interviewing a customer, creating a prototype, reviewing it with the group, and getting feedback.

May 2017 - Presentation Smelling Out a Bad Security Culture

Authors: Harald Wesenberg (Statoil ASA)

In this talk, I share experiences from years of security observations that help identify weak signals of a faulty security culture in a large organization.

May 2017 - Presentation Real-Life SOA Transformation: A Journey at Rackspace from Monolithic to SOA and Beyond

Authors: Marco Cuellar (Rackspace), Yogeshwar Srikrishnan (Rackspace)

An enterprise-wide transformation like moving to SOA is not an easy task. A team of Rackspace architects will share their transformation journey and future plans.

May 2017 - Presentation High-Performance Multi-Threaded Immutable Store for C++

Authors: Adi Levin (Align Technology)

We present a battle-proven architecture for lock-free concurrency control. Our method supports high-performance data-driven and event-driven applications.

May 2017 - Presentation Enterprise IT: How to Avoid Mediocrity

Authors: Jørn Ølmheim (Statoil ASA)

This talk outlines why large enterprises attract and cultivate mediocrity and suggests some measures that large organizations can take to avoid this phenomenon.

May 2017 - Presentation Quality Metrics: Nutritional Labels for Code

Authors: G. Ann Campbell (SonarSource SA)

Nutrition labels help us make smart choices about the food we eat. Quality metrics are easy to collect and should be as universally available as nutrition labels.

May 2017 - Presentation An In-Depth Look at Event Sourcing with Command Query Responsibility Segregation

Authors: Sebastian von Conrad (Envato)

Event Sourcing can enable us to move faster by supporting rapid experimentation with new perspectives, new user interactions, and new insights into our business.

May 2017 - Presentation Building Smarter Apps with Cognitive APIs

Authors: Pavel Veller (EPAM Systems, Inc.)

This session introduces cognitive APIs, pre-trained APIs, and trainable-models-as-a-service and showcases using cognitive APIs to build a conversational chatbot.

May 2017 - Presentation Beyond Bitcoin: What to Do with Blockchain?

Authors: Nelson Petracek (TIBCO Software, Inc.)

Blockchain is an emerging technology that is receiving interest among enterprises and analysts. It has potential far beyond the cryptocurrency known as Bitcoin.

May 2017 - Presentation The Life and Times of an Architecture: Architectural Decision Making Throughout the Solution Life Cycle

Authors: Eltjo Poort (CGI)

Explore the metaphor of a human lifetime to illustrate various aspects of architectural decision making throughout a software system's lifecycle.

May 2017 - Presentation Cloud-Native Development, Cloud-Nomadic Deployment

Authors: Topher Bullock (Pivotal Software, Inc.)

This talk overviews emerging trends covering how cloud-native applications, platform as a service, automation, and infrastructure as code help you deploy software.

May 2017 - Presentation Keynote: There Is No Such Thing as a Microservice!

Authors: Chris Richardson (Eventuate, Inc.)

The concept of microservices is not well understood. This talk defines the microservice architecture as an architectural style and explains what that actually means.

May 2017 - Presentation Is Your Project in Trouble on System Performance?

Authors: Charles Chow (Deloitte Consulting)

Why do so many projects have system performance issues at a later stage of implementation? Are projects with severe performance issues salvageable?

May 2017 - Presentation How to Perform a Rapid Assessment of Any Software Architecture

Authors: Tim Kertis (Raytheon)

This presentation suggests a simple process to perform a rapid assessment of any software architecture effort, regardless of size, complexity, or development stage.

May 2017 - Presentation How to Gain Influence as a Software Architect

Authors: Adi Levin (Align Technology)

The success of a software architect relies on his or her ability to influence development teams and decision makers and to gain the trust of other stakeholders.

May 2017 - Presentation Turning Projects into Products and Wind into Profit, or How GE Renewables Was Transformed into a Cloud SaaS Provider

Authors: Arila Barnes (GE Digital)

I share a case study of how a lean approach to developing product architecture was applied at GE Renewables Digital to bring software products to renewables assets.

May 2017 - Presentation Reliable Statements About a Fault-Tolerant X-by-Wire eCar

Authors: Joachim Fröhlich (Siemens AG), Florian Krautwurm (Siemens AG), Stefan Rothbauer (Siemens AG)

We discuss the use of novel test probes for hardware and software to check functional, performance, and safety properties in cyber-physical systems in an eCar.

May 2017 - Presentation Cloud Detour: Resiliency Testing Tool for Cloud Resources

Authors: Sathiya Shunmugasundaram (Capital One), Gnani Dathathreya (Capital One)

Cloud Detour—a chaos-engineering discipline—subjects applications to failures in the cloud and helps you weigh them against resiliency levels.

May 2017 - Presentation Refactoring with Cognitive Complexity: The New Option for Measuring Understandability

Authors: G. Ann Campbell (SonarSource SA)

Cyclomatic complexity measures testability, not understandability. Learn how to use cognitive complexity in refactoring for simpler, more maintainable code.

May 2017 - Presentation Microservices in the Cloud Using Kubernetes, Docker, and Jenkins

Authors: Kurt Stam (Red Hat)

This presentation introduces Docker and Kubernetes, dives into microservices development and deployment using CI/CD pipelines, and shows a demo of a cloud-in-a-box.

May 2017 - Presentation Case Studies of Enterprise IT Governance Models for Maturity Assessment of Architectures and Frameworks

Authors: Siva Muthu (Deloitte Consulting)

This presentation explores IT governance models used to govern architecture decisions and a framework to assess architecture maturity in large-scale enterprises.

May 2017 - Presentation CD for DBs: Database Deployment Strategies

Authors: Christopher Fulton (Electric Cloud)

Your organization's database stores mission-critical and sensitive data. You need to ensure data integrity, ACID, and data retention and have a rollback strategy.

May 2017 - Presentation Automate ALL the Things: Taking Advantage of Free Tools to Automate Your End-to-End Release Pipelines

Authors: Avantika Mathur (Electric Cloud)

Learn how to create a fully automated release pipeline by tying in common tools that you likely use in your process from Continuous Integration build to release.

May 2017 - Presentation Functional Programming Invades Architecture

Authors: George Fairbanks (Google)

Functional programming (FP) has invaded architectures. This talk surveys FP architecture ideas, how they work, and why they are increasingly popular.

May 2017 - Presentation From REST to gRPC: An API Evolution Story

Authors: Michael Keeling (IBM Watson Group), Joe Runde (IBM)

In this talk, we describe how we moved backing Watson Discovery microservices from REST to gRPC and the lessons we learned in the process.

May 2017 - Presentation Deliver Fast with Confidence

Authors: Joseph Yoder (The Refactory, Inc.)

This talk examines various practices and techniques that lead to better software quality, all of which enable teams to deliver faster and with more confidence.

May 2017 - Presentation Love Your Architecture II

Authors: Paulo Merson (Brazilian Federal Court of Accounts (TCU))

Architecture requires attention throughout a project. Using FOSS tools in a fully automated way, ensure that architectural design decisions are implemented.

May 2017 - Presentation Story of an Architect Growing up in Mr. Agile's Neighborhood

Authors: Amine Chigani (Current by GE)

If the Agile Manifesto were a boy, he'd be a high school junior today. This talk presents some stories about growing up in this kid's neighborhood.

May 2017 - Presentation Safety and Security in Mission-Critical IoT Systems

Authors: Einar Landre (Statoil ASA)

Mission-critical and safety-critical applications have crept into the Internet of Things (IoT). This talk covers architectural challenges that the IoT brings.

May 2017 - Presentation Keynote: Software Is Details

Authors: Kevlin Henney (Curbralan Limited)

"It's just a detail." Software is lots of details brought together in combination. If we don't focus on the details, we get debt, defects, and delays.

May 2017 - Presentation Continuously Validating Architectures in an Agile-Centric World

Authors: Erder Murat (Deutsche Bank), Pierre Pureur (Travelers)

IT groups are using agile approaches and short release cycles to deliver systems rapidly. We present a new approach for continuously validating architectures.

May 2017 - Presentation Microservices Architecture: Lessons Learned

Authors: Sairam Tadigadapa (Capital One)

This presentation shares lessons learned about microservices architecture, key success factors, and practical considerations such as production support issues.

May 2017 - Presentation Microservices and Docker at Scale: The PB&J of Modern Application Delivery

Authors: Avantika Mathur (Electric Cloud)

This talk describes requirements for building, deploying, and operating microservices on a large-scale Docker-ized infrastructure, a good fit for microservices.

May 2017 - Presentation Crowdsourcing Software Architecture: The Distributed Architect

Authors: Stefan Toth (embarc Software Consulting GmbH)

It has always been difficult to find all important aspects of an architect in one person. This talk introduces distributed approaches to the architect's role.

May 2017 - Presentation A Hands-on Introduction to Docker

Authors: Len Bass (Carnegie Mellon University)

Containers are lightweight virtual machines that have become default packaging mechanisms for deploying systems, and Docker is the pre-eminent container system.

May 2017 - Presentation Pragmatic Architecture, Today

Authors: Bart Blommaerts (Ordina)

Do we really need architecture in agile projects? Can an architect help make rapid, agile delivery sustainable in a changing world? Yes! This talk demonstrates how.

May 2017 - Presentation Agile Architecture and Design

Authors: Pradyumn Sharma (Pragati Software Pvt Ltd)

This session provides examples from projects to help you understand how to establish an architecture for a system in an agile way while meeting requirements.

May 2017 - Presentation The Influential Architect: Succeeding at Scale Among Fully Autonomous Teams

Authors: Sebastian von Conrad (Envato)

In a company at scale with many fully autonomous and agile development teams, the architect's role is more about preventing entropy than about setting direction.

May 2017 - Presentation Component Systems in the Field: Integrating and Controlling System Services Easily Using Connectors

Authors: Joachim Fröhlich (Siemens AG), Florian Krautwurm (Siemens AG), Markus Lachenmayr (Siemens AG)

Connectors simplify DevOps in industrial environments. They decouple components without performance costs and let services intersect with component functions.

May 2017 - Presentation Blending Product Thinking with Architecture

Authors: Joel Tosi (independent consultant)

Product Thinking is critical to avoid over-engineering a product. This session explores simple practices that help teams blend architecture with the needs of the product.

May 2017 - Presentation A Method for Business Function Allocation and Interface Definition in System-of-Systems Architecture

Authors: Andrzej Knafel (Roche Diagnostics International, Ltd.)

This method for making architecture decisions allocates business functions to system-of-systems components and defines interfaces for complex IT and software.

May 2017 - Presentation Get Management Attention and Transform Your Software: Communicating Architecture with Value Proposition Design

Authors: Thijmen de Gooijer (ASSA ABLOY Group)

Overcome lengthy backlogs and tight development budgets, and win over your stakeholders by talking about how to deliver customer value quickly and iteratively.

May 2017 - Presentation Thinking about Intrusion Kill Chains as Mechanisms

Topics: Cybersecurity Engineering

Authors: Jonathan Spring, Eric Hatleback

We integrate two established modeling methods from disparate fields: mechanisms from the philosophy of science literature and intrusion kill chain modeling from the computer security literature.

May 2017 - Presentation Keep CALM and Architect On: An Architect's Role in DevOps

Authors: Terri Potts (Raytheon Intelligence, Information and Services), Eric Ort (Raytheon)

The key concepts in DevOps are CALM: Culture, Automation, Lean, and Measurement. How does an architect support the transformation to DevOps in the four CALM areas?

May 2017 - Presentation DevOps, Architecture, and Security in a Cloud

Authors: Greg Shevchenko (UPMC Enterprises), Paul Dudeck (UPMC Enterprises)

The success of your DevOps team depends on collaboration between development and operations, maturity of development processes, and guiding architecture principles.

May 2017 - Article Assessing DoD System Acquisition Supply Chain Risk Management

Topics: Cybersecurity Engineering, Acquisition Support, Risk and Opportunity Management

Authors: Christopher J. Alberts, John Haller, Charles M. Wallen, Carol Woody, PhD

In this Crosstalk article, the authors discuss the growing challenge of cyber risks in the defense supply chain.

April 2017 - Video SEI Cyber Minute: Automated Code Repair

Authors: William Klieber

Watch Will Klieber in this SEI Cyber Minute as he discusses "Automated Code Repair".

April 2017 - Podcast Distributed Artificial Intelligence in Space

Topics: Cyber-Physical Systems

Authors: James Edmondson

In this podcast, James Edmondson discusses his work to bring distributed artificial intelligence to a next generation, renewable power grid in space.

April 2017 - Video SEI Cyber Minute: Insider Threats

Topics: Insider Threat

Authors: Randall F. Trzeciak

Watch Randy Trzeciak in this SEI Cyber Minute as he discusses "Insider Threats".

April 2017 - Technical Report IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement (SPA) Award 2016: Nationwide

Topics: Process Improvement

Authors: Will J.M. Pohlman (Nationwide IT)

This report describes the 10-year history of Nationwide's software process improvement journey. Nationwide received the 2016 Watts Humphrey Software Process Achievement Award from the SEI and IEEE.

April 2017 - Conference Paper What to Fix? Distinguishing Between Design and Non-design Rules in Automated Tools

Topics: Software Architecture

Authors: Neil Ernst, Stephany Bellomo, Ipek Ozkaya, Robert Nord

This paper describes an empirical study using a structured categorization approach to manually classify 466 software quality rules from three industry tools.

April 2017 - Conference Paper Using Stakeholder Preferences to Make Better Architecture Decisions

Topics: Software Architecture

Authors: Neil Ernst, John Klein, George Mathew (North Carolina State University), Tim Menzies (North Carolina State University)

This paper describes a method to collect stakeholder preferences about architecture options and uses automated optimization to identify important architecture decisions.

April 2017 - Technical Note Prototype Software Assurance Framework (SAF): Introduction and Overview

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Carol Woody, PhD

In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.

April 2017 - Video SEI Cyber Minute: Enhancing Malware Analysis with AI

Authors: Eliezer Kanal

Watch Elli Kanal in this SEI Cyber Minute as he discusses "Enhancing Malware Analysis with AI".

April 2017 - Video SEI Cyber Minute: Defending Against DDOS Attacks

Topics: Cyber Risk and Resilience Management

Authors: Rachel Kartch

Watch Rachel Kartch in this SEI Cyber Minute as she discusses "Defending Against DDOS Attacks".

March 2017 - Presentation Keynote: A Perspective on Military Software Needs

Authors: Heidi Shyu (No Affiliation)

The commercial software industry is rapidly growing and creating disruptive technologies. How do we leverage the explosive growth in software capabilities for the military? What are the unique software challenges for the military?

March 2017 - Podcast Verifying Distributed Adaptive Real-Time Systems

Authors: Sagar Chaki, James Edmondson

In this podcast, James Edmondson and Sagar Chaki describe an architecture and approach to engineering high-assurance software for Distributed Adaptive Real-Time (DART) systems.

March 2017 - Presentation Agile Project Success and Failure (The Story of the FBI Sentinel Program)

Authors: Thomas E. Friend (Agile On Target)

This presentation describes how the FBI adopted Agile and succeeded after two failed attempts at building a $300 million case management system.

March 2017 - Presentation Using Malware Analysis to Identify Overlooked Security Requirements

Topics: Malware Analysis, Vulnerability Analysis

Authors: Nancy R. Mead, Jose A. Morales

This presentation describes initial research conducted by CERT and Carnegie Mellon to determine if malware report databases were amenable to automated processing to identify flaws.

March 2017 - Presentation 6 Things You Need to Know About Data Governance

Authors: John Klein

This presentation presents a framework to guide governance decisions.

March 2017 - Presentation A Tale of Two (Agile) Programs

Authors: Suzanne Miller, Will Hayes

The SEI has worked with several government programs that are adopting Agile and Lean engineering approaches. In this presentation, we provide insights into two distinct patterns of adoption that we have seen in our work.

March 2017 - Presentation The Relationship Between Design Flaws and Software Vulnerabilities: A Technical Debt Perspective

Topics: Software Architecture

Authors: Ipek Ozkaya, Robert Nord

This presentation explores the relationships between design flaws and software vulnerabilities, and their impact on software assurance and sustainable development and delivery.

March 2017 - Presentation Struggles at the Frontiers: Persistent Pursuit of Software Assurance in the Development and Sustainment of Defense Systems

Topics: Acquisition Support

Authors: Kenneth Nidiffer

This presentation presents new processes, techniques, and tools being used to improve software assurance in the development and sustainment of defense systems.

March 2017 - Presentation Panel: Software Sustainment - Continuous Engineering to Deliver Warfighter Capability

Topics: Measurement and Analysis, Acquisition Support

Authors: Michael McLendon, Stephany Bellomo, Forrest Shull, John Stankowski (Office of the DASD for Maintenance Policy and Programs)

This technical panel focused on the DoD's software sustainment challenges and highlighted the key findings of the SEI's study of DoD software sustainment infrastructure.

March 2017 - Presentation Nationwide IT: A Software Process Improvement Journey

Authors: Guru Vasudeva (Nationwide IT)

By deploying and scaling a blend of Agile and Lean concepts, a unique team model, and fostering a problem solving and learning culture, Nationwide IT has produced significant business outcomes and demonstrated increasing employee engagement.

March 2017 - Podcast 10 At-Risk Emerging Technologies

Topics: Cyber-Physical Systems

Authors: Christopher King

Researchers in the SEI's CERT Division recently examined the security of a large swath of technology domains being developed in industry and maturing over the next five years.

March 2017 - Presentation Keynote: Learning to Drive a C.A.R. at the U.S. Census Bureau

Authors: Harry Lee

Keynote address by Harry A. Lee, Assistant Director for Information Technology and Deputy CIO.

March 2017 - Presentation Building Secure Software for Mission Critical Systems

Topics: Secure Coding, Vulnerability Analysis

Authors: Mark Sherman

This presentation explores the expanding landscape of vulnerabilities that accompanies the increasing reliance on software and then examines some key steps to help mitigate the increased risk.

March 2017 - Presentation Secure Tactical Cloudlets for Mission Support at the Edge

Topics: Software Architecture

Authors: Grace Lewis, Sebastián Echeverría (Universidad de los Andes), Dan J. Klinedinst, Keegan M. Williams

This presentation introduces the architecture and features of tactical cloudlets and presents a solution for establishing trusted identities in disconnected environments based on the generation and exchange of secure keys in the field.

March 2017 - Presentation How to Minimize Configuration Switching Time and Cost for Design of Experiments

Topics: Measurement and Analysis

Authors: Robert V. Binder

This presentation shows how classical integer programming can be used to determine the least cost (that is, the quickest) order for test configurations.

March 2017 - Presentation Replacing Promises with Data: A Structured Way to Assess Software Health

Topics: Acquisition Support

Authors: Karen LaFond (U.S. Army), Alfred Schenker, Robert W. Stoddard

Acquisition programs need a structured approach to evaluating the health of contractors' software projects. This presentation describes the Army Ground Combat Systems program's efforts in this area.

March 2017 - Presentation A Reverse Chronology of Evolutionary Architecture and Agile Development

Authors: Brian P. Gallagher (CACI International), Hanif Mostafa (CACI International), Mielke Thomas (CACI International)

This presentation describes the development of an architecture-centric software development life cycle that allows for rapid, stable feature delivery.

March 2017 - Presentation CISQ Standards for the Automated Measurement of Software Size and Structural Quality

Authors: Bill Curtis (CAST Research Labs)

This presentation describes a set of measures created by the Consortium for IT Quality (CISQ) and explains how the measures can be used in productivity programs, quality assurance practices, and vendor contracts.

March 2017 - Presentation Risks in the Software Supply Chain

Topics: Acquisition Support

Authors: Mark Sherman

This presentation describes the parts of the software supply chain, how vulnerabilities have been introduced, and the actions developers can employ to avoid or mitigate the risks inherent in an assembly-based software development strategy.

March 2017 - Presentation So Much Money for So Little Capability: The Reality of Sustaining DoD Software Systems

Authors: David Schneider, Alfred Schenker, Grady Campbell

This presentation identifies and explains some of the most significant factors that affect long-term software sustainment.

March 2017 - Presentation Why Does Software Cost So Much? Toward a Causal Model (March 2017)

Topics: Measurement and Analysis

Authors: Robert W. Stoddard, Michael D. Konrad, William Nichols, David Danks (Carnegie Mellon University), Kuh Zhang (Carnegie Mellon University)

This presentation shares early research results that may confirm some well-known drivers of DoD software cost and debunk others.

March 2017 - Presentation Improvements in Safety Analysis for Safety Critical Software Systems

Authors: Peter H. Feiler

Recent advances in virtual system integration through architecture modeling and analysis have led to improvements in safety analysis in several ways, which will be described in this presentation.

March 2017 - Presentation Security Measurement: Establishing Confidence that Security Is Sufficient

Topics: Science of Cybersecurity

Authors: Carol Woody, PhD, Christopher J. Alberts

The SEI is researching how measurement can be used to establish confidence in software security. This presentation shares our progress to date.

March 2017 - Presentation Measuring Complexity for System Safety Assurance

Authors: Sarah Sheard, Michael D. Konrad, William Nichols, Charles B. Weinstock

This presentation describes a two-year research effort to define complexity measures for avionics systems in order to help the FAA identify when systems are too complex to assure their safety.

March 2017 - Presentation Temporal Partitioning and Verification in Distributed Cyber-Physical Systems

Topics: Cyber-Physical Systems

Authors: Dionisio de Niz, Bjorn Andersson

This presentation describes innovations in the temporal protection of components that perform computations throughout multiple processors and have end-to-end timing requirements.

March 2017 - Presentation Methodology for the Cost Benefit Analysis of a Large Scale Multi-phasic Software Enterprise Migration

Topics: Software Architecture

Authors: Jerry Jackson, Bryce L. Meyer, James Wessel

This presentation describes the methodology used by the SEI to conduct a cost-benefit analysis of the proposed migration of all Army software-based systems to a common operating environment (COE) and common software infrastructure.

March 2017 - Presentation Methodology for Comparing Cloud Service Offerings

Authors: Jeff Davenport, Sarah Sheard

This presentation describes a methodology for normalizing the offerings into common units of measure that are relevant to the procurer of the services.

March 2017 - Conference Paper Testing in a Non-Deterministic World

Authors: Donald Firesmith

This presentation discusses sources of non-determinism, testing ramifications of non-determinism, and recommendations for testing in a non-deterministic world.

March 2017 - Presentation Agile in Government: A Research Agenda for Agile Software Development

Authors: Will Hayes, Suzanne Miller, Eileen Wrubel

The SEI team working with Agile in government has built a rich narrative of Agile implementation experiences and now works with an extensive network of collaborators on fundamental research questions that dive deep into cause-and-effect mechanisms.

March 2017 - Presentation Applied Machine Learning in Software Engineering

Authors: Eliezer Kanal

This presentation describes why software engineers should care about machine learning and how they can immediately benefit from it.

March 2017 - Presentation Toward Successfully Navigating Large-Scale IT Modernization Efforts

Topics: Software Architecture

Authors: Felix Bachmann, Stephany Bellomo

The authors of this presentation share their experiences developing and putting in place an IT roadmap for a large government organization, resulting in the implementation of an enterprise-wide shared data service.

March 2017 - Webinar 5 Things You Need to Know About Leading a Successful Large IT Modernization Project

Authors: Stephany Bellomo, Felix Bachmann, Will Hayes

In this webinar, we discussed topics to consider when planning a large modernization project and shared mitigation strategies for executing the modernization effort.

March 2017 - Video SEI Cyber Minute: Tactical Cloudlets

Authors: Grace Lewis

Watch Grace Lewis in this SEI Cyber Minute as she discusses "Tactical Cloudlets".

February 2017 - Podcast Technical Debt as a Core Software Engineering Practice

Authors: Ipek Ozkaya

In this podcast, Ipek Ozkaya talks about managing technical debt as a core software engineering practice and its importance in the education of future software engineers.

February 2017 - Conference Paper Efficient Decision-Making under Uncertainty for Proactive Self-Adaptation

Authors: Gabriel Moreno, Javier Cámara (CMU), David Garlan, Bradley Schmerl

In this paper, we present an approach that eliminates runtime overhead by constructing most Markov decision processes offline using formal specification.

February 2017 - Podcast DNS Best Practices

Authors: Mark Langston

In this podcast, Mark Langston discusses best practices for designing a secure, reliable DNS infrastructure.

February 2017 - White Paper The CISO Academy

Topics: Cyber Risk and Resilience Management

Authors: Pamela D. Curtis, Summer C. Fowler, David Tobar, David Ulicne

In this paper, the authors describe the project that led to the creation of the U.S. Postal Service's CISO Academy.

February 2017 - Video Assuring Autonomous Software

Authors: Sagar Chaki

Watch Sagar Chaki in this SEI Cyber Minute as he discusses "Assuring Autonomous Software".

February 2017 - Video CYBER LEAPfwd (Learning & Experience Acceleration Platform)

Topics: Workforce Development

Authors: Christopher May

Watch Chris May in this Cyber Minute as he discusses "CYBER LEAPfwd", a new educational platform aimed at the next generation of cybersecurity professionals.

February 2017 - Video Trusting Machines

Authors: Jeff Boleng

Watch Jeff Boleng in this SEI Cyber Minute as he discusses "Trusting Machines".

January 2017 - Podcast Three Roles and Three Failure Patterns of Software Architects

Topics: Software Architecture

Authors: John Klein

This podcast explores three roles and three failure patterns of software architects that John Klein has observed while working with industry and government software projects.

January 2017 - Webinar Building and Scaling a Malware Analysis System

Topics: Malware Analysis

Authors: Brent Frye

This webinar describes some of the issues involved in automating the collection and analysis of malware, which has seen exponential growth over the past decade.

January 2017 - Book Cyber-Physical Systems

Topics: Cyber-Physical Systems

Authors: Ragunathan (Raj) Rajkumar, Dionisio de Niz, Mark H. Klein

This book addresses Cyber-Physical Systems (CPS) challenges and innovations, describes the foundations that underlie CPS, and offers guiding principles for all levels.

January 2017 - Conference Paper Certifiable Runtime Assurance of Distributed Real-Time Systems

Topics: Software Assurance

Authors: Sagar Chaki, Dionisio de Niz

This paper presents two challenge problems guiding research on developing a provably correct approach for runtime assurance of distributed real-time embedded systems.

January 2017 - Webinar How to Reduce the Graveyard of Software Tools with UI/UX Capability

Authors: Jennifer Cowley, Michael J. Szegedy

For different reasons, usability is generally an afterthought in the cybersecurity tool development process. In this webinar, we teach the audience the value of defining the problem and how this impacts the software quality outcomes.

January 2017 - Podcast Security Modeling Tools

Topics: Software Architecture

Authors: Julien Delange

In this podcast, Julien Delange discusses security modeling tools that his team developed and how to use them to capture vulnerabilities and their propagation path in an architecture.

January 2017 - Special Report A Technical History of the SEI

Authors: Larry Druffel

This report chronicles the technical accomplishments of the Software Engineering Institute and its impact on the Department of Defense software community, as well as on the broader software engineering community.

January 2017 - Video SEI Cyber Minute: DevOps for Better Software Build

Authors: Hasan Yasar

Watch Hasan Yasar in this SEI Cyber Minute as he discusses "DevOps for Better Software Build".

January 2017 - Presentation Panel: Secure Software Workforce Development Panel Session

Authors: Girish Seshagiri (Ishpi Information Technologies, Inc), Nancy R. Mead, William Newhouse (NIST), James W. Over

This panel discussed programs designed to meet the growing need for software assurance professionals.

January 2017 - Presentation Using Malware Analysis to Identify Overlooked Security Requirements (MORE)

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

In this presentation, Nancy Mead explains how malware analysis can be used effectively to identify otherwise overlooked security requirements.

January 2017 - Presentation Flow-Based Monitoring, Troubleshooting and Security using nProbe

Authors: Luca Deri (ntop)

In this presentation, Luca Deri discusses flow-based monitoring, troubleshooting, and security using nProbe.

December 2016 - Presentation Lightning Talk: Four Messages that Work

Authors: Alan Willett

Presentation at TSP Community of Practice Workshop December 13-15, 2016.

December 2016 - Presentation Lightning Talk: History of TSP at Cadence

Authors: Elias Fallon (Cadence Design Systems, Inc.)

Presentation at TSP Community of Practice Workshop December 13-15, 2016.

December 2016 - Presentation Lightning Talk: An Innovative Cloud Process with the TSP

Authors: Yoshihiro Akiyama (Next Process, Inc.)

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation Lightning Talk: Beyond the Agile Manifesto

Authors: Jeff Schwalb

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation Lightning Talk: Tooling for Agile Outreach

Authors: David Tuma (Tuma Solutions)

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation Lightning Talk: The Value of TSP in Agile Practices

Authors: David Saint-Amand (NAVAIR)

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation Lightning Talk: TSP/PSP Activity Subsets and Their Influence on Team Performance

Authors: Brad Hodgins (NAVAIR)

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation Welcome and Agenda: TSP Community of Practice Workshop 2016

Authors: James W. Over

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation TSP Secure

Authors: William Nichols

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation TSP Open Licensing

Authors: James W. Over

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation The Value of TSP in Agile Practices

Authors: Jim McHale

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Presentation The NAVAIR Story: TSP CoP Overview

Authors: Jeff Schwalb

Presentation from the TSP Community of Practice Workshop, December 13-15, 2016.

December 2016 - Video SEI Cyber Minute: Cyber Security Engineering

Authors: Nancy R. Mead

Watch Nancy Mead in this SEI Cyber Minute as she discusses "Cyber Security Engineering."

December 2016 - Technical Report Common Sense Guide to Mitigating Insider Threats, Fifth Edition

Topics: Insider Threat

Authors: Matthew L. Collins, Michael C. Theis, Randall F. Trzeciak, Jeremy R. Strozer, Jason W. Clark, Daniel L. Costa, Tracy Cassidy, Michael J. Albrethsen, Andrew P. Moore

Presents recommendations for mitigating insider threat based on CERT's continued research and analysis of over 1,000 cases.

December 2016 - Technical Report Architecture-Led Safety Process

Topics: Software Architecture

Authors: Peter H. Feiler, Julien Delange, David P. Gluch, John McGregor

Architecture-Led Safety Analysis (ALSA) is a safety analysis method that uses early architecture knowledge to supplement traditional safety analysis techniques to identify faults as early as possible.

December 2016 - Podcast Best Practices for Preventing and Responding to Distributed Denial of Service (DDoS) Attacks

Topics: Network Situational Awareness

Authors: Rachel Kartch

In this podcast, CERT researcher Rachel Kartch provides an overview of DDoS attacks and best practices for mitigating and responding to them.

December 2016 - Technical Report The Critical Role of Positive Incentives for Reducing Insider Threats

Topics: Insider Threat

Authors: Andrew P. Moore, Jeff Savinda, Elizabeth A. Monaco, Jamie L. Moyes, Denise M. Rousseau (Carnegie Mellon University), Samuel J. Perl, Jennifer Cowley, Matthew L. Collins, Tracy Cassidy, Nathan VanHoudnos, Palma Buttles-Valdez, Daniel Bauer, Allison Parshall

This report describes how positive incentives complement traditional practices to provide a better balance for organizations' insider threat programs.

December 2016 - Technical Note Update 2016: Considerations for Using Agile in DoD Acquisition

Topics: Acquisition Support

Authors: Suzanne Miller, Dan Ward (Dan Ward Consulting), Mary Ann Lapham, Ray C. Williams, Charles (Bud) Hammons, Daniel Burton, Alfred Schenker

This report updates a 2010 technical note, addressing developments in commercial Agile practices as well as the Department of Defense (DoD) acquisition environment.

December 2016 - Video SEI Cyber Minute: Defects in Software

Authors: Jim McHale

James McHale discusses "Defects in Software."

December 2016 - Technical Note Scaling Agile Methods for Department of Defense Programs

Topics: Acquisition Support

Authors: Will Hayes, Mary Ann Lapham, Suzanne Miller, Eileen Wrubel, Peter Capell

This report discusses methods for scaling Agile processes to larger software development programs in the Department of Defense.

December 2016 - Technical Note Low Cost Technical Solutions to Jump Start an Insider Threat Program

Topics: Insider Threat

Authors: George Silowash, Derrick Spooner, Daniel L. Costa, Michael J. Albrethsen

This technical note explores free and low cost technical solutions to help organizations prevent, detect, and respond to malicious insiders.

December 2016 - Podcast Cyber Security Engineering for Software and Systems Assurance

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead, Carol Woody, PhD

In this podcast Nancy Mead and Carol Woody discuss their new book, Cyber Security Engineering: A Practical Approach for Systems and Software Assurance, which introduces a set of seven principles for software assurance.

December 2016 - Video SEI Cyber Minute: Reducing the Effects of Malware

Authors: Michael Cook (SEI CERT)

Mike Cook discusses "Reducing the Effects of Malware."

December 2016 - Presentation Avoiding Insecure C++

Topics: Secure Coding

Authors: David Svoboda, Aaron Ballman

This presentation introduces the SEI CERT C++

December 2016 - Video SEI Cyber Minute: Machine Learning

Authors: Eliezer Kanal

Elli Kanal discusses "Machine Learning."

December 2016 - White Paper Ultra-Large-Scale Systems: Socio-adaptive Systems

Topics: Ultra-Large-Scale Systems

Authors: Scott Hissam, Mark H. Klein, Gabriel Moreno, Linda M. Northrop, Lutz Wrage

Ultra-large-scale systems are interdependent webs of software, people, policies, and economics. In socio-adaptive systems, humans and software interact as peers.

December 2016 - White Paper Cyber-Physical Systems

Topics: Cyber-Physical Systems

Authors: Björn Anderson, Sagar Chaki, Dionisio de Niz, Jeffrey Hansen, Scott Hissam, John J. Hudak, Mark H. Klein, David Kyle, Gabriel Moreno

Cyber-physical systems (CPS) integrate computational algorithms and physical components. SEI promotes efficient development of high-confidence, distributed CPS.

December 2016 - White Paper Pervasive Mobile Computing

Topics: Pervasive Mobile Computing

Authors: William Anderson, Jeff Boleng, Ben W. Bradshaw, James Edmondson, Grace Lewis, Edwin J. Morris, Marc Novakouski, James Root

Pervasive mobile computing focuses on how soldiers and first responders can use smartphones, tablets, and other mobile/wearable devices at the tactical edge.

December 2016 - White Paper Predictability by Construction

Topics: Process Improvement

Authors: Sagar Chaki, Scott Hissam, Gabriel Moreno, Linda M. Northrop, Kurt C. Wallnau

Predictability by construction (PBC) makes the behavior of a component-based system predictable before implementation, based on known properties of components.

December 2016 - White Paper Blacklist Ecosystem Analysis: January – June, 2016

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf, Eric Hatleback

This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this report covers the time period from January 1, 2016 through June

November 2016 - White Paper FAA Research Project on System Complexity Effects on Aircraft Safety: Testing the Identified Metrics

Topics: Measurement and Analysis

Authors: Michael D. Konrad, Sarah Sheard, Charles B. Weinstock, William Nichols

This report describes a test of an algorithm for estimating the complexity of a safety argument.

November 2016 - White Paper FAA Research Project on System Complexity Effects on Aircraft Safety: Estimating Complexity of a Safety Argument

Topics: Measurement and Analysis

Authors: Michael D. Konrad, Sarah Sheard, Charles B. Weinstock, William Nichols

This report presents a formula for estimating the complexity of an avionics system and directly connects that complexity to the size of its safety argument.

November 2016 - White Paper FAA Research Project on System Complexity Effects on Aircraft Safety: Identifying the Impact of Complexity on Safety

Topics: Measurement and Analysis

Authors: Sarah Sheard, Charles B. Weinstock, Michael D. Konrad, Donald Firesmith

This report organizes our work on the impact of software complexity on aircraft safety by asking, “How can complexity complicate safety and, thus, certification?”

November 2016 - White Paper FAA Research Project on System Complexity Effects on Aircraft Safety: Candidate Complexity Metrics

Topics: Measurement and Analysis

Authors: William Nichols, Sarah Sheard

This special report identifies candidate measures of complexity for systems with embedded software that relate to safety, assurability, or both.

November 2016 - White Paper FAA Research Project on System Complexity Effects on Aircraft Safety: Literature Search to Define Complexity for Avionics Systems

Topics: Measurement and Analysis

Authors: Michael D. Konrad, Sarah Sheard

This special report describes the results of a literature review sampling what is known about complexity for application in the context of safety and assurance.

November 2016 - Presentation Construction and Implementation of CERT Secure Coding Rules Improving Automation of Secure Coding

Topics: Secure Coding

Authors: Mark Sherman, Aaron Ballman

This presentation describes the need for secure coding standards, which help reduce vulnerabilities due to programming errors.

November 2016 - Podcast Moving Target Defense

Topics: Network Situational Awareness, Cyber-Physical Systems

Authors: Andrew O. Mellinger

In this podcast, Andrew Mellinger, a senior software developer in the SEI's Emerging Technology Center, discusses work to develop a platform to organize dynamic defenses.

November 2016 - Presentation Deriving the Average-case Performance of Bandwidth-like Interfaces for Tasksets with Infinite Minimum Inter-Arrival Time, Equal Task Density, Uniformly Distributed Deadlines, and Infinite Number of Tasks

Topics: Process Improvement

Authors: Björn Anderson, Hyoseung Kim (Carnegie Mellon University), J. Lehoczky, Dionisio de Niz

This presentation was given at the 9th International Workshop on Compositional Theory and Technology for Real-Time Embedded Systems (CRTS 2016).

November 2016 - Presentation Got Technical Debt? Surfacing Elusive Technical Debt in Issue Trackers

Topics: Software Architecture

Authors: Stephany Bellomo, Robert Nord, Ipek Ozkaya, Mary Popeck

This presentation on measuring and managing technical debt was given at the 49th CREST Open Workshop Software Architecture and Technical Debt in November 2016.

November 2016 - Presentation Measure It? Manage It? Ignore It? Software Practitioners and Technical Debt

Topics: Software Architecture

Authors: Neil Ernst, Stephany Bellomo, Ipek Ozkaya, Robert Nord, Ian Gorton

This presentation on measuring and managing technical debt was given at the 49th CREST Open Workshop Software Architecture and Technical Debt in November 2016.

November 2016 - Video SEI Cyber Minute: Workplace Violence/IT Sabotage

Authors: Michael C. Theis

Michael Theis discusses "Workplace Violence/IT Sabotage."

November 2016 - Presentation Assurance Cases and Confidence

Topics: Software Assurance, Software Architecture

Authors: Charles B. Weinstock

This talk on assurance cases and confidence was presented at the IEEE Invitational Workshop to Create a Building-Code for Power System Software Security.

November 2016 - Presentation Temporal Protection in Real-Time System

Authors: Dionisio de Niz

Dionisio de Niz delivered the keynote presentation “Temporal Protection in Real-Time Systems” at the Brazilian Symposium on Computing Systems Engineering.

November 2016 - Book Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

Topics: Software Architecture

Authors: Nancy R. Mead, Carol Woody, PhD

Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody present the latest practical knowledge and case studies.

November 2016 - Podcast Improving Cybersecurity Through Cyber Intelligence

Topics: Cyber-Physical Systems

Authors: Jared Ettinger

In this podcast, Jared Ettinger of the SEI’s Emerging Technology Center (ETC) talks about the ETC’s work in cyber intelligence as well as the Cyber Intelligence Research Consortium.

November 2016 - Webinar From Secure Coding to Secure Software

Topics: Secure Coding

Authors: Mark Sherman, Robert Schiela

In this webinar, we discussed how you can improve your organization's secure coding capabilities.

November 2016 - Presentation Data Science: What It Is and How It Can Help Your Company

Authors: Eliezer Kanal, Brian Lindauer

In this presentation, the speakers discussed what the term “data science” means, what skills a data scientist brings to the table, and what competitive edge data science can bring to your team.

November 2016 - Article Giant Slayer: Will You Let Software be David to Your Goliath System?

Authors: Stephen Blanchette, Jr.

The article discusses what can (and should) be done to improve the state of software engineering on large scale aerospace programs.

November 2016 - Presentation A Scorecard for Cyber Resilience: What We Have Observed

Topics: Cyber Risk and Resilience Management

Authors: Robert A. Vrtis, Andrew F. Hoover

In this presentation, the speakers discuss the Cyber Resilience Review (CRR).

November 2016 - Conference Paper Automated Code Repair Based on Inferred Specifications

Topics: Secure Coding

Authors: William Klieber, William Snavely

In this paper, the authors describe automated repairs for three types of bugs: integer overflows, missing array bounds checks, and missing authorization checks.

November 2016 - Presentation Beyond errno: Error Handling in C

Topics: Secure Coding

Authors: David Svoboda

In this tutorial, David Svoboda examines the technologies available to the C developer for handling errors.

November 2016 - Conference Paper Static Analysis Alert Audits: Lexicon & Rules

Topics: Secure Coding

Authors: David Svoboda, Lori Flynn, William Snavely

In this paper, the authors provide a suggested set of auditing rules and a lexicon for auditing static analysis alerts.

November 2016 - Video SEI Cyber Minute: Cyber Risk Game - 3 Envelopes

Authors: Rotem D. Guttman

Rotem Guttman discusses a new cybersecurity game from the SEI called "3 Envelopes."

November 2016 - Presentation Leveraging Serious Games to Assist Motivation and Education

Authors: Rotem D. Guttman

Project seeks to integrate realistic representation of kinetic operations into cyber training.

November 2016 - Presentation Generalized Automated Cyber-Readiness Evaluation

Authors: Rotem D. Guttman

Applies principles of "train as you fight" and "evaluate as you fight" to cyber workforce development.

November 2016 - Presentation Workplace Violence and IT Sabotage: Two Sides of the Same Coin

Authors: Michael C. Theis

Work objective is to determine if coherent, integrated, and validated indicators for insider workplace violence and insider cyber sabotage can be found.

November 2016 - Presentation Why did the Robot do That?

Authors: Stephanie Rosenthal

Investigated how having robots automatically explain their behavior using natural language would improve users' trust.

November 2016 - Presentation The Critical Role of Positive Incentives in Reducing Insider Threat

Authors: Andrew P. Moore

Investigated job engagement, perceived organizational support, and connectedness at work.

November 2016 - Presentation Statistical Model Checking for SWARMS

Authors: Jeffrey Hansen

Research that validates the approach of applying adaptive sampling and input attribution toward model checking and attribution of failure conditions.

November 2016 - Presentation Supporting Software Engineering Best Practices in Additive Manufacturing

Authors: Stephanie Rosenthal

Project developed a framework to support scalable production and customization of 3D models.

November 2016 - Presentation Multi-Agent Decentralized Planning for Adversarial Robotic Teams

Authors: James Edmondson

Objective of this work is to allow one person to command an entire swarm of UAS to do mission-level tasks.

November 2016 - Presentation Human-Computer Decision Systems for Cybersecurity

Authors: Brian Lindauer

This work discovered a surprising result regarding the potential for non-experts to perform malware family analysis.

November 2016 - Presentation GraphBLAS: A Programming Specification for Graph Analysis

Authors: Scott McMillan

Describes work in graph analysis, an important and pervasive area for the DoD.

November 2016 - Presentation Experiences Developing an IBM Watson Cognitive Processing Application

Authors: Mark Sherman

Inquiry into whether DoD could use IBM Watson to improve assurance.

November 2016 - Presentation Vulnerability Discovery

Authors: Edward J. Schwartz, David Warren

Overall aim is to increase assurance of DoD software through enhanced vulnerability discovery techniques.

November 2016 - Presentation Prioritizing Alerts from Static Analysis with Classification Models

Topics: Secure Coding

Authors: Lori Flynn

In this presentation, Lori Flynn describes work toward an automated and accurate statistical classifier, intended to efficiently use analyst effort and to remove code flaws.

November 2016 - Presentation Establishing Coding Requirements for Non-Safety-Critical C++ Systems

Authors: Aaron Ballman

Developed checkers, rules, and rule organization for secure C++ code.

November 2016 - Presentation Automated Code Repair

Authors: William Klieber

Work aims to develop a technique to eliminate security vulnerabilities at a lower cost than manual repair.

November 2016 - Presentation Tactical Computing and Communications

Authors: Grace Lewis

Discusses work in trusted identities, secure VM migration, and delay-tolerant data sharing.

November 2016 - Presentation Tactical Analytics

Authors: Edwin J. Morris

This work aims, in the long term, to build a pipeline to recognize and validate events and patterns.

November 2016 - Presentation Semiconductor Foundry Verification

Authors: Alexander Volynkin

Work aims to use semi-automated image processing to identify semiconductor foundry

November 2016 - Presentation Enabling Evidence Based Modernization

Authors: John Klein

The goal of this work is to develop a lightweight method for representing alternatives.

November 2016 - Presentation Verifying DART Systems

Authors: Sagar Chaki, Dionisio de Niz

This work is producing validated assurance techniques for distributed adaptive real-time (DART) systems.

November 2016 - Presentation Using Technical Debt to Improve Software Sustainability and Find Software Vulnerabilities

Authors: Ipek Ozkaya, Robert Nord

Introduces the use of technical debt analytics.

November 2016 - Presentation Property Directed Test Case Generation

Authors: Edward J. Schwartz

This work automatically generated executables to trigger desired behaviors for testing.

November 2016 - Presentation Incremental Lifecycle Assurance of Critical Systems

Authors: Peter H. Feiler

Describes research that produced tools for demonstrating a measurable reduction in the cost of verifying system implementations

November 2016 - Presentation Evaluation of Threat Modeling Methodologies

Authors: Forrest Shull

The result of this work is a set of test principles that can help Programs select the most appropriate threat modeling methodologies.

November 2016 - Presentation Automated Assurance of Security Policy Enforcement

Authors: Julien Delange

Security is not only a matter of code. This work extends the AADL with security design rules

November 2016 - Presentation Auto-Active Verification of Software with Timers and Clocks

Authors: Sagar Chaki, Dionisio de Niz

Software that accesses the system clock is the key to real-time and cyber-physical systems

October 2016 - Webinar Security Practitioner Perspective on DevOps for Building Secure Solutions

Authors: Hasan Yasar

This webinar covered the perspectives of security practitioners on building secure software using the DevOps development process and modern security approach.

October 2016 - Presentation Threat Modeling and Risk Analysis for Developers and Testers

Authors: Matthew Trevors

Matt Trevors presented this presentation at The Three Rivers Information Security Symposium on 10/28/16.

October 2016 - Technical Report Definition and Measurement of Complexity in the Context of Safety Assurance

Topics: Performance and Dependability

Authors: Sarah Sheard, Michael D. Konrad, Charles B. Weinstock, William Nichols

This report describes research to define complexity measures for avionics systems to help the FAA identify when systems are too complex to assure their safety.

October 2016 - White Paper Establishing Trusted Identities in Disconnected Edge Environments

Authors: Sebastián Echeverría (Universidad de los Andes), Dan J. Klinedinst, Keegan M. Williams

The goal of this paper is to present a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field.

October 2016 - Podcast A Requirement Specification Language for AADL

Topics: Software Architecture

Authors: Peter H. Feiler

In this podcast, Peter Feiler describes a textual requirement specification language for the Architecture Analysis & Design Language (AADL) called ReqSpec.

October 2016 - Technical Note A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)

Topics: Cyber Risk and Resilience Management

Authors: Jeffrey L. Pinckard, Michael Rattigan, Robert A. Vrtis

To help financial organizations assess cyber resilience, we map FFIEC Cybersecurity Assessment Tool (CAT) statements to Cyber Resilience Review (CRR) questions.

October 2016 - Presentation What Do Systems Engineers Need To Know About Software?

Authors: Sarah Sheard

This presentation was given at the NDIA (National Defense Industrial Association) Systems Engineering Conference, held in Springfield VA, 24-27 October 2016.

October 2016 - Video SEI Cyber Minute: CERT STEPfwd Overview

Authors: Dennis M. Allen

Dennis Allen discusses "CERT STEPfwd Overview"

October 2016 - Podcast Becoming a CISO: Formal and Informal Requirements

Authors: Darrell Keeling (Parkview Health), Lisa R. Young

In this podcast, Darrell Keeling, Vice President of Information Security and HIPAA Security Officer at Parkview Health, discusses the knowledge, skills, and abilities needed to become a CISO in today’s fast-paced cybersecurity field.

October 2016 - Poster Why did the robot do that?

Authors: Stephanie Rosenthal

Why did the robot do that?

October 2016 - Poster Using Serious Games

Authors: Rotem D. Guttman

Leveraging: Cyber Kinetic Effects Integration (CKEI)

October 2016 - Poster Software Engineering for Additive Manufacturing

Authors: Stephanie Rosenthal

3D Printing

October 2016 - Poster Evaluation of Threat Modeling Methodologies

Authors: Forrest Shull

Evaluation of Threat Modeling Methodologies

October 2016 - Poster Data Validation for Large-Scale Analytics

Authors: Stephanie Rosenthal

Building Tools to Support Data Sampling and Visualization

October 2016 - Poster Reducing Insider Threat through Positive Incentives

Authors: Andrew P. Moore

Extending the Traditional Insider Threat Security Paradigm

October 2016 - Poster Research to Operations

Authors: Peter H. Feiler

Virtual System Integration

October 2016 - Poster Developing an IBM Watson Cognitive Processing Application

Authors: Mark Sherman

Supporting Application Security (Software Assurance)

October 2016 - Poster GraphBLAS

Authors: Scott McMillan

A Programming Specification for Graph Analysis

October 2016 - Poster MBAL—The Model-based Assurance Lab

Authors: Robert V. Binder

Model-based testing reference environment for real-time reactive systems

October 2016 - Poster Automated Code Repair

Authors: William Klieber

Integer overflow in calculations related to array bounds or indices is almost always a bug

October 2016 - Poster Establishing Coding Requirements for Non-Safety-Critical C++

Authors: Aaron Ballman

Establishing Coding Requirements for Non-Safety-Critical C++

October 2016 - Poster Prioritizing Alerts from Static Analysis with Classification Models

Topics: Secure Coding

Authors: Lori Flynn

This poster describes CERT Division research on an automated and accurate statistical classifier.

October 2016 - Poster Vulnerability Discovery

Authors: David Warren

Vulnerability Discovery

October 2016 - Poster Workplace Violence and IT Sabotage

Authors: Michael C. Theis

Determine if indicators for Insider Workplace Violence and Insider Cyber Sabotage can be identified

October 2016 - Poster Enabling Evidence-Based Modernization

Authors: John Klein

Evidence-Based Modernization (EEBM)

October 2016 - Poster Tactical Analytics

Authors: Edwin J. Morris

Recognizing Patterns of Life and Determining Credibility of Textual Data

October 2016 - Poster Semiconductor Foundry Verification

Authors: Alexander Volynkin

Detecting Counterfeit Electronics

October 2016 - Poster Automated Cyber-Readiness Evaluator

Authors: Rotem D. Guttman

ACE

October 2016 - Poster Tactical Computing and Communications (TCC)

Authors: Grace Lewis

Secure and Efficient Computing and Communications at the Edge

October 2016 - Poster Using Technical Debt to Improve Software Sustainability

Authors: Ipek Ozkaya

Technical Debt

October 2016 - Poster Statistical Model Checking for Swarms

Authors: Jeffrey Hansen

Input Attribution

October 2016 - Poster Human-Computer Decision Systems

Authors: Brian Lindauer

Security decision systems often use a combination of human and automated analysis

October 2016 - Poster Property Directed Test-case Generation

Authors: Jeff Gennari

Property Directed Test-case Generation

October 2016 - Poster Auto-Active Verification of Software with Timers and Clocks

Authors: Sagar Chaki

Formally verify STACs at the source code level using deductive (aka auto-active) verification

October 2016 - Poster Verifying Distributed Adaptive Real-Time (DART) Systems

Authors: Sagar Chaki

DART Vision

October 2016 - Poster Automated Assurance of Security Policy Enforcement

Authors: Julien Delange

Detecting and fixing architecture-related vulnerabilities early in the lifecycle

October 2016 - Poster Incremental Lifecycle Assurance of Critical Systems

Authors: Peter H. Feiler

Critical System Assurance Challenge

October 2016 - Podcast Predicting Quality Assurance with Software Metrics and Security Methods

Topics: Cybersecurity Engineering

Authors: Carol Woody, PhD

In this podcast, Dr. Carol Woody explores the connection between measurement, methods for software assurance, and security.

October 2016 - Video SEI Cyber Minute: Penetration Testing

Authors: Brent Kennedy

Brent Kennedy discusses "Pen Testing."

October 2016 - Conference Paper Contract-Based Verification of Timing Enforcers

Authors: Sagar Chaki, Dionisio de Niz

In this paper, the authors focus on proving the correctness of the budget enforcement that guarantees that no task τ_i executes beyond its W_i^1. They present their approach and some preliminary results.

October 2016 - Conference Paper Automated Fault Tree Analysis from AADL Models

Topics: Cyber-Physical Systems

Authors: Peter H. Feiler, Julien Delange

In this paper, the authors discuss three elements that are key to safety analysis automation in the context of fault tree analysis (FTA).

October 2016 - Conference Paper Analysis and Design of Safety-critical, Cyber-Physical Systems

Topics: Software Architecture

Authors: John McGregor, David P. Gluch, Peter H. Feiler

In this paper, the authors focus on the architecture-led development process and illustrate the support given by ALISA.

October 2016 - Conference Paper Modeling, Verifying, and Generating Software for Distributed Cyber-Physical Systems using DMPL and AADL.

Topics: Cyber-Physical Systems

Authors: Sagar Chaki, Dionisio de Niz, Joe Seibel

This paper provides an end-to-end framework where DART systems can be designed, analyzed, and implemented within the same toolchain. In this talk, the authors present this toolchain and demonstrate it on a few representative examples.

October 2016 - Presentation Adjusting the Balance Sheet by Appending Technical Debt

Authors: Shirin Akbarinasaji (Ryerson University), Ayse Bener (Ryerson University)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Presentation Welcome to the Eighth International Workshop on Managing Technical Debt

Authors: Clemente Izurieta (Montana State University), Ipek Ozkaya, Will Snipes (ABB Corporate Research)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Presentation Practical Technical Debt Discovery by Matching Patterns in Assessment Graphs

Authors: Andriy Shapochka (SoftServe, Inc.), Borys Omelayenko (SoftServe, Inc.)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Presentation Toward Assessing the Technical Debt of Undesired Software Behaviors in Design Patterns

Authors: Derek Reimanis (Montana State University), Clemente Izurieta (Montana State University)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Presentation Technical Debt Indexes Provided by Tools: A Preliminary Discussion

Authors: Francesca Arcelli Fontana (University of Milano-Bicocca), Riccardo Roveda (University of Milano-Bicocca), Marco Zanoni (University of Milano-Bicocca)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Presentation How "Specification by Example" and Test-Driven Development Help to Avoid Technical Debt

Authors: Wolfgang Trumler (Siemens AG), Frances Paulisch (Siemens Corporate Research)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Presentation Database Design Debts Through Examining Schema Evolution

Authors: Mashel Albarak (University of Birmingham and King Saud University), Rami Bahsoon (University of Birmingham)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Presentation 50 Years of Technical Debt with Rising Interest Rates

Authors: Firas Glaiel (Raytheon Integrated Defense Systems), Terri Potts (Raytheon Intelligence, Information and Services)

This presentation was part of the Eighth International Workshop on Managing Technical Debt, held in conjunction with ICSME 2016.

October 2016 - Conference Paper Verifying Cyber-Physical Systems by Combining Software Model Checking with Hybrid Systems Reachability

Authors: Stanley Bak (Air Force Research Laboratory), Sagar Chaki

This work proposes a bridge between two important verification methods, software model checking and hybrid systems reachability.

September 2016 - Video SEI Cyber Minute: Secure DevOps

Authors: Aaron Volkmann

Aaron Volkmann discusses "Secure DevOps."

September 2016 - Podcast Network Flow and Beyond

Authors: Timothy J. Shimeall

In this podcast, Timothy Shimeall discusses approaches for analyzing network security using and going beyond network flow data to gain situational awareness to improve security.

September 2016 - White Paper Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach

Topics: Cyber Risk and Resilience Management

Authors: John Haller, Charles M. Wallen

A resilience-based approach can help financial services organizations to manage cybersecurity risks from outsourcing and comply with federal regulations.

September 2016 - Presentation Exploiting Java Serialization for Fun and Profit

Topics: Secure Coding

Authors: David Svoboda

In this presentation, David Svoboda explains how exploits can occur using Java serialization.

September 2016 - Brochure Agile Development in Government: Myths, Monsters, and Fables

Topics: Acquisition Support

Authors: David J. Carney, Suzanne Miller, Mary Ann Lapham

This volume is a reflection on attitudes toward Agile software development now current in the government workplace.

September 2016 - Video SEI Cyber Minute: Cyber Workforce Development Research

Authors: Josh Hammerstein

Josh Hammerstein discusses "CERT Cyber Workforce Development Research."

September 2016 - Conference Paper Input Attribution for Statistical Model Checking using Logistic Regression

Authors: Jeffrey Hansen, Sagar Chaki, Scott Hissam, James Edmondson, Gabriel Moreno, David Kyle

In this conference paper, the authors describe an approach to Statistical Model Checking (SMC). This paper is part of the Lecture Notes in Computer Science book series.

September 2016 - Presentation The Java Security Architecture: How? and Why?

Topics: Secure Coding

Authors: David Svoboda

In this tutorial, David Svoboda describes the design of Java's security architecture and its pros and cons.

September 2016 - Presentation Inside the CERT Oracle Secure Coding Standard for Java

Topics: Secure Coding

Authors: David Svoboda

In this session, the authors of the CERT Oracle Secure Coding Standard for Java describe how it can be used to secure your Java projects.

September 2016 - Presentation Unleashing Your Inner Code Warrior

Topics: Secure Coding

Authors: Mary Ann Davidson (Oracle)

This keynote presentation was given at the 2016 Secure Coding Symposium, where attendees discussed challenges in secure coding and software assurance.

September 2016 - Podcast A Community College Curriculum for Secure Software Development

Topics: Cyber Risk and Resilience Management, Performance and Dependability, Cybersecurity Engineering

Authors: Girish Seshagiri (Ishpi Information Technologies, Inc)

In this podcast, Girish Seshagiri discusses a two-year community college software assurance program that he developed and facilitated with SEI Fellow Nancy Mead at Illinois Central College.

September 2016 - Video SEI Cyber Minute: Wireless Simulation/WELLE-D

Authors: Adam Welle (SEI CERT)

Adam Welle discusses "Wireless Simulation/WELLE-D."

September 2016 - Presentation Driving Efficiencies into the Software Life Cycle for Army Systems

Topics: Software Architecture

Authors: Stephen Blanchette, Jr.

This presentation was presented to the CECOM Software Solarium.

September 2016 - White Paper Striving for Effective Cyber Workforce Development

Topics: Workforce Development

Authors: Marie Baker

This paper reviews the issue of cyber awareness, identifies efforts to combat this deficiency, and concludes with strategies for moving forward.

September 2016 - Presentation Common Exploits and How to Prevent Them

Topics: Secure Coding

Authors: David Svoboda

This presentation was given at the 2016 Secure Coding Symposium, where attendees discussed challenges in secure coding and software assurance.

September 2016 - Presentation Strengthening the Cyber Ecosystem

Topics: Secure Coding

Authors: Dr. Peter M. Fonash (Department of Homeland Security, CS&C)

This keynote presentation was given at the 2016 Secure Coding Symposium, where attendees discussed challenges in secure coding and software assurance.

September 2016 - Video SEI Cyber Minute: Coordinated Vulnerability Disclosure

Authors: Art Manion

Art Manion discusses "Coordinated Vulnerability Disclosure."

September 2016 - Video SEI Cyber Minute: Internet Protocol Version 6 (IPv6)

Authors: Dennis M. Allen

Dennis Allen discusses "Internet Protocol Version 6 (IPv6)."

August 2016 - Conference Paper Spatial references and perspective in natural language instructions for collaborative manipulation

Authors: Shen Li (Carnegie Mellon University), Rosario Scalise (Carnegie Mellon University), Henny Admoni (Carnegie Mellon University), Stephanie Rosenthal, Siddhartha S. Srinivasa (Carnegie Mellon University)

In this work, we investigate spatial features and perspectives in human spatial references and compare word usage when instructing robots vs. instructing other humans.

August 2016 - Conference Paper Enhancing Human Understanding of a Mobile Robot’s State and Actions using Expressive Lights

Authors: Kim Baraka (Carnegie Mellon University), Stephanie Rosenthal, Manuela Veloso (Carnegie Mellon University)

In this work, we present an online study to evaluate the effect of robot communication through expressive lights on people's understanding of the robot's state and actions.

August 2016 - Conference Paper Dynamic Generation and Refinement of Robot Verbalization

Authors: Vittorio Perera (Carnegie Mellon University), Sai P. Selveraj (Carnegie Mellon University), Stephanie Rosenthal, Manuela Veloso (Carnegie Mellon University)

With a growing number of robots performing autonomously without human intervention, it is difficult to understand what the robots experience along their routes during execution without looking at execution logs. Rather than looking through logs, our goal

August 2016 - Podcast Security and the Internet of Things

Topics: Vulnerability Analysis

Authors: Art Manion

In this podcast, CERT researcher Art Manion discusses work that his team is doing with the Department of Homeland Security to examine and secure IoT devices.

August 2016 - Video SEI Cyber Minute: Automating Workforce Evaluation

Authors: Rotem D. Guttman

Rotem Guttman discusses "Automating Workforce Evaluation."

August 2016 - Poster Artist Rendering of Keynote: Architecting the Unknown

Authors: MJ Broadbent (GE Digital)

In this poster, MJ Broadbent of GE provides an artistic rendering of the keynote talk "Architecting the Unknown," by Grady Booch of IBM.

August 2016 - Poster Artist Rendering of Keynote: Rethinking Software Design

Authors: MJ Broadbent (GE Digital)

In this poster, MJ Broadbent of GE provides an artistic rendering of the keynote talk "Rethinking Software Design," by Daniel Jackson of MIT.

August 2016 - Technical Report Segment-Fixed Priority Scheduling for Self-Suspending Real-Time Tasks

Topics: Cyber-Physical Systems, Performance and Dependability

Authors: Junsung Kim, Björn Andersson (Carnegie Mellon University), Dionisio de Niz, Ragunathan (Raj) Rajkumar, Jian-Jia Chen, Wen-Hung Huang, Geoffrey Nelissen

This report describes schedulability analyses and proposes segment-fixed priority scheduling for self-suspending tasks.

August 2016 - Technical Note Creating Centralized Reporting for Microsoft Host Protection Technologies: The Enhanced Mitigation Experience Toolkit (EMET)

Authors: Craig Lewis, Joseph Tammariello

This report describes how to set up a centralized reporting console for the Windows Enhanced Mitigation Experience Toolkit.

August 2016 - Video SEI Cyber Minute: CERT Resilience Management Model (RMM)

Authors: Lisa R. Young

Lisa Young discusses "CERT Resilience Management Model (RMM)."

August 2016 - Technical Note The QUELCE Method: Using Change Drivers to Estimate Program Costs

Topics: Measurement and Analysis

Authors: Sarah Sheard

This technical note introduces Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), a method for estimating program costs early in development.

August 2016 - Webinar Data Science: What It Is and How It Can Help Your Company

Authors: Brian Lindauer, Eliezer Kanal

In this webinar, we discussed what the term “data science” means, what skills a data scientist brings to the table, and what competitive edge data science can bring to your team.

August 2016 - White Paper Blacklist Ecosystem Analysis: 2016 Update

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf, Eric Hatleback, Jonathan Spring

This white paper, which is the latest in a series of regular updates, builds upon the analysis of blacklists presented in our 2013 and 2014 reports.

August 2016 - Video SEI Cyber Minute: Engaging Stakeholders on Insider Threat

Authors: Randall F. Trzeciak

Randy Trzeciak discusses "Engaging Stakeholders on Insider Threat."

August 2016 - Podcast The SEI Fellow Series: Nancy Mead

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

This podcast is the first in a series highlighting interviews with SEI Fellows.

August 2016 - Video SEI Cyber Minute: Cyber and Kinetic Warfighter Training

Authors: Rotem D. Guttman

Rotem Guttman discusses "Cyber and Kinetic Warfighter Training."

July 2016 - Podcast An Open Source Tool for Fault Tree Analysis

Topics: Software Architecture

Authors: Julien Delange

In this podcast, Dr. Julien Delange discusses fault tree analysis and introduces a new tool to design and analyze fault trees.

July 2016 - Conference Paper UAV and Service Robot Coordination for Indoor Object Search Tasks

Authors: Sandeep Konam (Carnegie Mellon University), Stephanie Rosenthal, Manuela Veloso (Carnegie Mellon University)

In this paper, we propose the concept of coordination between CoBot and the Parrot ARDrone 2.0 to perform service-based object search tasks, in which CoBot localizes and navigates to the general search areas carrying the ARDrone and the ARDrone searches l

July 2016 - Podcast Global Value Chain – An Expanded View of the ICT Supply Chain

Topics: Cyber Risk and Resilience Management

Authors: Edna M. Conway (Cisco Systems, Inc.), John Haller, Lisa R. Young

In this podcast, Edna Conway and John Haller discuss the global value chain for organizations and critical infrastructures and how this expanded view can be used to improve ICT supply chain management, including risks to the supply chain.

July 2016 - Webinar How to Build an Effective Insider Threat Program to Comply With the New NISPOM Mandate

Topics: Insider Threat

Authors: Randall F. Trzeciak

In this webinar, Randy Trzeciak, Technical Manager of the CERT Insider Threat Center, described the summary of new requirements mandated by NISPOM Change 2 and the impact it will have on DoD contracting organizations.

July 2016 - Video SEI Cyber Minute: Using Smart Service Level Agreements (SLAs)

Authors: John Haller

John Haller discusses "Using Smart SLAs."

July 2016 - Presentation Design and Implementation of the GraphBLAS Template Library (GBTL)

Authors: Scott McMillan, Samantha Misurda, Marcin Zalewski (Indiana University), Peter Zhang (Indiana University), Andrew Lumsdaine (Indiana University)

The design of the GraphBLAS Template Library separates graph algorithm development from performance tuning for heterogeneous high-performance computing architectures.

July 2016 - Conference Paper Verbalization: Narration of Autonomous Robot Experience

Authors: Stephanie Rosenthal, Sai P. Selvaraj (Carnegie Mellon University), Manuela Veloso (Carnegie Mellon University)

In this work, we address the generation of narrations of autonomous mobile robot navigation experiences.

July 2016 - Webinar Secure Software Development Landscape

Topics: Cybersecurity Engineering, Secure Coding

Authors: Mark Sherman

Examine how security can be introduced throughout the software development lifecycle to blunt vulnerabilities.

July 2016 - Webinar Coordinated Vulnerability Disclosure

Topics: Vulnerability Analysis

Authors: Dan J. Klinedinst

Learn how to develop a vulnerability coordination capability, which helps you respond to vulnerabilities and demonstrates that you are serious about fixing them.

July 2016 - Webinar Continuous Integration (Secure DevOps)

Topics: Process Improvement

Authors: Hasan Yasar

Learn how to better identify process improvements at your organization through new perspectives on secure software development and delivery.

July 2016 - Webinar Security Requirements Engineering

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts

Learn the importance of developing security requirements in the same time frame as functional requirements.

July 2016 - Video SEI Cyber Minute: Managing Operational Risk

Authors: Lisa R. Young

Lisa Young discusses "Managing Operational Risk."

July 2016 - Video SEI Cyber Minute: Are You Vulnerable to Insider Threats?

Authors: Randall F. Trzeciak

Randy Trzeciak discusses "Are You Vulnerable to Insider Threats?"

July 2016 - Video SEI Cyber Minute: Mitigating Ransomware

Authors: Rotem D. Guttman

Rotem Guttman discusses "Mitigating Ransomware."

July 2016 - Video SEI Cyber Minute: SEI's Internet in a Box Spurs Realistic Training

Authors: Gabriel Somlo (SEI CERT)

Gabriel Somlo discusses "SEI's Internet in a Box."

July 2016 - Video SEI Cyber Minute: Computing and the Human Context

Authors: Jeff Boleng

Jeff Boleng discusses "Computing and the Human Context."

July 2016 - Webinar Secure Coding Best Practices

Topics: Secure Coding

Authors: Robert Schiela

Learn why secure coding practices are important to reduce common programming errors that lead to vulnerabilities.

July 2016 - Video SEI Cyber Minute: Penetration Testing - Misconfigurations

Authors: Michael Cook (SEI CERT)

Mike Cook discusses "Penetration Testing."

June 2016 - Technical Report Architecture Fault Modeling and Analysis with the Error Model Annex, Version 2

Topics: Software Architecture

Authors: Peter H. Feiler, John J. Hudak, Julien Delange, David P. Gluch

This report describes the Error Model Annex, Version 2 (EMV2), notation for architecture fault modeling, which supports safety, reliability, and security analyses.

June 2016 - Technical Report A Requirement Specification Language for AADL

Topics: Software Architecture

Authors: Peter H. Feiler, Julien Delange, Lutz Wrage

This report describes a textual requirement specification language, called ReqSpec, for the Architecture Analysis & Design Language (AADL) and demonstrates its use.

June 2016 - Technical Report DMPL: Programming and Verifying Distributed Mixed-Synchrony and Mixed-Critical Software

Topics: Cyber-Physical Systems

Authors: Sagar Chaki, David Kyle

DMPL is a language for programming distributed real-time, mixed-criticality software. It supports distributed systems in which each node executes a set of periodic real-time threads that are scheduled by priority and criticality.

June 2016 - Podcast Intelligence Preparation for Operational Resilience

Topics: Cyber Risk and Resilience Management

Authors: Douglas Gray, Lisa R. Young

In this podcast, Douglas Gray, a member of the CERT Cyber Risk Management team, discusses how to operationalize intelligence products to build operational resilience of organizational assets and services using IPOR.

June 2016 - Educational Material Tutorial Series for GAMS and MADARA

Authors: James Edmondson

This tutorial series shows new developers how to use GAMS and MADARA, tools that support writing programs for distributed, decentralized artificial intelligence.

June 2016 - Special Report Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines

Topics: Pervasive Mobile Computing

Authors: Christopher J. Alberts, Audrey J. Dorofee, Carol Woody, PhD

This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element of the Wireless Emergency Alert pipeline.

June 2016 - Presentation CERT BFF: From Start to PoC

Topics: Vulnerability Analysis

Authors: Will Dormann

This presentation describes the CERT Basic Fuzzing Framework (BFF) from start to PoC.

May 2016 - Podcast Evolving Air Force Intelligence with Agile Techniques

Topics: Acquisition Support

Authors: Harry L. Levinson

In this podcast, Harry Levinson discusses the SEI’s work with the Air Force to further evolve the AF DCGS system using Agile techniques working in incremental, iterative approaches to deliver more frequent, more manageable deliveries of capability.

May 2016 - Conference Paper GBTL-CUDA: Graph Algorithms and Primitives for GPUs

Authors: Peter Zhang (Indiana University), Marcin Zalewski (Indiana University), Andrew Lumsdaine (Indiana University), Samantha Misurda, Scott McMillan

In this paper we present our initial implementation of GraphBLAS primitives for graphics processing unit (GPU) systems called GraphBLAS Template Library (GBTL).

May 2016 - Technical Note Applying the Goal-Question-Indicator-Metric (GQIM) Method to Perform Military Situational Analysis

Topics: Cyber Risk and Resilience Management

Authors: Douglas Gray

This report describes how to use the goal-question-indicator-metric method in tandem with the military METT-TC method (mission, enemy, time, terrain, troops available, and civil-military considerations).

May 2016 - Webinar What Makes a Good Software Architect?

Topics: Software Architecture

Authors: Ipek Ozkaya, Andrew Kotov, John Klein

In this webinar, SEI researchers and an industry colleague discussed, in two talks, what makes a good software architect.

May 2016 - Conference Paper Got Technical Debt? Surfacing Elusive Technical Debt in Issue Trackers

Topics: Software Architecture

Authors: Stephany Bellomo, Robert Nord, Ipek Ozkaya, Mary Popeck

This paper reports on a study of issues from issue trackers to identify technical debt and presents an approach for reporting technical debt in issue trackers.

May 2016 - Book Designing Software Architectures: A Practical Approach

Topics: Software Architecture

Authors: Rick Kazman, Humberto Cervantes (Universidad Autonoma Metropolitana–Iztapalapa)

Designing Software Architectures will teach you how to design any software architecture in a systematic, predictable, repeatable, and cost-effective way.

May 2016 - Podcast Threat Modeling and the Internet of Things

Topics: Vulnerability Analysis

Authors: Art Manion, Allen D. Householder

Art Manion and Allen Householder of the CERT Vulnerability Analysis team talk about threat modeling and its use in improving the security of the Internet of Things (IoT).

May 2016 - Technical Report An Insider Threat Indicator Ontology

Topics: Insider Threat

Authors: Daniel L. Costa, Michael J. Albrethsen, Matthew L. Collins, Samuel J. Perl, George Silowash, Derrick Spooner

This report presents an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated.

May 2016 - Presentation A Quality Attributes Guide for Space Flight Software Architects

Authors: Lorraine Fesq (Jet Propulsion Laboratory), Jonathan Wilmot (Jet Propulsion Laboratory), Daniel Dvorak (Jet Propulsion Laboratory)

This presentation describes a table, generated by NASA's Software Architecture Review Board, that lists 14 key quality attributes, identifies important aspects of each quality attribute, and considers each aspect.

May 2016 - Technical Report A Quality Attributes Guide for Space Flight Software Architects

Authors: Daniel Dvorak (Jet Propulsion), Lorraine Fesq (Jet Propulsion Laboratory)

This presentation describes a table, from NASA's Software Architecture Review Board, of 14 quality attributes to guide development of space mission flight software.

May 2016 - Technical Report A Platform for Provisioning Integrated Data and Visualization Capabilities

Authors: Gerry Giese (Sandia National Laboratories)

In this report, the author provides an overview of the architecture goals, quality attributes, final design, and some lessons learned along the way in creating the virtual data repository and data visualization platform.

May 2016 - Technical Report Using Honeynets and the Diamond Model for ICS Threat Analysis

Topics: Vulnerability Analysis

Authors: John Kotheimer, Kyle O'Meara, Deana Shick

This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure attackers.

May 2016 - Poster Artist Rendering of Keynote: Architecture and the Evolution of Complex Systems

Authors: Joseph Salvo (GE Global Research)

This is an artistic rendering of the keynote talk "Architecture and the Evolution of Complex Systems."

May 2016 - Presentation Can't Find Superheroes to Help You Out of a Crisis? How About Some Architecture and Lots of Superglue?

Authors: Adam Bar-Niv (Intel), Amir Shenhav (Intel)

This is the story of an organization in crisis, struggling to meet project timelines while adhering to high quality, but unable to scale up as technical debt grew.

May 2016 - Presentation Discover Quality Requirements with the Mini-QAW

Authors: Will Chaparro (IBM), Michael Keeling (IBM Watson Group), Thijmen de Gooijer (ABB Corporate Research)

This session walks participants through a mini-QAW simulation, including scenario brainstorming with a system properties web, stakeholder empathy maps, and visual voting.

May 2016 - Presentation MarshmalloWars: A Gamification Experience

Authors: Marcelo Luis Walter (Objective Solutions), Juliano Ribeiro (Objective Solutions)

Gamification is a management technique that is growing in popularity. This talk explains how a software development team used this practice in a variety of scenarios.

May 2016 - Presentation Evolution of a Data-Streaming Solution

Authors: Joseph Paulchel (Capital One)

This talk describes a business need for data collection and streaming that led to a data-streaming solution for delivering messages from many clients to many end points.

May 2016 - Presentation The Tale of Three ATAMs for the Same Project

Authors: Andrzej Knafel (Roche Diagnostics International, Ltd.)

This experience report contains lessons learned from conducting three ATAMs for an IT project of significant size in the domain of the Internet of Things.

May 2016 - Presentation An Inverse Evaluation of Netflix Architecture Using ATAM

Authors: Stefan Toth (embarc Software Consulting GmbH)

This presentation describes an architecture evaluation of a Netflix system based on the Architecture Tradeoff Analysis Method (ATAM) applied in an inverse manner.

May 2016 - Presentation Adapting Architecture Practices to Changing Times—From What to Why and Back Again

Authors: Eltjo Poort (CGI)

CGI developed the Risk- and Cost-Driven Architecture (RCDA) approach to help architects manage the risks and costs associated with complex systems.

May 2016 - Presentation Reflections on Software Architecture

Topics: Software Architecture

Authors: Linda M. Northrop

This talk shares a perspective on the history of software architecture, challenges and trends influencing the need for change, and applicable research and practices.

May 2016 - Presentation Continuous Architecture

Authors: Pierre Pureur (Travelers), Erder Murat (Deutsche Bank)

This talk introduces Continuous Architecture, based on six principles of Agile and Continuous Delivery practices and a set of tools that support them.

May 2016 - Presentation UPDATE Your VIEW on DELETE: The Benefits of Event Sourcing

Authors: Sebastian von Conrad (Envato)

This talk explains what Event Sourcing is, how it differs from object-relational maps, and why you should consider using it, illustrated with practical examples.

May 2016 - Presentation The Journey to Hybrid Cloud: Considerations for Architecting Your Enterprise Roadmap

Authors: Tracy Bannon (Deloitte Consulting LLP), Jacques de Villiers (Deloitte Consulting LLP), Sebnem Tokcan (Deloitte Consulting LLP)

This session covers leading practices and lessons learned about cloud adoption in an international consultancy with experience across multiple business sectors.

May 2016 - Presentation Strategic Prototyping for Developing Big-Data Systems

Authors: Rick Kazman, Serhiy Haziyev (SoftServe, Inc.), Hong-Mei Chen (University of Hawaii), Olha Hrytsay (SoftServe, Inc.)

This session presents RASP (Risk-based, Architecture-centric Strategic Prototyping), a model for cost-effective risk management in Agile and Big Data development.

May 2016 - Presentation Security Design Refinement Through Mapping Tactics to Patterns

Topics: Software Architecture

Authors: Jungwoo Ryoo (Pennsylvania State University), Rick Kazman

This participatory session introduces participants to the concepts of software security, security tactics, and security patterns that underlie software architecture design.

May 2016 - Presentation U.S. Air Force Software Engineering Efficiency and Productivity for Information Operations

Authors: Paul Braden (U.S. Air Force)

The presenter analyzes an example program for sustainability as it progresses through the Air Force's process of being developed and maintained for a year.

May 2016 - Presentation Building a Data-Friendly Platform for a Data-Driven Future

Authors: Ben Hindman (Mesosphere)

This session describes the types of data-processing systems required to keep up with all the events that the Internet of Things will generate and send to data centers.

May 2016 - Presentation A Platform for Provisioning Integrated Data and Visualization Capabilities

Authors: Gerry Giese (Sandia National Laboratories)

This session overviews the architecture goals, quality attributes, final design, and lessons learned in creating a virtual data repository and visualization platform.

May 2016 - Presentation Agile Architecture Roadmapping

Authors: Eltjo Poort (CGI)

The tutorial is based on Risk- and Cost-Driven Architecture (RCDA), an approach developed by CGI that has proven to support solution architects globally in a lean and Agile manner.

May 2016 - Presentation Zen of Software Architecture

Authors: Bett Bollhoefer (GE Digital)

Do you dream of working on a team of enlightened people who create software that users love? Zen is now ready to enable our teams to create software together.

May 2016 - Presentation Going Bezirk: Things Plus Cloud Do Not Equal IoT

Authors: João de Sousa (Robert Bosch LLC), Cory Henson (Robert Bosch LLC)

Bezirk is an architectural framework for the consumer-space IoT being developed at Bosch. This talk describes the framework and showcases applications under development.

May 2016 - Presentation The Demise of Enterprise IT

Authors: Jørn Ølmheim (Statoil ASA)

The role of IT should be to provide software engineering competence and infrastructure to enable a business to create solutions for its challenges.

May 2016 - Presentation Applying Architecture Techniques to Anchor System Evolution Roadmaps

Authors: Alejandro Bianchi (Liveware IS S.A.), Andres Diaz-Pace (UNICEN University)

This presentation describes experiences applying a set of architectural techniques—utility trees, scenarios, and architectural views—to generate an evolution roadmap.

May 2016 - Presentation Architecting Agile Businesses: A Guideline for the Business-Oriented Software Architect

Authors: Kaine Ugwu (Konga Online Shopping, Ltd.)

This presentation suggests a method for architecting Agile businesses using the architecture practice at Konga, an African e-commerce company, as a case study.

May 2016 - Presentation Draw It Out: The Power of Visual Communication

Authors: MJ Broadbent (GE Digital), Amine Chigani (GE Digital)

Presenters package their experiences in UX design and architecture to coach participants through exercises for effective visualization techniques applicable to architects.

May 2016 - Presentation The Business Model Canvas Pattern: From Concept to Product Architecture in an Agile World

Authors: Arila Barnes (GE Digital)

This talk summarizes the Lean Business Canvas, Concept Maps, and Domain-Driven Design patterns and introduces a novel approach to developing product architecture.

May 2016 - Presentation Big Analog Data™, New Architectures to Realize New Insights

Authors: Jamie Smith (National Instruments)

Big Analog Data™ sources are all around us (light, RF signals, vibrations, temperatures). We will need new architectures to manage this data at the edge and in the cloud.

May 2016 - Presentation Bridging System Architecture

Authors: Charles Chow (Deloitte Consulting)

This presentation shows what a home-grown bridging system architecture looks like and how it works end to end to satisfy business needs in terms of system architecture.

May 2016 - Presentation Getting Your System to Production and Keeping It There

Authors: Eoin Woods (Endava)

This session explores why good software development practice is important but ultimately isn't sufficient to create a reliable and effective enterprise system.

May 2016 - Presentation How to Manage a Network of Software Architects Within Your Company

Authors: Frances Paulisch (Siemens Corporate Research), Ruediger Kreuter (Siemens AG)

A key element of the Siemens curriculum is active management of the network of certified architects. This presentation overviews how to manage this network.

May 2016 - Presentation IoT Lab

Authors: Paul Langdon (BLT Robotics)

In this participatory session, participants can see, touch, and use a variety of IoT hardware and sensors to learn how development is done on different platforms.

May 2016 - Presentation Rethinking Software Design

Authors: Daniel Jackson (MIT Computer Science and Artificial Intelligence Laboratory)

This talk presents a new theory of software design that provides a structuring principle for behavior and criteria for identifying good and bad structures.

May 2016 - Presentation Centralized vs. Decentralized Approaches to SOA: Hamilton vs. Jefferson

Authors: Michael Keeling (IBM Watson Group), George Fairbanks (Google)

This session takes an unusual path to explore essential topics in modern SOA, including governance, message passing, orchestration, quality assurance, and deployment.

May 2016 - Presentation Ethics as a Quality Attribute

Authors: Michael Keeling (IBM Watson Group)

In this talk, Keeling proposes that architects have a responsibility to define the ethical framework in the same way that they define other quality attributes.

May 2016 - Presentation Introduction to Scala and Spark

Authors: Brad Rubin (University of St. Thomas)

This presentation describes features of the Scala programming language that make it the first choice for the Apache Spark programming model.

May 2016 - Presentation Chasing Critical Code Anomalies with JSpIRIT

Authors: J. Andres Diaz-Pace (ISISTAN Research Institute), Santiago Vidal (UNICEN and CONICET-Argentina), Claudia Marcos (Universidad Nacional del Centro de la Provincia de Buenos Aires)

JSpIRIT (Java Smart Identification of Refactoring opportunITies) is a recommender system for ranking code smells according to multiple criteria.

May 2016 - Presentation IoT Reference Architectures and Case Studies

Authors: Serhiy Haziyev (SoftServe, Inc.), Yulian Slobodyan (SoftServe, Inc.)

This session uses real-world case studies to share a vision of the current state of standardization for the Internet of Things and describes several reference architectures.

May 2016 - Presentation Beyond REST

Authors: Yogeshwar Srikrishnan (Rackspace)

Writing APIs in a RESTful style is growing in popularity, but not all use cases are good fits. This presentation overviews 10 alternative styles.

May 2016 - Presentation Flow Mapping: Visualizing User Stories Against Complex Interactions

Authors: Amber Haley (Hyperaktiv.co)

Flow mapping enhances decision points and events by appending a layer of user stories and user interactions on a flowchart or process diagram of the journey.

May 2016 - Presentation What Did the Smart Thing Say? Semantic Interoperability for the IoT

Authors: Cory Henson (Robert Bosch LLC), João de Sousa (Robert Bosch LLC)

This talk presents motivating use cases and example technologies to help realize the promise of the Internet of Things, in particular, semantic models and protocols.

May 2016 - Presentation Growing Up with Globalization

Authors: Andrew Turgeon (IBM)

This presentation describes converting a Ruby on Rails web application that didn't consider globalization at its inception, using code to illustrate how best to address it.

May 2016 - Presentation Model-Minded Development

Authors: George Fairbanks (Google)

This presentation introduces Model-Minded Development, which enables senior software developers to track many abstract yet complex models that constrain their code.

May 2016 - Presentation Software Architecture and Design Practices for Industrial IoT

Authors: Alisher Maksumov (GE Digital), Michelangelo Russo (GE Digital)

This session covers GE's experience building an Industrial Internet platform called Predix, its software architecture and design, and practices for addressing IoT challenges.

May 2016 - Presentation Architecting for Application Security

Authors: Tim Kertis (Raytheon)

The Secure Coding Framework prevents developers from silently triggering errors that lead to cyber vulnerabilities and enhances secure coding efforts.

May 2016 - Presentation Code Review Is an Architectural Necessity

Authors: Colin Dean (IBM)

This presentation focuses on quality attributes valued by a team that conducts code reviews, and how code review enables these attributes in a system architecture.

May 2016 - Presentation 12 Factor Apps: A Scorecard

Authors: Matt Momont (GE Digital)

Are you building applications that run in the cloud? This session presents "12 Factor Apps: A Scorecard" to help you evaluate your application's cloud-readiness.

May 2016 - Presentation Frankensteining Software: Recycling Parts of Legacy Systems

Authors: Jennifer Manning (IBM), Joseph Kramer (IBM)

This session covers software modularity and experiments to improve decision making and reduce risks, and analyzes a legacy system to inform decisions for future design.

May 2016 - Presentation Microservices Beyond the Hype

Authors: Paulo Merson (Brazilian Federal Court of Accounts)

This talk answers questions about microservices vs. monoliths and discusses important SOA patterns that can help achieve common SOA quality requirements.

May 2016 - Presentation Architectural Refactoring

Authors: David Adsit (Pluralsight)

This session covers the evolution of the system of applications at Pluralsight as it grew from 4 to 80 developers and from 1 to 6 technology stacks in 4 years.

May 2016 - Presentation Cognitive IoT

Authors: Amit Fisher (IBM Watson)

The IBM Watson IoT platform extends the power of cognitive computing to the billions of connected devices, sensors, and systems that comprise the Internet of Things.

May 2016 - Presentation Evolutionary Architecture

Authors: Patrick Kua (ThoughtWorks)

This talk explores what evolutionary architecture is, concrete practices that architects use to build evolvable systems, and what makes building them easier.

May 2016 - Presentation Architecture-Led Pedagogical Artifacts as a Unifying Theme

Authors: John McGregor (Clemson University), Roselane Silva (Federal University of Bahia)

This session presents a set of pedagogical artifacts that illustrates the use of software architecture information to support multiple graduate courses.

May 2016 - Presentation IoT in Statoil: Present and Future

Authors: Jørn Ølmheim (Statoil ASA), Jarle Kallevik (Statoil ASA), Einar Landre (Statoil ASA), Harald Wesenberg (Statoil ASA)

This presentation overviews Statoil's experience with the types of devices that are called the Internet of Things and some challenges and opportunities in this area.

May 2016 - Presentation Abstracting the Unknown

Authors: Grady Booch (IBM)

This presentation considers what we know about software architecture, and then considers the systems that will stretch us technically, socially, and ethically.

April 2016 - Conference Paper Managing Technical Debt in Software Engineering

Authors: Paris Avgeriou (University of Groningen, The Netherlands), Philippe Kruchten, Ipek Ozkaya, Carolyn Seaman (University of Maryland Baltimore County)

This report documents the program and outcomes of Dagstuhl Seminar 16162, “Managing Technical Debt in Software Engineering.” We summarize the goals and format of the seminar.

April 2016 - White Paper The QUELCE Method: Using Change Drivers to Estimate Program Costs

Topics: Measurement and Analysis

Authors: Sarah Sheard

This report introduces the Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE) method for estimating program costs early in a development lifecycle.

April 2016 - Technical Report A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology

Authors: Deana Shick, Kyle O'Meara

As they constantly change network infrastructure, adversaries consistently use and update their tools. This report presents a way for researchers to begin threat analysis with those tools rather than with network or incident data alone.

April 2016 - Presentation Managing Technical Debt in Software Engineering

Authors: Paris Avgeriou (University of Groningen, The Netherlands), Philippe Kruchten, Ipek Ozkaya, Carolyn Seaman (University of Maryland Baltimore County)

This report documents the program and outcomes of Dagstuhl Seminar 16162, “Managing Technical Debt in Software Engineering.”

April 2016 - Podcast Open Systems Architectures: When & Where to Be Closed

Topics: Acquisition Support

Authors: Donald Firesmith

Don Firesmith discusses how acquisition professionals and system integrators can apply OSA practices to effectively decompose large, monolithic business and technical architectures into manageable and modular solutions.

April 2016 - Webinar Structuring the Chief Information Security Officer Organization

Topics: Risk and Opportunity Management

Authors: Julia H. Allen, Nader Mehravari

This webinar described a CISO organizational structure and functions for a typical large, diverse organization using input from CISOs, policies, frameworks, maturity models, standards, and codes of practice.

April 2016 - White Paper On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle

Topics: Vulnerability Analysis

Authors: Dan J. Klinedinst, Christopher King

This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.

April 2016 - Technical Report 2016 Emerging Technology Domains Risk Survey

Topics: Pervasive Mobile Computing

Authors: Christopher King, Dan J. Klinedinst, Todd Lewellen, Garret Wassermann

This report provides a snapshot in time of our current understanding of future technologies.

April 2016 - Article Using Dynamic Models to Support Inferences of Insider Threat Risk

Topics: Insider Threat

Authors: Paul J. Sticha (Human Resources Research Organization), Elise T. Axelrad (Human Resources Research Organization)

In this paper, the authors present a system dynamics model that incorporates psychological factors to simulate the pathway to insider attack.

April 2016 - Article Compliance Signaling Games: Toward Modeling the Deterrence of Insider Threats

Topics: Insider Threat

Authors: William Casey, Jose A. Morales, Evan Wright, Quanyan Zhu (New York University), Bud Mishra (New York University)

In this paper, the authors analyze how the dynamics of compliance games illuminate the effectiveness or risks of an organizational policy.

April 2016 - Article Inadvertent Leaks: Exploration via Agent-Based Dynamic Network Simulation

Topics: Insider Threat

Authors: Kathleen Carley (Carnegie Mellon School of Computer Science), Geoffrey P. Morgan (Carnegie Mellon School of Computer Science)

In this paper, the authors describe the results of using their network model to simulate the flow of sensitive information in organizations.

April 2016 - Article An Agent-Based Approach to Modeling Insider Threat

Topics: Insider Threat

Authors: John A. Sokolowski (Old Dominion University), Catherine M. Banks (Old Dominion University), Thomas J. Dover (Federal Bureau of Investigation)

In this paper, the authors describe the modeling of the potential of an organization to develop an insider threat given certain attributes of its culture.

April 2016 - Article Introduction to the Special Issue on Insider Threat Modeling and Simulation

Topics: Insider Threat

Authors: Andrew P. Moore, Kirk A. Kennedy (Federal Bureau of Investigation), Thomas J. Dover (Federal Bureau of Investigation)

In this publication, the authors introduce the area of insider threat modeling and simulation generally, and discuss the range of methods used in the research papers of the Special Issue.

April 2016 - Conference Paper Creating Software Modernization Roadmaps: The Architecture Options Workshop

Topics: Software Architecture

Authors: Neil Ernst, Mary Popeck, Felix Bachmann, Patrick Donohoe

This paper introduces the Architecture Options Workshop, which addresses the problems of moving from identified system risks to potential design options.

April 2016 - Conference Paper Missed Architectural Dependencies: The Elephant in the Room

Topics: Software Architecture

Authors: Robert Nord, Raghvinder Sangwan, Julien Delange, Peter H. Feiler, Luke Thomas (Indiana University–Purdue University), Ipek Ozkaya

This paper presents an in-depth study of a safety-critical system that underwent major changes as a result of missed architectural dependencies.

March 2016 - Webinar Using Network Flow to Gain Cyber Situational Awareness

Topics: Network Situational Awareness

Authors: Sid Faber

During this webinar we discussed the foundations of cyber situational awareness and how to apply situational awareness concepts to the cyber domain.

March 2016 - Webinar Context Enabled Computing

Topics: Cyber-Physical Systems, Pervasive Mobile Computing

Authors: Jeff Boleng, Marc Novakouski

In this webinar, we covered a wide variety of research activities associated with our efforts to better leverage context for information delivery and sensor tasking.

March 2016 - Podcast Effective Reduction of Avoidable Complexity in Embedded Systems

Topics: Software Architecture

Authors: Julien Delange

Dr. Julien Delange discusses the Effective Reduction of Avoidable Complexity in Embedded Systems (ERACES) project, which aims to identify and remove complexity in software models.

March 2016 - Podcast Toward Efficient and Effective Software Sustainment

Topics: Acquisition Support

Authors: Mike Phillips

Mike Phillips discusses effective sustainment engineering efforts in the Army and Air Force, using examples from across their software engineering centers and how they tie in to SEI research.

March 2016 - Podcast Quality Attribute Refinement and Allocation

Topics: Software Architecture

Authors: Neil Ernst

Dr. Neil Ernst discusses industry practices such as slicing and ratcheting used to develop business capabilities and suggests approaches to enable large-scale iteration.

March 2016 - White Paper Malware Capability Development Patterns Respond to Defenses: Two Case Studies

Topics: Malware Analysis

Authors: Kyle O'Meara, Deana Shick, Jonathan Spring, Ed Stoner

In this paper, the authors describe their analysis of two case studies to outline the relationship between adversaries and network defenders.

February 2016 - Podcast Is Java More Secure Than C?

Topics: Secure Coding

Authors: David Svoboda

In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.

February 2016 - Technical Report Cyber-Foraging for Improving Survivability of Mobile Systems

Topics: Pervasive Mobile Computing

Authors: Sebastián Echeverría (Universidad de los Andes), Grace Lewis, James Root, Ben W. Bradshaw

This report presents an architecture and experimental results that demonstrate that cyber-foraging using tactical cloudlets increases the survivability of mobile systems.

February 2016 - Presentation Measuring What Matters

Topics: Cybersecurity Engineering, Measurement and Analysis

Authors: Lisa R. Young

In this presentation, Lisa Young discusses how to measure the things that matter to your business.

February 2016 - Video SEI Cyber Minute: Secure Coding Certificates

Authors: Robert Schiela

Bob Schiela discusses the "CERT Secure Coding Certificates."

February 2016 - Podcast Identifying the Architectural Roots of Vulnerabilities

Topics: Software Architecture, Vulnerability Analysis

Authors: Rick Kazman, Carol Woody

In this podcast, Rick Kazman and Carol Woody discuss an approach for identifying architecture debt in a large-scale industrial software project by modeling software architecture as design rule spaces.

February 2016 - Podcast Build Security In Maturity Model (BSIMM) – Practices from Seventy Eight Organizations

Topics: Software Assurance, Secure Coding, Cybersecurity Engineering

Authors: Gary McGraw, Lisa R. Young

In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.

January 2016 - Video SEI Cyber Minute: CMU CISO Executive Certificate

Authors: Summer C. Fowler

Summer Craze Fowler discusses the CMU CISO Executive Certificate.

January 2016 - Webinar DevOps Security

Topics: Cybersecurity Engineering

Authors: Timothy Palko, Chris Taschner

In this presentation, Tim Palko and Chris Taschner explore some of the security-related topics and expectations that can be addressed when planning and changing your process to accommodate DevOps practices.

January 2016 - Webinar A Taxonomy of Testing Types

Topics: Acquisition Support

Authors: Donald Firesmith

Watch Donald Firesmith discuss a taxonomy of testing types, thereby clarifying the grand scope of testing and enabling the attendee to better select the appropriate types of testing for their specific needs.

January 2016 - Presentation The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing

Topics: Network Situational Awareness

Authors: Jeremiah O'Connor (OpenDNS), Thibault Reuille (OpenDNS)

This presentation focuses on how to build a scalable machine learning infrastructure in real-time.

January 2016 - Presentation Network Security Analytics, HPC Platforms, Hadoop, and Graphs.. Oh, My

Topics: Network Situational Awareness

Authors: Aaron Bossert (Cray, Inc.)

This presentation describes the techniques and approach that Cray, Inc. uses to discover malicious activity.

January 2016 - Presentation Netflow Analysis - Intrusion Detection, Protection, and Usage Reporting

Topics: Network Situational Awareness

Authors: Jonzy Jones (University of Utah)

This presentation covers detecting problematic traffic via NetFlow and the use of traffic alerts and daily reports.

January 2016 - Presentation Minimizing the Gaps with Bro, GRR, and Elk (Brogrrelk)

Topics: Network Situational Awareness

Authors: David Zito (Northrop Grumman Information Systems)

The presentation describes a solution that allows incident responders to conduct multiple data collection tasks from one platform.

January 2016 - Presentation Classifying Encrypted Traffic with TLS-Aware Telemetry

Topics: Network Situational Awareness

Authors: Blake Anderson (Cisco Systems, Inc.), David McGrew (Cisco Systems, Inc.), Alison Kendler (Cisco Systems, Inc.)

In this presentation, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements.

January 2016 - Podcast An Interview with Grady Booch

Topics: Performance and Dependability

Authors: Grady Booch

During a recent visit to the SEI, Grady Booch, chief scientist for IBM and author of the Unified Modeling Language, sat down for an interview with SEI Fellow Nancy Mead for the SEI Podcast Series.

January 2016 - Article CYBURGH, PA: Using Technology Wisely to Protect Your Organization

Authors: Greg Porter (Heinz College at Carnegie Mellon University)

In this teQ Magazine article, Greg Porter discusses the role technology plays in solving today's cybersecurity challenges.

January 2016 - Article CYBURGH, PA: Solving the Workforce Shortfall in Cybersecurity

Topics: Cyber Risk and Resilience Management, Workforce Development

Authors: Christopher May

In this teQ Magazine article, Chris May discusses how the cybersecurity workforce shortage hampers our ability to deal with cyberattacks and data breaches.

January 2016 - Article CYBURGH, PA: Using Process to Tame Technology

Topics: Cyber Risk and Resilience Management

Authors: Matthew J. Butkovic

In this teQ Magazine article, Matt Butkovic discusses the role process plays in solving today's cybersecurity challenges.

January 2016 - Presentation Making the Most of a Lot [of Data]: Netflow in US-CERT Operations

Topics: Network Situational Awareness

Authors: Chad Hein (Phia, LLC)

In this FloCon 2016 presentation, the author reviews uses of netflow in US-CERT's daily monitoring, analysis, and incident response operations.

January 2016 - Presentation Intelligence Driven Malware Analysis (IDMA) Malicious Profiling

Topics: Network Situational Awareness

Authors: Casey Kahsen (Northrop Grumman Corporation)

This presentation discusses how behavioral markers of malware can be used as a focal point for malware analysis to augment and enhance threat intelligence and information sharing.

January 2016 - Presentation Graph Analysis Techniques for Network Flow Records Using Open Cyber Ontology Group (OCOG) Format

Topics: Network Situational Awareness

Authors: Robert Techentin (Mayo Clinic), David R. Holmes (Mayo Clinic), James C. Nelms (Mayo Clinic), Barry K. Gilbert (Mayo Clinic)

In this FloCon 2016 presentation, the author describes integrating network flow data in the OCOG format with other data sources and presents practical queries and results of graph analysis.

January 2016 - Presentation Gosh Wow, Volusia Networks!

Topics: Network Situational Awareness

Authors: Brian Whiting

This FloCon 2016 presentation describes network operations at Volusia County, Florida.

January 2016 - Presentation Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis

Topics: Network Situational Awareness

Authors: Jason Trost (ThreatStream, Inc.)

In this FloCon 2016 presentation, the author discusses his experiences with analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes.

January 2016 - Presentation Detecting Traffic to Recently Unparked Domains with Analysis Pipeline

Topics: Network Situational Awareness

Authors: Daniel Ruef

In this presentation, the authors discuss using Analysis Pipeline to detect (1) changes in the control plane and (2) data going to recently unparked IP addresses.

January 2016 - Presentation Data Fusion: Enhancing NetFlow Graph Analytics

Topics: Network Situational Awareness

Authors: Emilie Purvine, Bryan Olsen (Pacific Northwest National Laboratory), Cliff Joslyn (Pacific Northwest National Laboratory)

In this FloCon 2016 presentation, the authors explain RDP logins and why they are important to analyze in the context of NetFlow.

January 2016 - Presentation Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware

Topics: Network Situational Awareness

Authors: Mark Mager

In this FloCon 2016 presentation, the author provides a brief summary of common C2 TTPs observed during 2015.

January 2016 - Presentation Better Reporting Guidelines for Better Data

Topics: Network Situational Awareness

Authors: Christopher Washington (Department of Homeland Security), Brian Allen (US-CERT)

This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

January 2016 - Presentation A Meaningful Metric for IPv4 Addresses

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf

This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

January 2016 - Presentation Suricata Tutorial

Topics: Network Situational Awareness

Authors: Victor Julien, Eric Leblond

This presentation demonstrates the dynamic capabilities of Suricata, a widely used open source IDS/IPS engine.

January 2016 - Presentation Using Domain Name Registrant Information to Identify Malicious Domains

Topics: Network Situational Awareness

Authors: Mark Langston

In this FloCon presentation, the author describes how phony registrant addresses may be predictive of future bad behavior from domains not yet known to be malicious.

January 2016 - Presentation Understanding Network Traffic Through Intraflow Data

Topics: Network Situational Awareness

Authors: David McGrew (Cisco Systems, Inc.), Blake Anderson (Cisco Systems, Inc.)

In this presentation, the authors describe experiments to collect intraflow data from network taps, endpoints, and malware sandbox runs.

January 2016 - Presentation Sources and Applications of Performance and Security-Augmented Flow Data

Topics: Network Situational Awareness

Authors: Avi Freedman (Kentik Technologies)

This FloCon 2016 presentation includes a survey of traditional and non-traditional sources of augmented flow data.

January 2016 - Presentation Situational Awareness Threat Report (SATR)

Topics: Network Situational Awareness

Authors: Stacie Green (Northrop Grumman Corporation), Casey Kahsen (Northrop Grumman Corporation)

This FloCon 2016 presentation describes US-CERT's Cyber Hygiene Project and its results.

January 2016 - Presentation Role Model Transformations for Flow Analysis in Cyberdefense

Topics: Network Situational Awareness

Authors: John Gerth (Stanford University)

In this presentation, the author shows mathematical operations that can be used to transform between and organize flow data for different role models.

January 2016 - Presentation Planning Curricula for the Network Traffic Analyst of 2018-2020

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall

This FloCon 2016 presentation describes the likely skills, abilities, and challenges for network traffic analysts in the next three to five years.

January 2016 - Presentation New DNS Traffic Analysis Techniques to Identify Global Internet Threats

Topics: Network Situational Awareness

Authors: Dhia Mahjoub (OpenDNS), Thomas Mathew (OpenDNS)

In this presentation, the authors describe how they extracted domains associated with exploit kit, DGA, and spam-run campaigns from their worldwide live DNS traffic.

January 2016 - Presentation Network Monitoring and Deceptive Defenses

Topics: Network Situational Awareness

Authors: Michael Collins (RedJack), Brian Satira (Noblis)

In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.

January 2016 - Presentation Netflow in Daily Information Security Operations

Topics: Network Situational Awareness

Authors: Mike Pochan

In this FloCon 2016 presentation, the author describes how the SEI utilizes free netflow collection and analysis tools to strengthen its enterprise security posture.

January 2016 - Presentation Monitoring and Classification of Active IPv6 Addresses

Topics: Network Situational Awareness

Authors: David Plonka (Akamai)

In this presentation, the author introduces IP address classification methods and how IPv6 addresses are more than just larger IP addresses.

January 2016 - Presentation Merging Network Configuration and Network Traffic Data in ISP-Level Analyses

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall

This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

January 2016 - Presentation Keynote: Achieving a Secure and Resilient Cyber Ecosystem: A Way Ahead

Topics: Network Situational Awareness

Authors: Dr. Peter M. Fonash (Department of Homeland Security, CS&C)

This keynote presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

January 2016 - Presentation Network Traffic Analysis - SiLK

Topics: Network Situational Awareness

Authors: Paul Krystosek, Matthew Heckathorn

This presentation, given at FloCon 2016, introduces you to network flow analysis using the CERT open source SiLK tool suite.

January 2016 - Podcast The SEI Fellows Series: Nancy Mead

Topics: Workforce Development, Performance and Dependability

Authors: Nancy R. Mead

This podcast, featuring an interview with Dr. Nancy Mead, is the first in a series highlighting interviews with SEI Fellows.

January 2016 - Article Reducing Friction in Software Development

Topics: Software Architecture

Authors: Paris Avgeriou (University of Groningen, The Netherlands), Philippe Kruchten, Robert Nord, Ipek Ozkaya, Carolyn Seaman (University of Maryland Baltimore County)

Getting ahead of the software quality and innovation curve will involve establishing technical-debt management as a core software engineering practice.

January 2016 - Article What Makes an Architect Successful?

Topics: Software Architecture

Authors: John Klein

A proposed model identifies the skills that a successful software architect needs at each phase of a development effort and helps explain common failure patterns.

December 2015 - White Paper DoD Software Factbook

Topics: Acquisition Support, Measurement and Analysis

Authors: Brad Clark, James McCurley, David Zubrow

This DoD Factbook is an initial analysis of software engineering data from the perspective of policy and management questions about software projects.

December 2015 - Special Report Architecture-Led Safety Analysis of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System

Topics: Software Architecture

Authors: Peter H. Feiler

This report summarizes an architecture-led safety analysis of the aircraft-survivability situation-awareness system for the Joint Multi-Role vertical lift program.

December 2015 - Special Report Requirements and Architecture Specification of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System

Topics: Software Architecture

Authors: Peter H. Feiler

This report describes a method for capturing information from requirements documents in AADL and the draft Requirement Definition & Analysis Language Annex.

December 2015 - Special Report Potential System Integration Issues in the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System

Topics: Software Architecture

Authors: Peter H. Feiler, John J. Hudak

This report describes a method for capturing information from requirements documents in AADL to identify potential integration problems early in system development.

December 2015 - Conference Paper Model Checking with Multi-threaded IC3 Portfolios

Authors: Sagar Chaki, Derrick Karimi

This paper presents three variants of multi-threaded IC3s for model checking hardware, differing by degree of synchronization and aggressiveness of proof checking.

December 2015 - Podcast Structuring the Chief Information Security Officer Organization

Authors: Nader Mehravari, Julia H. Allen, Lisa R. Young

In this podcast, Nader Mehravari and Julia Allen, members of the CERT Cyber Risk Management team, discuss an effective approach for defining a CISO team structure and functions for large, diverse organizations.

December 2015 - Technical Report Extending AADL for Security Design Assurance of Cyber-Physical Systems

Topics: Cyber-Physical Systems

Authors: Robert J. Ellison, Allen D. Householder, John J. Hudak, Rick Kazman, Carol Woody

This report demonstrates the viability and limitations of using the Architecture Analysis and Design Language (AADL) through an extended example that allows for specifying and analyzing the security properties of an automotive electronics system.

December 2015 - White Paper Cybersecurity Considerations for Vehicles

Topics: Cybersecurity Engineering

Authors: Mark Sherman, Jens Palluch (Method Park)

In this paper the authors discuss the number of ECUs and software in modern vehicles and the need for cybersecurity to include vehicles.

December 2015 - Conference Paper Dynamic Parallelism for Simple and Efficient GPU Graph Algorithms

Authors: Peter Zhang (Indiana University), Eric Holk (Indiana University), John Matty, Samantha Misurda, Marcin Zalewski (Indiana University), Jonathan Chu, Scott McMillan, Andrew Lumsdaine (Indiana University)

Presented at the 2015 Supercomputing Conference, this paper shows that dynamic parallelism enables relatively high-performance graph algorithms for GPUs.

December 2015 - Special Report Intelligence Preparation for Operational Resilience (IPOR)

Topics: Cyber Risk and Resilience Management

Authors: Douglas Gray

The author describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).

December 2015 - Technical Report Evaluating and Mitigating the Impact of Complexity in Software Models

Topics: Software Architecture

Authors: Julien Delange, Jim McHale, John J. Hudak, William Nichols, Min-Young Nam

This report defines software complexity, metrics for complexity, and the effects of complexity on cost and presents an analysis tool to measure complexity in models.

December 2015 - Conference Paper Blacklist Ecosystem Analysis

Topics: Cybersecurity Engineering

Authors: Leigh B. Metcalf, Jonathan Spring

In this paper, the authors compare the contents of 86 Internet blacklists to provide a view of the whole ecosystem of blocking network touch points and blacklists.
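The entry above describes comparing the contents of many blacklists to characterize the blocking ecosystem. The block below is an added illustration written for this listing, not the analysis code from the Metcalf and Spring paper; it computes pairwise Jaccard overlap, the number of indicators unique to each feed, and a consensus set over three constructed sample feeds (the feed names and addresses are hypothetical, drawn from documentation ranges).

```python
"""Added example: pairwise overlap between IP blacklists.

Illustrative code written for this listing, not the analysis code from
the Blacklist Ecosystem Analysis paper. The three feeds below are
constructed sample data, not real blacklists.
"""
from itertools import combinations
from typing import Dict, Set, Tuple

# Constructed sample feeds (hypothetical names; RFC 5737 documentation addresses).
SAMPLE_LISTS: Dict[str, Set[str]] = {
    "feed_a": {"198.51.100.10", "198.51.100.11", "203.0.113.5", "192.0.2.77"},
    "feed_b": {"198.51.100.10", "203.0.113.5", "203.0.113.6"},
    "feed_c": {"192.0.2.77", "192.0.2.78", "192.0.2.79", "198.51.100.10"},
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity |A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(lists: Dict[str, Set[str]]) -> Dict[Tuple[str, str], float]:
    """Jaccard similarity for every unordered pair of feeds, keyed by sorted names."""
    return {
        (x, y): jaccard(lists[x], lists[y])
        for x, y in combinations(sorted(lists), 2)
    }


def unique_coverage(lists: Dict[str, Set[str]]) -> Dict[str, int]:
    """Count of indicators that appear on exactly one feed, per feed.

    A high count means the feed adds coverage the others lack; a low count
    means it is largely redundant with the rest of the ecosystem.
    """
    count: Dict[str, int] = {}
    for name, entries in lists.items():
        others = set().union(*(v for k, v in lists.items() if k != name))
        count[name] = len(entries - others)
    return count


def consensus(lists: Dict[str, Set[str]], min_lists: int = 2) -> Set[str]:
    """Indicators present on at least `min_lists` feeds."""
    tally: Dict[str, int] = {}
    for entries in lists.values():
        for indicator in entries:
            tally[indicator] = tally.get(indicator, 0) + 1
    return {indicator for indicator, n in tally.items() if n >= min_lists}


if __name__ == "__main__":
    for (x, y), score in pairwise_overlap(SAMPLE_LISTS).items():
        print(f"{x} vs {y}: jaccard={score:.2f}")
    print("unique per feed:", unique_coverage(SAMPLE_LISTS))
    print("on >=2 feeds:", sorted(consensus(SAMPLE_LISTS)))
```

On the sample data the feeds overlap only weakly (Jaccard 0.40, 0.33 and 0.17), and feed_c contributes the most unique indicators; the same three measures scale unchanged to any number of feeds loaded from files.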

November 2015 - Webinar Cyber-Vulnerabilities in Aviation Today

Topics: Cyber-Physical Systems, Cyber Risk and Resilience Management, Vulnerability Analysis

Authors: Robert Behler

SEI Chief Operating Officer Robert F. Behler discusses cyber vulnerabilities in aviation today.

November 2015 - Webinar Web Traffic Analysis with CERT Tapioca

Topics: Vulnerability Analysis

Authors: Will Dormann

Will Dormann discusses a tool that shows whether a connection to the web is secure and what information is being transmitted.

November 2015 - Special Report Cyber + Culture Early Warning Study

Authors: Char Sample

This study was designed to profile cyber actors, and to examine the time interval between cyber and kinetic events in order to gain greater insights into nation-state cyber responses to kinetic events.

November 2015 - Webinar Enhancing Mobile Device Security

Topics: Cybersecurity Engineering, Pervasive Mobile Computing

Authors: Jose A. Morales

Jose Morales discusses mobile device security enhancements with defensive and offensive uses.

November 2015 - Webinar Generalized Automated Cyber-Readiness Evaluator (ACE)

Topics: Workforce Development

Authors: Rotem D. Guttman

Rotem Guttman discusses how mission-readiness can be assessed at a DoD scale.

November 2015 - Webinar Finding Related Malware Samples Using Run-Time Features

Topics: Malware Analysis

Authors: Rhiannon Weaver

Rhiannon Weaver discusses how a small subset of features from dynamic malware analysis can help to uncover possible relationships among files and to direct static reverse engineering efforts.

November 2015 - Webinar Resilience Panel Discussion

Topics: Cyber Risk and Resilience Management

Authors: Matthew J. Butkovic, Katie C. Stewart

CERT researchers discuss risk management and resilience.

November 2015 - Webinar DevOps Panel Discussion

Topics: Cybersecurity Engineering

Authors: Kevin Fall, Hasan Yasar, Joseph D. Yankel

CERT researchers discuss DevOps and its relationship to cybersecurity and the dynamic threat.

November 2015 - Webinar Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps

Topics: Cyber Risk and Resilience Management, Cybersecurity Engineering, Network Situational Awareness

Authors: Lori Flynn, William Klieber

Will Klieber and Lori Flynn discuss undesired flows of sensitive information within and between Android apps.

November 2015 - Webinar CERT® Alignment with Cyber COI Challenges and Gaps

Topics: Cyber Risk and Resilience Management, Cybersecurity Engineering, Vulnerability Analysis

Authors: Greg Shannon

Greg Shannon discusses the CERT Division's current work associated with cyber community of interest (COI).

November 2015 - Presentation Keynote: A Case Study of Toyota Unintended Acceleration and Software Safety

Authors: Philip Koopman (Carnegie Mellon University)

This talk outlines key events in the still-ongoing Toyota unintended acceleration story and pulls together the technical issues that have been discovered by NASA and other experts.

November 2015 - Presentation Keynote: Gaps in Science and Technology Activities for the IT Acquisition of Business Systems

Authors: Arun Seraphin

In this presentation, Mr. Seraphin summarizes congressional concerns about gaps in science and technology activities related to the IT acquisition of business systems.

November 2015 - Presentation Keynote: Speed with Discipline

Authors: Tim Rudolph

This presentation describes an approach for achieving software security assurance while keeping the desired pace of releasing new capabilities.

November 2015 - Presentation Experiences in Migrations of Legacy Systems

Authors: William G. Wood, Michael J. Gagliardi, Philip Bianco

This presentation describes a rational way for modernizing a legacy system using system architectural concepts to develop architectural options, create a scorecard, apply the scorecard, and present the results with recommendations to decision makers.

November 2015 - Presentation Moving to the IC Cloud

Authors: Eric Werner

This presentation explores up-and-coming cloud technologies used by members of the intelligence community along with some of the challenges and opportunities they present.

November 2015 - Presentation Busting Silos & Red Tape: DevOps in Federal Government

Authors: Aaron Volkmann

In this presentation, the author describes how the SEI helped shift a government stakeholder's thinking through coaching and initiating DevOps in the organization's operational and development environments.

November 2015 - Presentation Contracting Officer’s Representative (COR) Interactive SharePoint Wiki

Authors: James Smith, Andrew Boyd

This presentation shows the creation of a single point of reference consisting of a curated set of DoD and local documents, templates, and checklists to aid the COR and promote information sharing and collaboration.

November 2015 - Presentation Open Systems Architecture: Progress and Challenges

Authors: Forrest Shull, Harry L. Levinson, Thomas DuBois (The Boeing Company), Michael S. Bandor, Douglas Schmidt (Vanderbilt University), Michael McLendon

Panel members discussed OSA from several perspectives, including technical engineering, policy, contracting, and science and technology research.

November 2015 - Presentation Building Secure Software for Mission Critical Systems (2015)

Authors: Mark Sherman

This presentation explores the expanding landscape of vulnerabilities that accompanies an increasing reliance on software and examines key steps to help mitigate the increased risk.

November 2015 - Presentation Managing Software and System Complexity

Authors: Sarah Sheard

This presentation discusses the research the SEI is doing to determine what characteristics of avionics systems can be measured to help evaluate whether a system is capable of being certified as safe.

November 2015 - Presentation Performance Metrics That Matter: Eliminating Surprises in Agile Projects

Authors: Girish Seshagiri (Ishpi Information Technologies, Inc)

This presentation focuses on how the government can experience true agility with quality. It describes the challenges the author's organization faced using agile and how they were successfully overcome.

November 2015 - Presentation Technical Debt: Why Should You Care?

Authors: Ipek Ozkaya, Robert Nord

This presentation explores common fallacies about technical debt and includes possible actions that development teams can take to better manage it.

November 2015 - Presentation Government As the Integrator: Why, Why Not, and How?

Authors: William E. Novak, James Smith

This presentation identifies many of the factors that determine whether government as the integrator (GATI) is more likely to be successful in certain domains and circumstances.

November 2015 - Presentation What Happens and How: Analyzing the Results of 13 Acquisition Program Assessments

Authors: William E. Novak, Forrest Shull

This presentation explains a set of recurring dynamics that drive the key high-level findings of independent technical assessments and provides qualitative models of each adverse behavior.

November 2015 - Presentation Dashing All the Way: Defining the Best Dashboard for Your Program

Authors: Tom Merendino, Michael S. Bandor, Robert Ferguson

This presentation shows a program dashboard representation used in some Air Force programs to aggregate the data being reported and includes methods that provide some insight into schedule risk.

November 2015 - Presentation Tactical Cloudlets: Moving Cloud Computing to the Tactical Edge

Authors: Grace Lewis, James Root, Dan J. Klinedinst, Keegan M. Williams, Ben W. Bradshaw, Sebastián Echeverría (Universidad de los Andes)

This presentation explains the tactical cloudlet concept and describes an implementation targeted at promoting the survivability of mobile systems.

November 2015 - Presentation A Systematic Method for Big Data Technology Selection

Authors: John Klein

This talk discusses why prototyping is necessary for evaluating big data technology and how the LEAP4BD method provides a systematic framework for technology evaluation.

November 2015 - Presentation Scaling Agile Methods for Major Defense Programs: Frameworks and Methods in Use Today

Authors: Will Hayes, Mary Ann Lapham

This presentation addresses what is meant by scaling, contextual drivers for implementation choices, and the agile frameworks available for use today.

November 2015 - Presentation Measurement and Analysis in the Real World: Tools for Cleaning Messy Data

Authors: Software Engineering Institute

This presentation includes a brief demonstration of tools created by SEI staff that help scan, analyze, and prepare data to be used on a weekly metrics report.

November 2015 - Presentation A Defect Prioritization Method Based on the Risk Priority Number

Authors: Will Hayes, Robert Ferguson, Julie B. Cohen

This presentation presents a defect-prioritization method based on a risk priority number, which will help program offices establish priorities for updating systems.

November 2015 - Presentation Implementing Product Development Flow: The Key to Managing Large Scale Agile Development

Authors: Will Hayes

In this presentation, you will learn about the sound principles and engineering-minded tradeoffs that occur when agile methods are applied successfully.

November 2015 - Presentation SoS Architectures - Identifying Architecture, Engineering and Capability Challenges Early in the Lifecycle

Authors: Michael J. Gagliardi, Timothy Morrow, William G. Wood

The SEI has applied its Mission Thread Workshop (MTW) approach on a variety of system of systems (SoS) architectures in DoD organizations. This talk presents the MTW in the context of a DoD mission-critical SoS example.

November 2015 - Presentation Paying Due Diligence to Software Architecture in Acquisition

Authors: Michael J. Gagliardi, Timothy Morrow

This presentation describes approaches that the SEI has used with program offices to adopt software architecture and quality attribute practices in acquisition contexts.

November 2015 - Presentation Common System and Software Testing Pitfalls

Authors: Donald Firesmith

This presentation discusses a taxonomy of 167 testing anti-patterns that the author analyzed and fully documented, describing each pitfall and providing recommendations for avoiding them and mitigating their harm.

November 2015 - Presentation From Virtual System Integration to Incremental Lifecycle Assurance

Authors: Peter H. Feiler

This presentation discusses problems associated with the increasing complexity of software systems that are threatening industry's ability to build the next generation of safety-critical embedded systems.

November 2015 - Presentation Keynote: SEI Research Program

Authors: Kevin Fall

This presentation summarizes the SEI's research program, including topics in software development, vulnerability discovery, digital forensics, malware analysis, embedded systems, formal methods, cyber training, and risk management.

November 2015 - Presentation A Case Study: Experiences with Agile and Lean Principles

Authors: Jeff Davenport

This case study tells the story of the development of a critical IT system in the U.S. federal government and is written so that other government entities can benefit from the implementation experiences.

November 2015 - Presentation Intellectual Property Rights: Why You Should Care and How to Manage Them

Authors: Julie B. Cohen, Eileen Wrubel

This presentation discusses strategies and language for addressing IP rights throughout the acquisition lifecycle.

November 2015 - Presentation The Joint Fire Science Program (JFSP) and the Interagency Fuels Treatment Decision Support System (IFTDSS)

Authors: Steve Palmquist, John H. Cissel (Joint Fire Science Program)

This presentation describes how the interagency Joint Fire Science Program developed and assessed the Interagency Fuel Treatment Decision Support System to meet the needs of the wildland fire community for fuel-treatment planning.

November 2015 - Presentation Elicitation of Unstated Needs

Authors: Mary Beth Chrissis, Robert W. Stoddard, Michael D. Konrad

This presentation covers the KJ method and additional extensions that allow KJ to be used in a virtual environment (KJ+). The results of a KJ+ case study and two brief exercises are included.

November 2015 - Presentation Engineering High-Assurance Software for Distributed Adaptive Real-Time Systems

Authors: Mark H. Klein, Sagar Chaki, Dionisio de Niz

This presentation describes an evidence-based approach for producing high-assurance DART software involving multiple layers of the CPS stack.

November 2015 - Presentation Providing Information Superiority to Small Tactical Units

Authors: Jeff Boleng

This presentation discusses the Information Superiority to the Edge (ISE) system built by the Advanced Mobile Systems Initiative at the Carnegie Mellon Software Engineering Institute.

November 2015 - Presentation Edge Analytics: Analysis of Social Media to Support Tactical Users

Authors: William Anderson, Keegan M. Williams

This presentation explores the architecture and implementation of Edge Analytics, discusses field trials, and presents findings from analyzing Twitter data related to the 2012 attack on the U.S. Diplomatic Mission in Benghazi.

November 2015 - Presentation Designing the Infrastructure for an Enterprise IT System

Authors: William E. Novak, Patrick R. Place

This presentation discusses five issues faced by government organizations embarking on the development of enterprise-wide IT systems that integrate and modernize legacy system functions.

November 2015 - Presentation Agile Acquisition and FITARA

Authors: John Weiler

This presentation describes the FITARA Roadmap for Sustainable IT Reform, a decision analytics maturity model for measuring business value and risk of commercial IT.

November 2015 - Podcast How Cyber Insurance Is Driving Risk and Technology Management

Topics: Cyber Risk and Resilience Management

Authors: Chip Block, Lisa R. Young

In this podcast, Chip Block, Vice President at Evolver, discusses the growth of the cyber insurance industry and how it is beginning to drive the way that organizations manage risk and invest in technologies.

October 2015 - Poster Design Pattern Recovery from Malware Binaries Poster (SEI 2015 Research Review)

Authors: Samuel M. Weber

This poster displays three tools for static analysis.

October 2015 - Poster Vulnerability Discovery Poster (SEI 2015 Research Review)

Authors: Edward J. Schwartz

A poster for the 2015 Research Review presentation on discovering vulnerabilities in software.

October 2015 - Poster Verifying Distributed Adaptive Real-Time (DART) Systems Poster (SEI 2015 Research Review)

Authors: Sagar Chaki, Dionisio de Niz

This poster describes the authors' research efforts in verifying distributed adaptive real-time systems.

October 2015 - Poster Runtime Assurance for Big Data Systems Poster (SEI 2015 Research Review)

Authors: John Klein

This 2015 Research Review presentation describes research into the unique assurance requirements and conditions of Big Data systems.

October 2015 - Poster Quantifying Uncertainty in Early Lifecycle Cost Estimation Poster (SEI 2015 Research Review)

Authors: Robert W. Stoddard

The QUELCE method continues to be refined. This poster describes recent developments.

October 2015 - Poster Open Source AADL Workbench for Virtual System Integration Poster (SEI 2015 Research Review)

Authors: Peter H. Feiler, Lutz Wrage

This poster explores a solution for the limitations of traditional system development lifecycle methods.

October 2015 - Poster Machine Learning for Big Data System Acquisition Poster (SEI 2015 Research Review)

Authors: John Klein

This poster tackles the question, "Can we automatically identify relevant document pages that contain the knowledge required for a curator to populate the knowledge base?"

October 2015 - Poster Incremental Lifecycle Assurance of Critical Systems Poster (SEI 2015 Research Review)

Authors: Peter H. Feiler

This poster explores ways to improve critical system assurance.

October 2015 - Poster Increase Adoption of Secure Coding Standards Poster (SEI 2015 Research Review)

Authors: Daniel Plakosh

Recent work to promote adoption of secure coding standards includes a web application to improve analyst productivity and 25 new rules for C++.

October 2015 - Poster Improving Software Sustainability through Data-Driven Technical Debt Management Poster (SEI 2015 Research Review)

Authors: Ipek Ozkaya, Robert Nord

This work aims to improve sustainment decision making by identifying technical debt indicators and building correlations between them and project measures.

October 2015 - Poster Human-Computer Decision Systems Poster (SEI 2015 Research Review)

Authors: Brian Lindauer

This poster describes work to use learning theory advances to account for persistent human expert teams and experiments to improve the human-computer decision system.

October 2015 - Poster Graph Algorithms on Future Architectures Poster (SEI 2015 Research Review)

Authors: Scott McMillan

This poster examines whether primitives and operations can be defined to separate graph analytic application development from the complexity of the underlying hardware.

October 2015 - Poster Generalized Automated Cyber-Readiness Evaluator Poster (SEI 2015 Research Review)

Authors: Rotem D. Guttman

This poster describes work to enable a "train as you fight, evaluate as you fight" approach to cyber-readiness evaluation.

October 2015 - Poster Extending AADL for Security Design Assurance of the Internet of Things Poster (SEI 2015 Research Review)

Authors: Rick Kazman, Carol Woody

This poster describes a project that aims to extend AADL to better address security in the architecture.

October 2015 - Poster Effective Reduction of Avoidable Complexity in Embedded Systems Poster (SEI 2015 Research Review)

Authors: Julien Delange

This poster examines the need for software complexity management, in particular ways to detect complexity in models and improve model design.

October 2015 - Poster Effecting Large-Scale Adaptive Swarms through Intelligent Collaboration Poster (SEI 2015 Research Review)

Authors: James Edmondson

The goal of this project is to make the control of autonomous systems scalable, effective, and predictable.

October 2015 - Poster Edge-Enabled Tactical Systems Poster (SEI 2015 Research Review)

Authors: Jeff Boleng, Grace Lewis

EETS adapts cutting-edge technologies and builds prototypes of assured, efficient, and rapidly fieldable systems to enhance decision support for tactical users.

October 2015 - Poster Cyber Security via Signaling Games Poster (SEI 2015 Research Review)

Authors: William Casey

This poster looks at how we can establish trust, manage risk, and mitigate deceptive cyber attacks when decision making is constrained.

October 2015 - Poster API Usability and Security Poster (SEI 2015 Research Review)

Authors: Samuel M. Weber

This poster describes an effort to develop and empirically test API design principles.

October 2015 - Poster Agile in Government Poster (SEI 2015 Research Review)

Authors: Mary Ann Lapham, Suzanne Miller

This poster describes challenges and SEI work in aligning Agile practices with government requirements.

October 2015 - Poster Insider Threat Mitigation Posters (SEI 2015 Research Review)

Authors: William R. Claycomb, Andrew P. Moore

Two posters on insider threat research: social network dynamics and holes in dynamic networks.

October 2015 - White Paper Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls

Topics: Insider Threat

Authors: Andrew P. Moore, William E. Novak, Matthew L. Collins, Randall F. Trzeciak, Michael C. Theis

In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and engage the community to discuss its concerns.

October 2015 - Presentation Cybersecurity via Signaling Games

Authors: William Casey

A 2015 Research Review presentation on using signaling games in cybersecurity.

October 2015 - Presentation Vulnerability Discovery (2015)

Authors: Edward J. Schwartz

A 2015 Research Review presentation on discovering vulnerabilities in software.

October 2015 - Presentation API Usability and Security

Authors: Samuel M. Weber

This 2015 Research Review presentation describes an effort to develop and empirically test API design principles.

October 2015 - Presentation Design Pattern Recovery from Malware Binaries

Authors: Cory Cohen

This 2015 Research Review presentation explores the challenges posed by automated binary analysis.

October 2015 - Presentation Cybersecurity Session Opening Remarks

Authors: Roman Danyliw

This 2015 Research Review presentation opened the program's cybersecurity session, providing an overview of the segment's featured presentations.

October 2015 - Presentation Verifying Distributed Adaptive Real-Time (DART) Systems

Authors: Sagar Chaki, Dionisio de Niz

This 2015 Research Review presentation describes the authors' research efforts in verifying distributed adaptive real-time systems.

October 2015 - Presentation Incremental Lifecycle Assurance of Critical Systems (2015)

Authors: Peter H. Feiler

This 2015 Research Review presentation explores the author's research into ways to improve critical system assurance.

October 2015 - Presentation Runtime Assurance for Big Data Systems

Authors: John Klein

This 2015 Research Review presentation describes research into the unique assurance requirements and conditions of Big Data systems.

October 2015 - Presentation Parallel Software Model Checking

Authors: Sagar Chaki

In this 2015 Research Review presentation, the author describes his research efforts into scaling up software model checking—a fundamental challenge in the field.

October 2015 - Presentation Verification and Validation Session Opening Remarks

Authors: Linda M. Northrop

This presentation was delivered as the opening remarks for the Verification and Validation session of the 2015 Research Review. It introduces the subjects covered during the session.

October 2015 - Presentation Insider Threat Mitigation

Authors: William R. Claycomb, Andrew P. Moore

Explores the hypothesis that, over time, insider social networks exhibit weakening internal connections and strengthening external connections to adversaries

October 2015 - Presentation Human-Computer Decision Systems

Authors: Brian Lindauer

Describes work applying advances in learning theory to persistent teams of human experts, and experiments aimed at improving the human-computer decision system

October 2015 - Presentation Generalized Automated Cyber-Readiness Evaluator

Authors: Rotem D. Guttman

Describes work to enable this approach to cyber-readiness evaluation: train as you fight and evaluate as you fight

October 2015 - Presentation Human Factors Session Opening Remarks

Authors: Christopher May

Critical issues include mission readiness certification, limitations of capacity to analyze large data sets, leaks of sensitive and classified information

October 2015 - Presentation Effecting Large-Scale Adaptive Swarms Through Intelligent Collaboration

Authors: James Edmondson

The goal of this project is to work toward making the controlling of autonomous systems scalable, effective, and predictable

October 2015 - Presentation Edge-Enabled Tactical Systems

Authors: Grace Lewis, Jeff Boleng

EETS adapts cutting-edge technologies and builds prototypes of assured, efficient, and rapidly fieldable systems to enhance decision support for tactical users

October 2015 - Presentation Graph Algorithms on Future Architectures

Authors: Scott McMillan

Delves into whether primitives and operations can be defined that separate graph analytic application development from concerns about the complexity of the underlying hardware

October 2015 - Presentation Increase Adoption of Secure Coding Standards

Authors: Daniel Plakosh

Recent work to promote adoption of secure coding standards includes a web application to improve analyst productivity and 25 new rules for C++

October 2015 - Presentation Extending AADL for Security Design Assurance of the Internet of Things

Authors: Carol Woody, Rick Kazman

This project aims to extend AADL to better address security in the architecture

October 2015 - Presentation Open Source AADL Workbench for Virtual System Integration

Authors: Peter H. Feiler

The AADL Workbench includes tools for modeling, analysis, and usability capabilities. It also incorporates tools such as Resolute and Ocarina.

October 2015 - Presentation Effective Reduction of Avoidable Complexity in Embedded Systems

Authors: Julien Delange

Examines the need for software complexity management, in particular ways to detect complexity in models and improve model design

October 2015 - Presentation Assured Design Session Opening Remarks

Authors: John B. Goodenough

Explores a definition of assured design as having justified confidence that a (software-reliant) system design has particular properties

October 2015 - Presentation Improving Software Sustainability Through Data-Driven Technical Debt Management

Authors: Ipek Ozkaya, Robert Nord

This work aims to improve sustainment decision making by identifying technical debt indicators and building correlations between them and project measures.

October 2015 - Presentation Quantifying Uncertainty for Early Lifecycle Cost Estimation: FY15 Results

Authors: Robert W. Stoddard

The QUELCE method continues to be refined. This slide set describes recent developments.

October 2015 - Presentation Machine Learning for Big Data Systems Acquisition

Authors: John Klein

Tackles the question, "Can we automatically identify relevant document pages that contain the knowledge required for a curator to populate the knowledge base?"

October 2015 - Presentation Agile in Government: Validating Success Enablers and Inhibitors

Authors: Mary Ann Lapham, Suzanne Miller

Describes recent developments in a project to provide DoD and government agencies with actionable Agile guidance within the constraints of DoDI 5000.02

October 2015 - Presentation Acquisition & Management Session Opening Remarks

Authors: Anita Carleton

Software acquisition & management R&D investigates ways to assure functionality, timely delivery, lowered risk, and affordability.

October 2015 - Podcast A Field Study of Technical Debt

Topics: Software Architecture

Authors: Neil Ernst

In this podcast, Dr. Neil Ernst discusses the findings of a recent field study to assess the state of the practice and current thinking regarding technical debt and guide the development of a technical debt timeline.

October 2015 - Presentation SEI Research Review 2015: CTO Opening Remarks

Authors: Kevin Fall

Overview of the intent of the Research Review and the talks included in its sessions

October 2015 - Technical Note Structuring the Chief Information Security Officer Organization

Topics: Cyber Risk and Resilience Management

Authors: Julia H. Allen, Gregory Crabb (U.S. Postal Inspection Service), Pamela D. Curtis, Brendan Fitzpatrick, Nader Mehravari, David Tobar

The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.

October 2015 - Presentation Towards a Prioritization of Code Debt: A Code Smell Intensity Index

Authors: Francesca Arcelli Fontana (University of Milano–Bicocca), Vincenzo Ferme (University of Milano–Bicocca), Marco Zanoni (University of Milano–Bicocca), Riccardo Roveda (University of Milano–Bicocca)

This presentation provides an Intensity Index to determine the most critical instances of code smells, a source of technical debt in software, to aid in their removal.

October 2015 - Presentation Technical Debt of Standardized Test Software

Authors: Kristóf Szabados (Eötvös Loránd University), Attila Kovács (Eötvös Loránd University)

Technical debt investigations have become more important in the software development industry; the same challenges apply to automated test systems.

October 2015 - Presentation A Framework to Aid in Decision Making for Technical Debt Management

Authors: Carlos Fernández-Sánchez (Technical University of Madrid), Agustín Yagüe (Technical University of Madrid), Juan Garbajosa (Technical University of Madrid)

This presentation introduces a framework to aid in decision making for technical debt management, organized by groups and by stakeholders' points of view.

October 2015 - Presentation The Restructuring and Refinancing of Technical Debt

Authors: Raul Zablah (University of Pennsylvania), Chris Murphy (University of Pennsylvania)

This presentation treats technical debt as a leveraged product whose cost depends on the liquidity of the debtor, in order to assess more effectively whether debt should be incurred.

October 2015 - Presentation Estimating the Breaking Point for Technical Debt

Authors: Alexander Chatzigeorgiou (University of Groningen), Apostolos Ampatzoglou (University of Groningen), Areti Ampatzoglou (University of Groningen), Theodoros Amanatidis (University of Groningen)

The interest on technical debt can sum to an amount larger than the effort to repay the initial debt; this presentation describes an approach for estimating this point.

October 2015 - Presentation A Contextualized Vocabulary Model for Identifying Technical Debt in Code Comments

Authors: Mário André (Federal University of Bahia), André Batista (Federal University of Sergipe), Manoel Mendonça (Fraunhofer Project Center at UFBA), Rodrigo O. Spínola (Universidade Salvador)

This presentation describes a study of two large open-source software projects and proposes a model to support identifying technical debt with code comment analysis.

October 2015 - Presentation Towards an Open-Source Tool for Measuring and Visualizing the Interest of Technical Debt

Authors: Davide Falessi (California Polytechnic State University), Andreas Reichel (Mannheim University of Applied Sciences)

This work advances the measurement and visualization of interest on technical debt and introduces MIND, an open-source tool that supports quantification of interest.

October 2015 - Presentation Detecting and Quantifying Different Types of Self-Admitted Technical Debt

Authors: Everton da S. Maldonado (Concordia University), Emad Shihab (Concordia University)

This presentation examines source-code comments to detect and categorize types of technical debt and proposes four simple filtering heuristics to detect them.
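The two comment-analysis entries above (the contextualized vocabulary model and the self-admitted technical debt filters) both describe the same basic pipeline: pull comments out of source, discard the ones that cannot be debt admissions, and tag the rest with a debt category. The block below is an added illustration of that pipeline and is not code from the SEI page or from either paper. The marker vocabulary, the five category names, and the four filtering heuristics are assumptions chosen for the example, not the heuristics the presentations define; the Java snippet it scans is constructed input.

```python
"""Added example: scan source comments for self-admitted technical debt.
The vocabulary, categories and filters below are assumptions for illustration,
not the heuristics from the SEI Digital Library entries above."""
import re
from collections import Counter

# Assumed marker -> category mapping; matching is case-insensitive, whole-word.
DEBT_VOCABULARY = {
    "todo": "design", "hack": "design", "workaround": "design", "kludge": "design",
    "fixme": "defect", "bug": "defect", "broken": "defect",
    "not yet implemented": "requirement", "not implemented": "requirement",
    "needs test": "test", "untested": "test",
    "undocumented": "documentation", "document this": "documentation",
}

_C_STYLE = r"//[^\n]*|/\*.*?\*/"          # line comment | block comment
_COMMENT_RE = re.compile(_C_STYLE, re.DOTALL)
_COMMENT_RE_HASH = re.compile(_C_STYLE + r"|#[^\n]*", re.DOTALL)


def _clean(raw):
    """Strip comment delimiters and leading '*' on continuation lines."""
    if raw.startswith("/*"):
        body = raw[2:-2]
    else:                                  # '//' or '#'
        body = raw[2:] if raw.startswith("//") else raw[1:]
    lines = []
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("*"):
            line = line[1:].strip()
        if line:
            lines.append(line)
    return " ".join(lines)


def extract_comments(source, hash_comments=False):
    """Return cleaned comment text in source order. hash_comments=True enables
    '#' comments (off by default so C preprocessor lines are not captured).
    Caveat: '//' inside string literals such as URLs is also captured."""
    pattern = _COMMENT_RE_HASH if hash_comments else _COMMENT_RE
    return [_clean(m.group(0)) for m in pattern.finditer(source)]


def classify_comment(text):
    """Return an assumed debt category, or None if a filter drops the comment."""
    stripped = text.strip()
    lowered = stripped.lower()
    if "copyright" in lowered or "license" in lowered:   # 1: license headers
        return None
    if stripped.endswith((";", "{", "}")):                # 2: commented-out code
        return None
    if stripped.startswith("@"):                          # 3: Javadoc API tags
        return None
    # 4: longest marker first so "not yet implemented" wins over "not implemented"
    for marker in sorted(DEBT_VOCABULARY, key=len, reverse=True):
        if re.search(r"\b" + re.escape(marker) + r"\b", lowered):
            return DEBT_VOCABULARY[marker]
    return None


def scan_source(source, hash_comments=False):
    """Return (category, comment) for every comment classified as debt."""
    hits = []
    for text in extract_comments(source, hash_comments):
        category = classify_comment(text)
        if category is not None:
            hits.append((category, text))
    return hits


def summarize(source, hash_comments=False):
    """Count debt comments per category."""
    return Counter(cat for cat, _ in scan_source(source, hash_comments))


# Constructed sample input (not from any real project).
SAMPLE_SOURCE = """\
/*
 * Copyright 2015 Example Corp. Licensed under the Apache License.
 */
public class Parser {
    // TODO: this assumes the input is well-formed; rewrite with proper validation
    public int parse(String s) {
        // FIXME: crashes on empty string (bug #42)
        int n = Integer.parseInt(s);
        // int old = legacyParse(s);
        /* HACK: workaround for the encoding issue,
           remove once upstream is fixed */
        return n; // needs test coverage for negative values
    }

    /**
     * @param s the input
     * @return the parsed value
     */
    public int parseSafe(String s) { return 0; }  // not yet implemented
}
"""

if __name__ == "__main__":
    for category, text in scan_source(SAMPLE_SOURCE):
        print(f"{category:<13} {text}")
    print(dict(summarize(SAMPLE_SOURCE)))
```

On the constructed sample, eight comments are extracted, three are dropped by the filters (the license header, the commented-out call, and the Javadoc block), and the remaining five are tagged design, defect, design, test and requirement. Swapping in a vocabulary mined from a project's own comment history, as the contextualized-vocabulary entry proposes, only requires changing DEBT_VOCABULARY.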

October 2015 - Podcast How the University of Pittsburgh Is Using the NIST Cybersecurity Framework

Topics: Cyber Risk and Resilience Management

Authors: Sean Sweeney (University of Pittsburgh), Lisa R. Young

In this podcast, Sean Sweeney, Information Security Officer (ISO) for the University of Pittsburgh (PITT), discusses their use of the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework).

October 2015 - Article Smartphone Security

Topics: Secure Coding

Authors: Lori Flynn, William Klieber

In this article, the authors discuss various smartphone security issues and present tools and strategies to address them.

September 2015 - Presentation NIST Cybersecurity Framework

Topics: Cybersecurity Engineering

Authors: Sean Sweeney (University of Pittsburgh)

In this presentation, Sean Sweeney discusses the NIST Cybersecurity Framework.

September 2015 - Podcast A Software Assurance Curriculum for Future Engineers

Topics: Software Assurance

Authors: Nancy R. Mead

In this podcast, Nancy Mead discusses how, with support from the Department of Homeland Security, SEI researchers developed software assurance curricula and programs for graduate, undergraduate, and community colleges.

September 2015 - Technical Report Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution

Topics: Cybersecurity Engineering

Authors: Douglas Gray, Brian D. Wisniewski, Julia H. Allen, Constantine Cois (Heinz College, Carnegie Mellon University), Anne Connell, Erik Ebel (Veris Group), William Gulley (Veris Group), Michael Riley (Veris Group), Robert W. Stoddard, Marie Vaughn (Veris Group)

This technical report focuses on cybersecurity at the indirect, strategic level. It discusses how cybersecurity decision makers at the tactical or implementation level can establish a supportive contextual environment to help enable their success.

September 2015 - White Paper Secure Coding Analysis of an AADL Code Generator's Runtime System

Topics: Cybersecurity Engineering

Authors: David Keaton

This paper describes a secure coding analysis of the PolyORB-HI-C runtime system used by C language code output from the Ocarina AADL code generator.

September 2015 - Podcast Four Types of Shift Left Testing

Topics: Acquisition Support

Authors: Donald Firesmith

In this podcast, Donald Firesmith explains the importance of shift left testing and defines four approaches using variants of the classic V model to illustrate them.

September 2015 - Conference Paper High Assurance for Distributed Cyber Physical Systems

Authors: Scott Hissam, Sagar Chaki, Gabriel Moreno

This short paper introduces our architecture and approach to engineering a DART system so that we achieve high assurance in its runtime behavior against a set of formally specified requirements.

September 2015 - Educational Material Secure Software Design and Programming Course Materials

Topics: Cybersecurity Engineering, Software Assurance

Authors: David A. Wheeler (George Mason University)

These course materials are for the Secure Software Design and Programming graduate course offered at George Mason University.

September 2015 - Article Model-Based Engineering for Supply Chain Risk Management

Topics: Cybersecurity Engineering, Risk and Opportunity Management, Acquisition Support

Authors: Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this article, the authors discuss how model-based engineering (MBE) offers a means to design, develop, analyze, and maintain a complex system architecture.

August 2015 - Conference Paper Measure It? Manage It? Ignore It? Software Practitioners and Technical Debt

Topics: Software Architecture

Authors: Neil Ernst, Stephany Bellomo, Ipek Ozkaya, Robert Nord, Ian Gorton

This paper reports on a survey of 1,831 software engineers and architects, and follow-up interviews of seven software engineers, to determine the most important sources of technical debt.

August 2015 - Podcast Toward Speed and Simplicity: Creating a Software Library for Graph Analytics

Topics: Cyber-Physical Systems

Authors: Scott McMillan, Eric Werner

In this podcast, Scott McMillan and Eric Werner of the SEI's Emerging Technology Center discuss work to create a software library for graph analytics that would take advantage of more powerful heterogeneous supercomputers.

August 2015 - Podcast Capturing the Expertise of Cybersecurity Incident Handlers

Topics: Incident Management

Authors: Samuel J. Perl, Richard O. Young, Julia H. Allen

In this podcast, Dr. Richard Young, a professor with CMU, and Sam Perl, a member of the CERT Division, discuss their research on how expert cybersecurity incident handlers react when faced with an incident.

August 2015 - Conference Paper Using Malware Analysis to Improve Security Requirements on Future Systems

Topics: Software Assurance, Cybersecurity Engineering

Authors: Nancy R. Mead, Jose A. Morales

In this paper, the authors propose to improve how security requirements are identified.

August 2015 - Webinar Culture Shock: Unlocking DevOps with Collaboration and Communication

Topics: Cybersecurity Engineering

Authors: Todd Waits, Aaron Volkmann

This webinar discusses ways to shift organizational culture to achieve DevOps and highlights communication tools and movements such as ChatOps.

August 2015 - Presentation How We Discovered Thousands of Vulnerable Android Apps in 1 Day

Topics: Vulnerability Analysis

Authors: Joji Montelibano, Will Dormann

In this presentation, the authors describe the methodology used to discover these vulnerabilities and recommend mitigation strategies for both developers and users.

August 2015 - Presentation Vulnerability Coordination and Concurrency

Topics: Vulnerability Analysis

Authors: Allen D. Householder

In this talk, the presenter will describe the process of coordinating vulnerability disclosures, why it's hard, and some of the pitfalls and hidden complexities we have encountered.

August 2015 - Presentation Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats

Topics: Vulnerability Analysis

Authors: Allen D. Householder

In this talk, we will trace the origin and evolution of a physical-world vulnerability that dates to the late 19th century, and explore whether "building security in" is even always an available option.

August 2015 - Technical Note Contracting for Agile Software Development in the Department of Defense: An Introduction

Topics: Acquisition Support

Authors: Eileen Wrubel, Jon Gross

This technical note addresses effective contracting for Agile software development and offers a primer on Agile based on a contracting officer's goals.

August 2015 - Podcast Improving Quality Using Architecture Fault Analysis with Confidence Arguments

Topics: Software Architecture

Authors: Peter H. Feiler

The case study shows that by combining an analytical approach with confidence maps, we can present a structured argument that system requirements have been met and problems in the design have been addressed adequately.

July 2015 - Podcast A Taxonomy of Testing Types

Topics: Acquisition Support

Authors: Donald Firesmith

In this podcast, Donald Firesmith introduces a taxonomy of testing types to help testing stakeholders understand and select those that are best for their specific programs.

July 2015 - Presentation Video Games as a Training Tool to Prepare the Next Generation of Cyber Warriors

Topics: Workforce Development

Authors: Christopher Herr, Dennis M. Allen

In this paper, the characteristics of a potential cybersecurity video game are presented. Several current cybersecurity games were reviewed and key attributes and shortcomings of these games were identified.

July 2015 - Conference Paper Social Network Dynamics of Insider Threats: A Preliminary Model

Authors: Andrew P. Moore, Kathleen Carley (Carnegie Mellon School of Computer Science), Matthew L. Collins, Neal Altman (Carnegie Mellon University)

This paper describes a system dynamics model of insider espionage social networks. The model focuses on two forms of social capital: expectations and social norms.

July 2015 - White Paper CND Equities Strategy

Topics: Vulnerability Analysis, Network Situational Awareness

Authors: Jonathan Spring, Ed Stoner

In this paper, the authors discuss strategies for successful computer network defense (CND) based on considering the adversaries' responses.

July 2015 - White Paper Comments on Bureau of Industry and Security (BIS) Proposed Rule Regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation for Intrusion and Surveillance Items

Topics: Vulnerability Analysis

Authors: Allen D. Householder, Art Manion

In this paper, CERT researchers comment on the proposed rule, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items.

July 2015 - Podcast Reducing Complexity in Software & Systems

Topics: Performance and Dependability

Authors: Sarah Sheard

In this podcast, Sarah Sheard discusses research to investigate the nature of complexity, how it manifests in software-reliant systems such as avionics, how to measure it, and how to tell when too much complexity might lead to safety problems.

June 2015 - Webinar What DevOps Is Not!

Topics: Cybersecurity Engineering

Authors: Hasan Yasar

In this webinar, we'll talk about DevOps, its common misconceptions and roadblocks, and how you can use DevOps to help your organization reach new heights of efficiency and productivity.

June 2015 - Podcast Designing Security Into Software-Reliant Systems

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts

In this podcast, CERT researcher Christopher Alberts introduces the SERA Framework, a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

June 2015 - Presentation VRDX-SIG: Global Vulnerability Identification

Topics: Vulnerability Analysis

Authors: Art Manion, Takayuki Uchiyama, Masato Terada

Read about the results of the VRDX-SIG, a group chartered to develop recommendations for identifying, tracking, and exchanging information across disparate vulnerability databases.

June 2015 - Podcast Agile Methods in Air Force Sustainment

Topics: Acquisition Support

Authors: Eileen Wrubel

In this podcast, Eileen Wrubel highlights research examining Agile techniques in the software sustainment arena—specifically Air Force programs.

June 2015 - Technical Report Enabling Incremental Iterative Development at Scale: Quality Attribute Refinement and Allocation in Practice

Topics: Software Architecture

Authors: Neil Ernst, Stephany Bellomo, Robert Nord, Ipek Ozkaya

This report describes industry practices used to develop business capabilities and suggests approaches to enable large-scale iterative development, or agile at scale.

June 2015 - Video Anatomy of Another Java Zero-Day Exploit

Topics: Secure Coding

Authors: David Svoboda

In this video, David Svoboda demonstrates a public exploit that attacked an unpatched Java Virtual Machine.

May 2015 - Conference Paper Global Adversarial Capability Modeling

Authors: Jonathan Spring, Sarah Kern, Alec Summers

Jonathan Spring, Sarah Kern, and Alec Summers propose a model of global capability advancement, the adversarial capability chain (ACC).

May 2015 - Podcast Defect Prioritization With the Risk Priority Number

Topics: Acquisition Support, Vulnerability Analysis

Authors: Will Hayes, Julie B. Cohen

In this podcast, Will Hayes and Julie Cohen discuss a generalized technique, usable with any type of system, that helps a program office reconcile conflicting stakeholder views and build a better value system for defining releases.

May 2015 - Conference Paper A Course-Based Usability Analysis of Cilk Plus and OpenMP

Topics: Secure Coding

Authors: Michael Coblenz (Carnegie Mellon School of Computer Science), Robert C. Seacord, Brad Myers, Joshua Sunshine (Institute for Software Research), Jonathan Aldrich

In this paper, the authors compare Cilk Plus and OpenMP to evaluate the design tradeoffs in the usability and security of these two approaches.

May 2015 - Book DevOps: A Software Architect's Perspective

Topics: Software Architecture

Authors: Len Bass, Ingo Weber (National ICT Australia), Liming Zhu (National ICT Australia)

DevOps promises to accelerate release of new software features and improve monitoring of systems in production, but its implications for architecture are often ignored.

May 2015 - Presentation Comparing the Applicability of Complexity Measurements for Simulink Models During Integration

Authors: Jan Schröder (University of Gothenburg), Christian Berger (University of Gothenburg), Thomas Herpel (Automotive Safety Technologies GmbH), Miroslaw Staron (University of Gothenburg)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation A Metric-Based Approach to Managing Architecture-Related Impediments in Product Development Flow: An Industry Case Study from Cisco

Authors: Ken Power (Cisco Systems), Kieran Conboy (National University of Galway)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation Architecture-Based Quality Attribute Synergies and Conflicts

Authors: Barry Boehm (University of California, Los Angeles)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation An Analysis of Techniques and Methods for Technical Debt Management: A Reflection from the Architecture

Authors: Carlos Fernández-Sánchez (Technical University of Madrid), Juan Garbajosa (Technical University of Madrid), Carlos Vidal (Technical University of Madrid), Agustín Yagüe (Technical University of Madrid)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation Metrics for Architectural Synthesis and Evaluation: Use Cases and Compilation by Viewpoint

Authors: Olaf Zimmermann (Hochschule für Technik Rapperswil, University of Applied Sciences of Eastern Switzerland)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation Exploring the Stability of Software with Time-Series Cross-Sectional Data

Authors: Jukka Ruohonen (University of Turku), Sami Hyrynsalmi (University of Turku), Ville Leppänen (University of Turku)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation Using Metric Time Lines for Identifying Architecture Shortcomings in Process Execution Architectures

Authors: Daniel Lübke (Leibniz Universität Hannover)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation Toward Assessing Software Architecture Quality by Exploiting Code Smell Relations

Authors: Francesca Arcelli Fontana (University of Milano–Bicocca), Vincenzo Ferme (University of Milano–Bicocca), Marco Zanoni (University of Milano–Bicocca)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Presentation Evolution of Object-Oriented Coupling Metrics: A Sampling of 25 Years of Research

Authors: Ana Nicolaesc (RWTH Aachen University), Horst Lichter (RWTH Aachen University), Yi Xu (RWTH Aachen University)

This presentation was part of the Second International Workshop on Software Architecture Metrics, held at the 37th International Conference on Software Engineering.

May 2015 - Podcast SEI-HCII Collaboration Explores Context-Aware Computing for Soldiers

Topics: Pervasive Mobile Computing

Authors: Jeff Boleng, Dr. Anind Dey

Dr. Jeff Boleng and Dr. Anind Dey discuss joint research to understand the mission, role, and task of dismounted soldiers using context derived from sensors on them and their mobile devices.

May 2015 - Technical Report State of Practice Report: Essential Technical and Nontechnical Issues Related to Designing SoS Platform Architectures

Topics: System of Systems, Software Architecture

Authors: Sholom G. Cohen, John Klein

This report analyzes the state of the practice in system-of-systems (SoS) development, based on 12 interviews of leading SoS developers in the DoD and industry.

May 2015 - Conference Paper Architecture Knowledge for Evaluating Scalable Databases

Topics: Software Architecture

Authors: Ian Gorton, John Klein, Albert Nurgaliev (Carnegie Mellon University)

This paper presents a feature taxonomy that enables comparison and evaluation of distributed database platforms and demonstrates it with nine database technologies.

May 2015 - Conference Paper Joint Common Architecture (JCA) Demonstration Architecture-Centric Virtual Integration Process (ACVIP) Shadow Effort

Topics: Software Architecture

Authors: Alex Boydston (U.S. Army ADD/JMR), Peter H. Feiler, Steve Vestal (Adventium Labs, Inc.), Bruce Lewis (U.S. Army SED)

The U.S. Army is investigating a new approach to model-based engineering called the Architecture-Centric Virtual Integration Process, based on the SAE Standard for AADL.

May 2015 - Conference Paper Design Assistant for NoSQL Technology Selection

Topics: Software Architecture

Authors: John Klein, Ian Gorton

This paper presents a knowledge model, its implementation in a semantic platform, and a populated knowledge base for big data system architects choosing a NoSQL database.

May 2015 - Webinar Approaching Security from an "Architecture First" Perspective

Topics: Software Architecture

Authors: Rick Kazman

In this talk we report on three case studies of real-world projects—two industrial and one open-source—where we attempted to measure the consequences of various architectural approaches to security.

May 2015 - Webinar Trends and New Directions in Software Architecture

Topics: Software Architecture, Pervasive Mobile Computing, Service-Oriented Architecture, Ultra-Large-Scale Systems

Authors: Linda M. Northrop

This talk shares a perspective on the trends influencing the need for change, the related architectural challenges, and the applicable research and practices.

April 2015 - Presentation Agilizing the Architecture Department

Authors: Eltjo Poort (CGI)

This presentation reports experiences implementing Risk- and Cost-Driven Architecture (RCDA) at a major European transportation infrastructure organization.

April 2015 - Presentation The Architectural Analysis for Security (AAFS) Method

Authors: Jungwoo Ryoo (Pennsylvania State University), Rick Kazman (University of Hawaii)

This talk proposes several ways to evaluate the security readiness of an architecture: vulnerability-, tactics-, and pattern-based architectural analysis techniques.

April 2015 - Presentation Making Better Architectural Choices with the Architecture Valuation Framework

Authors: Voytek Janisz (Progressive Insurance)

This talk discusses the Architecture Valuation Framework, the approach to implementing it, and its applicability to the target architecture definition process.

April 2015 - Presentation Locating the Architectural Roots of Technical Debt

Authors: Rick Kazman (University of Hawaii), Yuanfang Cai (Drexel University), Serhiy Haziyev (SoftServe, Inc.), Volodymyr Fedak (Softserve, Inc.)

This talk presents a case study of identifying architecture debts in a large-scale industrial software project by modeling software architecture as design rule spaces.

April 2015 - Presentation Enterprise Applications Health Improvement Program

Authors: Eswaran Thandi (no affiliation)

This presentation introduces a program called the Application Wellness Clinic that organizations can use to strengthen an application's stability and longevity.

April 2015 - Presentation Maturing Agile Teams and Driving Quality Through Architecture Principles

Authors: Amine Chigani, Yun Freund (GE Software)

This experience report shares insights from an effort to standardize on QA practices and tools with development teams and a customer who were new to agile development.

April 2015 - Presentation Taming Big Balls of Mud with Agile, Diligence, and Hard Work

Authors: Joseph Yoder (The Refactory, Inc.)

This session examines the paradoxes that underlie Big Ball of Mud (BBoM) architectures, what causes them, why they are so prominent, and how to keep code clean.

April 2015 - Presentation My Silver Toolbox

Authors: Michael Keeling (IBM Watson Group)

Six presenters discuss the concept of a Silver Toolbox, approaches to adopting and teaching software engineering methods, and what it takes to be a software architect.

April 2015 - Presentation Programming in the 1960s: A Personal History

Authors: Len Bass (no affiliation)

This talk is for those who want to visit the computer museum but haven't yet had the time. Len Bass describes what life was like for programmers in the 1960s.

April 2015 - Presentation Understanding Quality Goals

Authors: David Gelperin (ClearSpecs Enterprises)

The software architect's challenge is to help developers understand quality attributes for project needs. Quality Assumption Reviews help meet this challenge.

April 2015 - Presentation Leading Change: Engaging Critical Stakeholders for Project Success

Authors: Marisa Sanchez (Marisa Sanchez Consulting)

Software architects are change leaders, but first they must engage stakeholders. This talk presents a three-step process for stakeholder engagement.

April 2015 - Presentation Exploiting Fast and Slow Thinking

Authors: Rebecca Wirfs-Brock

In this session, Rebecca Wirfs-Brock discusses how fast and slow thinking affects your decision making.

April 2015 - Technical Note Emerging Technology Domains Risk Survey

Topics: Pervasive Mobile Computing

Authors: Christopher King, Jonathan Chu, Andrew O. Mellinger

This report provides a snapshot in time of our current understanding of future technologies.

April 2015 - Presentation Using Hazard Analysis to Make Early Architecture Decisions for an Autonomous Automotive Application

Authors: Joakim Fröberg (Mälardalen University)

This session shows how use cases, activity diagrams, and overview function block diagrams can be defined early and act as input to a preliminary hazard analysis, which in turn provides valuable input to early decisions about partitioning and redundancy.

April 2015 - Presentation When and Where to Apply the Family of Architecture-Centric Methods

Authors: Timothy Morrow, Michael J. Gagliardi, William G. Wood

This talk covers the family of architecture-centric methods that we have developed and used with DoD and commercial customers to clarify requirements and identify risks.

April 2015 - Presentation Systems Characterization: An Approach to Modernizing Disparate Legacy Systems

Authors: Jane Orsulak (Raytheon), Julie Kent (Raytheon)

This talk presents a systems architecture view for finding the most cost-effective means to update large-scale systems with fluctuating operational requirements.

April 2015 - Presentation Does Your Cloud Solution Look Like a Mushroom?

Authors: Kim Carter (BinaryMist Limited)

This presentation covers high-level ideas about cloud solutions, pros and cons about "The Cloud," security issues, and whether to use the cloud or build infrastructure.

April 2015 - Presentation Living a Nightmare, Dreaming a Dream: A Drupal Deployment Dilemma

Authors: Gail E. Harris (TVOntario)

This talk presents a deployment modernization that involved organizational changes, motivating key individuals, and introducing new development practices and technologies.

April 2015 - Presentation Never Again Offline?! Experiences in the Outstanding Role of Data in a Large-Scale Mobile App Ecosystem

Authors: Matthias Naab (Fraunhofer IESE), Ralf Carbon (John Deere), Susanne Braun (Fraunhofer IESE)

This presentation shares experiences from an innovation project of John Deere and Fraunhofer IESE to develop a mobile app ecosystem with its own cloud backend.

April 2015 - Presentation Architecting Hybrid Cloud Solutions with Watson Developer Cloud

Authors: Will Chaparro (IBM Watson Group)

This presentation describes hybrid cloud solutions created using IBM's Watson cognitive services, architectural patterns and codes, and pros and cons of the hybrid approach.

April 2015 - Presentation Why They Just Don't Get It: Communicating Architecture to Business Stakeholders

Authors: Jochem Schulenklopper (Inspearit), Eelco Rommes (Inspearit/Cibit Academy)

This talk presents techniques for creating architecture visualizations that are attractive, informative, and easy for nontechnical audiences to understand.

April 2015 - Presentation Quality Requirements on a Shoestring

Authors: Thijmen de Gooijer (ABB Corporate Research)

This talk presents an extension of the Mini-Quality Attribute Workshop (mini-QAW) format that can be used as a tool for smaller, low-risk, or iterative projects.

April 2015 - Presentation Keeping the Beat: Rhythm and Trust in Architecture

Authors: David Kane (Santeon Group)

This presentation argues that rhythm is important for establishing trust in architecture and architects and presents ideas for establishing an effective rhythm.

April 2015 - Presentation Cost-Benefit Analysis in Technical Debt Reduction

Authors: Andriy Shapochka (SoftServe, Inc.)

This presentation proposes an approach proven by a real-world case study using quality attribute scenarios to analyze technical debt and cost-benefit analysis to reduce it.

April 2015 - Presentation Open Medical Record System Plus (OpenMRS+): OpenMRS for Non-Communicable Diseases

Authors: Gloria Ingabire (Carnegie Mellon University)

This presentation describes the role of the Open-Source Medical Record System in Rwandan health care for HIV/AIDS and tuberculosis services and how to expand its use.

April 2015 - Presentation Open Systems Architecture: Progress and Challenges (SATURN 2015)

Authors: Douglas Schmidt (Vanderbilt University)

This panel discussion focuses on open systems architecture, the progress made so far, the remaining challenges, and strategies for addressing those challenges.

April 2015 - Presentation Applying Ontologies to Software Architecture

Authors: Mike Bennett (EDM Council)

This session explores the practicalities of building and maintaining complex ontologies of domains and applying them to architect software solutions.

April 2015 - Presentation Software Architecture as Code

Authors: Simon Brown (Coding the Architecture)

This session looks at how to resolve the conflict between software architecture and code through architecturally evident coding styles and architecture models as code.

April 2015 - Presentation QA to AQ: Shifting from Quality Assurance to Agile Quality

Authors: Joseph Yoder (The Refactory, Inc.), Rebecca Wirfs-Brock (Wirfs-Brock Associates)

This presentation shows how to interject quality specification, design, and testing efforts into a software architecture project and be more agile about it.

April 2015 - Presentation Architecting Public-Facing Website Software for High Concurrent User Load

Authors: Derrick Lau (no affiliation)

This session covers lessons learned by analyzing the problems of an existing public-facing website and developing enterprise architectural patterns to solve them.

April 2015 - Presentation Smart Decisions: An Architecture Design Game

Authors: Serhiy Haziyev (SoftServe, Inc.), Olha Hrytsay (SoftServe, Inc.), Rick Kazman (University of Hawaii), Humberto Cervantes (Universidad Autonoma Metropolitana–Iztapalapa)

This presentation teaches the challenging process of designing an architecture for a Big Data Analytics System using a game called Smart Decisions.

April 2015 - Presentation The Business Side of a Software Architect

Authors: Tomer Peretz (Orbotech Ltd.)

A software architect's ability to understand the business environment and identify lack of alignment between software requirements and business drivers is essential.

April 2015 - Presentation Sustainably Supporting Data Variability

Authors: Atzmon Hen-Tov (Pontis), Jordan Menzin (Boston Health Economics), Joseph Yoder (The Refactory, Inc.), Rebecca Wirfs-Brock

A challenge in building complex, data-intensive systems is how to sustainably support data variation, schema, and feature evolution. Three speakers share experiences.

April 2015 - Presentation DevOps Essentials for Software Architects

Authors: Len Bass (no affiliation)

DevOps is a set of practices intended to reduce the time between committing a change to a system and placing that change into normal production, while ensuring high quality.

April 2015 - Presentation Design Thinking Is for You

Authors: Ariadna Font Llitjós (IBM), Jeff Patton (Jeff Patton & Associates), Jonathan Berger (Pivotal Labs)

User Experience and Design is no longer an isolated function or a step in the software development process but a way of working that puts users at the center.

April 2015 - Presentation From Monolith to Microservices: A Leadership Perspective on Legacy Application Modernization

Authors: Einar Landre (Statoil ASA), Jørn Ølmheim (Statoil), Harald Wesenberg (Statoil)

This talk shares leadership challenges of modernizing legacy systems, illustrated by a 20-year-old custom-made client/server application with 3.5 million lines of code.

April 2015 - Presentation Maximize Your Business Impact as an Architect

Authors: Eltjo Poort (CGI)

This presentation covers key principles by which architects can prioritize architectural concerns and decisions based on economic arguments.

April 2015 - Presentation ADD 3.0: Rethinking Drivers and Decisions in the Design Process

Authors: Humberto Cervantes (Universidad Autonoma Metropolitana–Iztapalapa), Rick Kazman (University of Hawaii)

This tutorial introduces ADD 3.0, explains the key changes made relative to its previous version, and illustrates the design method with a detailed case study.

April 2015 - Presentation The Value of Architecture and Architects

Authors: Shrikant Palkar (Costco Wholesale)

In this presentation, Shrikant Palkar of Costco Wholesale reviews how architects can achieve value through both design decisions and strategic involvement.

April 2015 - Presentation Keynote: Progress Toward an Engineering Discipline of Software

Authors: Mary Shaw

Mary Shaw discusses the evolution of software engineering, drawing on civil engineering and software architecture for examples that show the progressive codification of informal knowledge toward rigorous models and tools.

April 2015 - Presentation Injection, Modularity, and Testing: An Architecturally Interesting Intersection

Authors: George Fairbanks (Google)

Dependency injection, code modularity, and testing often seem like staid, even boring, topics, but there are surprises when you put all three together.

April 2015 - Presentation Building Smarter Microservices with Scale-Oriented Architecture

Authors: Ryan Park (Runscope), Neil Mansilla (Runscope)

Designing an architecture around microservices connected through HTTP APIs can help companies scale, from platform to product and people dimensions.

April 2015 - Presentation What Coderetreats Have Taught Us About Design

Authors: Jim Hurne (IBM Watson Group), Joseph Kramer (IBM Watson Group)

This talk presents our story of using coderetreats at IBM to share knowledge, build teams, and foster a sense of craftsmanship across organizational boundaries.

April 2015 - Presentation A Partner Is Good to Have, but Difficult to Be

Authors: David Kane (Santeon Group), Dave Dikel (InSysCo)

This workshop illustrates the importance of partnering skills in the context of software architecture for increasing stakeholders' engagement and trust.

April 2015 - Presentation Systems of Action: A Stack Model for Capability Classification

Authors: Einar Landre (Statoil), Jørn Ølmheim (Statoil)

Statoil has studied how to best develop systems of action. This talk presents a stack model defining a capability hierarchy used to position applicable technologies.

April 2015 - Presentation Introduction to Architecture-Centric Design Thinking

Authors: Michael Keeling (IBM Watson Group)

This talk covers the foundation of user-focused design theory and describes practical methods for applying design thinking in the context of software architecture.

April 2015 - Presentation Improving Architectural Refactoring Using Kanban and the Mikado Method

Authors: Paul Boos (Santeon Group)

This presentation covers the Mikado Method and how it works, explores the issues and the Kanban backlog, and overviews why Kanban is a good fit for maintenance.

April 2015 - Podcast An Introduction to Context-Aware Computing

Topics: Pervasive Mobile Computing

Authors: Dr. Anind Dey, Dr. Jeff Boleng

Dr. Anind Dey and Dr. Jeff Boleng introduce context-aware computing and explore issues related to sensor-fueled data in the internet of things.

April 2015 - Audio CERT Cyber Risk Insurance Symposium Overview

Topics: Cyber Risk and Resilience Management

Authors: Summer C. Fowler, James J. Cebula, Julia H. Allen

In this interview, Summer Fowler and Jim Cebula provide an overview of the May 2015 CERT Cyber Risk Insurance Symposium.

April 2015 - Podcast Data Driven Software Assurance

Topics: Software Assurance, Vulnerability Analysis

Authors: Michael D. Konrad, Art Manion

In 2012, SEI researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.

April 2015 - Conference Paper Industry/University Collaboration in Software Engineering Education: Refreshing and Retuning Our Strategies

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a panel session that explored strategies for industry/university collaboration in software engineering education.

April 2015 - White Paper SCALe Analysis of JasPer Codebase

Topics: Secure Coding

Authors: David Svoboda

In this paper, David Svoboda provides the findings of a SCALe audit on a codebase.

March 2015 - Podcast Applying Agile in the DoD: Twelfth Principle

Topics: Acquisition Support

Authors: Suzanne Miller, Mary Ann Lapham

In this episode, Suzanne Miller and Mary Ann Lapham explore the application of the 12th Agile principle in the Department of Defense.

March 2015 - Podcast Supply Chain Risk Management: Managing Third Party and External Dependency Risk

Topics: Cyber Risk and Resilience Management

Authors: John Haller, Matthew J. Butkovic, Julia H. Allen

In this podcast, Matt Butkovic and John Haller discuss approaches for more effectively managing supply chain risks, focusing on risks arising from "external entities that provide, sustain, or operate Information and Communications Technology (ICT)."

March 2015 - Technical Note Model-Driven Engineering: Automatic Code Generation and Beyond

Topics: Software Architecture, Acquisition Support

Authors: John Klein, Harry L. Levinson, Jay Marchetti

This report offers guidance on selecting, analyzing, and evaluating model-driven engineering tools for automatic code generation in acquired systems.

March 2015 - Technical Note Defining a Maturity Scale for Governing Operational Resilience

Topics: Cyber Risk and Resilience Management

Authors: Katie C. Stewart, Julia H. Allen, Audrey J. Dorofee, Michelle A. Valdez, Lisa R. Young

Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.

March 2015 - White Paper SEI SPRUCE Project: Curating Recommended Practices for Software Producibility

Topics: Software Architecture, Measurement and Analysis, Cyber Risk and Resilience Management

Authors: Michael D. Konrad, B. Craig Meyers, Tamara Marshall-Keim, Gerald W. Miller, Bill Pollak

This paper describes the Systems and Software Producibility Collaboration Environment (SPRUCE) project and the resulting recommended practices on five software topics.

March 2015 - Podcast Introduction to the Mission Thread Workshop

Topics: System of Systems, Software Architecture

Authors: Michael J. Gagliardi

In this podcast, Mike Gagliardi introduces the Mission Thread Workshop, a method for understanding architectural and engineering considerations for developing and sustaining systems of systems.

March 2015 - Technical Report Improving Quality Using Architecture Fault Analysis with Confidence Arguments

Topics: Software Architecture

Authors: Peter H. Feiler, Charles B. Weinstock, John B. Goodenough, Julien Delange, Ari Z. Klein, Neil Ernst

The case study shows that by combining an analytical approach with confidence maps, we can present a structured argument that system requirements have been met and problems in the design have been addressed adequately.

March 2015 - Technical Report Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets

Topics: Secure Coding

Authors: Jonathan Burket, Lori Flynn, Will Klieber, Jonathan Lim, Wei Shen, William Snavely

In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.

March 2015 - Article The Practice and Future of Release Engineering: A Roundtable with Three Release Engineers

Topics: Software Architecture

Authors: Bram Adams (École Polytechnique de Montréal), Stephany Bellomo, Christian Bird (Microsoft Research), Tamara Marshall-Keim, Foutse Khomh (École Polytechnique de Montréal), Kim Moir (Mozilla)

This introduction to a special issue on release engineering overviews the challenges that release engineers face, featuring highlights from interviews with three practitioners.

February 2015 - Podcast Applying Agile in the DoD: Eleventh Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Miller

In this podcast, the tenth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the eleventh principle:

February 2015 - Technical Report Eliminative Argumentation: A Basis for Arguing Confidence in System Properties

Topics: Software Architecture, Software Assurance

Authors: John B. Goodenough, Charles B. Weinstock, Ari Z. Klein

This report defines the concept of eliminative argumentation and provides a basis for assessing how much confidence one should have in an assurance case argument.

February 2015 - Presentation The IEEE Cybersecurity Initiative — Accelerating Innovation in Security & Privacy Technologies (Presentation)

Authors: Greg Shannon

In this presentation, Greg Shannon discusses the goals of the IEEE Cybersecurity Initiative (CybSI).

February 2015 - Article The IEEE Cybersecurity Initiative — Accelerating Innovation in Security & Privacy Technologies (Video)

Authors: Greg Shannon

In this video, Greg Shannon discusses the goals of the IEEE Cybersecurity Initiative (CybSI).

February 2015 - Podcast A Workshop on Measuring What Matters

Topics: Measurement and Analysis

Authors: Lisa R. Young, Michelle A. Valdez, Katie C. Stewart, Julia H. Allen

This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences planning and executing the workshop and identifying improvements for future offerings.

February 2015 - Webinar Advancing Cyber Intelligence Practices Through the SEI's Consortium

Topics: Cyber Risk and Resilience Management

Authors: Jay McAllister, Melissa Ludwick

Sound cyber intelligence practices can help organizations prevent or mitigate major security breaches. For several years, researchers at the SEI have been examining methodologies, processes, technology, and training to help organizations.

February 2015 - Podcast Applying Agile in the DoD: Tenth Principle

Topics: Acquisition Support

Authors: Suzanne Miller, Mary Ann Lapham

In this podcast, part of an ongoing series, Mary Ann Lapham and Suzanne Miller discuss the application of the tenth Agile principle: Simplicity—the art of maximizing the amount of work not done—is essential.

February 2015 - Technical Note A Proven Method for Meeting Export Control Objectives in Postal and Shipping Sectors

Topics: Cyber Risk and Resilience Management

Authors: Greg Crabb (United States Postal Service), Julia H. Allen, Pamela D. Curtis, Nader Mehravari

This report describes how the CERT-RMM enabled the USPIS to implement an innovative approach for achieving complex international mail export control objectives.

February 2015 - Technical Note Measuring What Matters Workshop Report

Topics: Risk and Opportunity Management, Cyber Risk and Resilience Management

Authors: Katie C. Stewart, Julia H. Allen, Michelle A. Valdez, Lisa R. Young

This report describes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.

February 2015 - Technical Report A Dynamic Model of Sustainment Investment

Topics: Process Improvement, Measurement and Analysis

Authors: Sarah Sheard, Robert Ferguson, Andrew P. Moore, Mike Phillips

This paper describes a dynamic sustainment model that shows how budgeting, allocation of resources, mission performance, and strategic planning are interrelated and how they affect each other over time.

January 2015 - Conference Paper Runtime Performance Challenges in Big Data Systems

Topics: Software Architecture, Measurement and Analysis

Authors: John Klein, Ian Gorton

This paper presents a reference architecture for big data systems. It uses a model-driven engineering toolkit to generate architecture-aware monitors and application-specific visualizations.

January 2015 - Podcast Predicting Software Assurance Using Quality and Reliability Measures

Topics: Software Assurance

Authors: William Nichols, Carol Woody

In this podcast, the authors discuss how a combination of software development and quality techniques can improve software security.

January 2015 - Webinar Tactical Cloudlets: Moving Cloud Computing to the Edge

Topics: Pervasive Mobile Computing, Software Architecture

Authors: Grace Lewis

This webinar presents the tactical cloudlet concept and experimentation results for five different cloudlet provisioning mechanisms.

January 2015 - Podcast Applying Agile in the DoD: Ninth Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Miller

In this episode, Suzanne Miller and Mary Ann Lapham discuss the application of the ninth Agile principle, "Continuous attention to technical excellence and good design enhances Agile."

January 2015 - Video Flocon 2015 Close-Out Talk

Topics: Network Situational Awareness

Authors: Michael Jacobs

In this video, Mike Jacobs summarizes the presentations from FloCon 2015 and announces the date and location for FloCon 2016.

January 2015 - Video Global Situational Awareness with Free Tools

Topics: Network Situational Awareness

Authors: Dennis M. Allen

In this video, Dennis Allen shows how global situational awareness helps organizations get threat indicators, understand risks, and correlate events.

January 2015 - Presentation Statistical Model for Simulation of Normal User Traffic

Topics: Network Situational Awareness

Authors: Jan Stiborek (Cisco Systems, Inc.)

In this presentation, Jan proposes three techniques to generate NetFlow/IPFIX records that mimic the traffic of a real user.

January 2015 - Video Why to Measure: Economics and Data in Security Policy

Topics: Network Situational Awareness

Authors: Allan Friedman (George Washington University)

In this video from FloCon 2015, Allan Friedman gives a keynote presentation titled "Why to Measure: Economics and Data in Security Policy."

January 2015 - Presentation Increasing the Insight from Network Flows--Connecting Science to Operational Reality

Topics: Network Situational Awareness

Authors: Grant Babb (Intel Corporation)

In this presentation, Grant outlines an approach that increases the insight that network flows can provide.

January 2015 - Presentation Graph Based Role Mining Techniques for Cyber Security

Topics: Network Situational Awareness

Authors: Kiri Oler (Pacific Northwest National Laboratory), Sutanay Choudhury (Pacific Northwest National Laboratory)

In this talk, Kiri proposes tailoring existing role-mining techniques to enterprise networks where the network graph is derived from NetFlow data captured by the enterprise.

January 2015 - Presentation Enterprise Data Storage and Analysis on Apache Spark

Topics: Network Situational Awareness

Authors: Tim Barr (Cray, Inc.)

In this presentation, Tim explores a formalized architecture utilizing Apache Spark to address data storage challenges.

January 2015 - Video Flocon 2015 Welcome Talk

Topics: Network Situational Awareness

Authors: Jonathan Spring

In this video, Jonathan Spring introduces FloCon 2015, which took place in Portland, Oregon in January 2015.

January 2015 - Presentation Flow Storage Revisited: Is It Time to Re-Architect Flow Storage and Processing Systems?

Topics: Network Situational Awareness

Authors: John McHugh

In this talk, John presents the results of experiments using a modest data set comprising on the order of a billion flow records.

January 2015 - Presentation Network Flow Analysis in Information Security Strategy

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall

In this presentation from FloCon 2015, Tim Shimeall describes a series of analytics keyed to the strategies they support.

January 2015 - Presentation Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations

Topics: Network Situational Awareness

Authors: Jesus Ramirez Pichardo (Banco de Mexico), Jesus Vazquez Gomez (Banco de Mexico)

In this presentation, the authors discuss Preventive Digital Forensics, which is a modification to traditional digital forensics methods.

January 2015 - Presentation Approaching Intelligent Analysis for Attribution and Tracking the Lifecycle of Threats

Authors: Timur D. Snoke

In this presentation, Timur Snoke proposes combining the threat assessment native to the Cyber Kill Chain and the attribution capability of the Diamond model.

January 2015 - Presentation StreamWorks – A System for Real-Time Graph Pattern Matching on Network Traffic

Topics: Network Situational Awareness

Authors: George Chin (Pacific Northwest National Laboratory), Sutanay Choudhury (Pacific Northwest National Laboratory), Khushbu Agarwal (Pacific Northwest National Laboratory)

In this presentation, the authors describe the emerging graph pattern approach and the system design of StreamWorks and demonstrate its emerging threat detection capabilities.

January 2015 - Presentation Monitoring Virtual Networks

Topics: Network Situational Awareness

Authors: George Warnagiris

In this presentation, George Warnagiris describes implementations of three virtualized networks and examines trends in virtual networking.

January 2015 - Presentation SSH Compromise Detection Using NetFlow/IPFIX

Topics: Network Situational Awareness

Authors: Rick Hofstede (University of Twente), Luuk Hendriks (University of Twente)

In this presentation, the authors discuss SSHCure, the first network-based IDS that detects whether an attack has resulted in a compromise.

January 2015 - Presentation Indicator Expansion with Analysis Pipeline

Topics: Network Situational Awareness

Authors: Daniel Ruef

In this presentation, given at FloCon 2015, Dan Ruef discusses indicator expansion.

January 2015 - Presentation Using Vantage to Manage Complex Sensor Networks

Topics: Network Situational Awareness

Authors: Michael Collins (RedJack)

In this talk, Michael Collins introduces a systematic methodology for analyzing the vantage of sensor systems.

January 2015 - Presentation Modeling the Active and Idle Durations of Network Hosts

Topics: Network Situational Awareness

Authors: Soumyo D. Moitra

In this presentation, Soumyo discusses the distributions of active and idle durations of network hosts using flow data.

January 2015 - Presentation Encounter Complexes For Clustering Network Flow

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf

In this presentation, Leigh defines and demonstrates an encounter complex for analyzing network flow.

January 2015 - Presentation Locality: A Semi-Formal Flow Dimension

Topics: Network Situational Awareness

Authors: John Gerth (Stanford University)

In this talk, John Gerth discusses "locality," a semi-formal dimension of a flow derived from attributes of the address pairs.

January 2015 - Presentation Advances in Semantically Augmented Flow Data for Dynamic Impact Assessment, Response Selection, and Alert Prioritization

Topics: Network Situational Awareness

Authors: Nik Kinkel (The Ames Laboratory), Harris T. Lin (The Ames Laboratory), Chris Strasburg (The Ames Laboratory)

In this talk, the authors discuss strategies for optimizing the addition of semantic information to flow data to enable it to be used in real time.

January 2015 - Presentation Elasticsearch, Logstash, and Kibana (ELK)

Topics: Network Situational Awareness

Authors: Dwight S. Beaver, Sean Hutchison

In this presentation, the authors describe how they deployed ELK, the system architecture overview, and the operational analytics that ELK can create.

January 2015 - Presentation Finding a Needle in a PCAP

Topics: Network Situational Awareness

Authors: Emily Sarneso

In this presentation, Emily describes the available features in Yet Another Flowmeter (YAF) for indexing large PCAP files with flow.

January 2015 - Presentation Discrete Mathematical Approaches to Traffic Graph Analysis

Topics: Network Situational Awareness

Authors: Cliff Joslyn (Pacific Northwest National Laboratory), Wendy Cowley (Pacific Northwest National Laboratory), Emilie Hogan (Pacific Northwest National Laboratory), Bryan Olsen (Pacific Northwest National Laboratory)

In this presentation, the authors discuss NetFlow multigraphs and graph statistics and provide characterizations of IP interaction during simulated attacks.

January 2015 - Presentation Semantic Representations of Network Flow: A Proposed Standard with the What, the Why, and the How

Topics: Network Situational Awareness

Authors: Eric Dull (Yarc Data), Rachel Kartch, Robert Techentin (Mayo Clinic)

In this presentation, the authors discuss a proposed standard representation of network flow data, discuss RDF and SPARQL, give examples, and solicit feedback.

January 2015 - Presentation Network Flow Analysis at SCinet

Topics: Network Situational Awareness

Authors: Eric Dull (Yarc Data), Steven Reinhardt (Cray, Inc.)

In this presentation, the authors share the workflow and architecture of SC14 and outline plans for analytic improvement at SC15.

January 2015 - Article A Method and Case Study for Using Malware Analysis to Improve Security Requirements

Topics: Software Assurance, Cybersecurity Engineering

Authors: Nancy R. Mead, Jose A. Morales, Gregory Paul Alice

In this article, the authors propose to enhance software development lifecycle models by implementing a process for including use cases based on previous cyberattacks.

January 2015 - Podcast Cyber Insurance and Its Role in Mitigating Cybersecurity Risk

Topics: Cyber Risk and Resilience Management

Authors: James J. Cebula, David W. White, Julia H. Allen

In this podcast, Jim Cebula and David White discuss cyber insurance and its potential role in reducing operational and cybersecurity risk.

January 2015 - White Paper Blacklist Ecosystem Analysis Update: 2014

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf, Jonathan Spring

This white paper compares the contents of 85 different Internet blacklists to discover patterns in shared entries.

December 2014 - Technical Note Predicting Software Assurance Using Quality and Reliability Measures

Topics: Cybersecurity Engineering, Software Assurance, Measurement and Analysis

Authors: Carol Woody, Robert J. Ellison, William Nichols

In this report, the authors discuss how a combination of software development and quality techniques can improve software security.

December 2014 - Podcast AADL and Dassault Aviation

Topics: Software Architecture

Authors: Thierry Cornilleau (Dassault Aviation), Peter H. Feiler

In this podcast, Peter Feiler and Thierry Cornilleau discuss their experiences with the Architecture Analysis and Design Language.

December 2014 - Technical Report Regional Use of Social Networking Tools

Topics: Network Situational Awareness

Authors: Kate Meeuf

This paper explores the regional use of social networking services (SNSs) to determine if participation with a subset of SNSs can be applied to identify a user's country of origin.

December 2014 - Webinar Risk Priority Number (RPN) – A Method for Software Defect Report Analysis

Topics: Measurement and Analysis, Risk and Opportunity Management

Authors: Will Hayes, Julie B. Cohen

This webinar explains the components used in RPN and how it can help a program select between competing defects to best utilize constrained resources and lower overall system risk.

December 2014 - Webinar Lessons in External Dependency and Supply Chain Risk Management

Topics: Cyber Risk and Resilience Management

Authors: John Haller, Matthew J. Butkovic

In this webinar, John Haller and Matthew Butkovic of the CERT Division of the Software Engineering Institute will discuss real-world incidents, including recent industrial control system attacks and incidents affecting Department of Defense capabilities.

December 2014 - White Paper Domain Parking: Not as Malicious as Expected

Topics: Cybersecurity Engineering

Authors: Leigh B. Metcalf, Jonathan Spring

In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be indicative of malicious behavior.

December 2014 - Technical Note Pattern-Based Design of Insider Threat Programs

Topics: Insider Threat

Authors: Andrew P. Moore, Matthew L. Collins, Dave Mundie, Robin Ruefle, David McIntire

In this report, the authors describe a pattern-based approach to designing insider threat programs that could provide a better defense against insider threats.

December 2014 - Podcast Tactical Cloudlets

Topics: Pervasive Mobile Computing

Authors: Grace Lewis, Suzanne Miller

In this podcast, Grace Lewis discusses five approaches that her team developed and tested for using tactical cloudlets as a strategy for providing infrastructure to support computation offload and data staging at the tactical edge.

December 2014 - Technical Note Introduction to the Security Engineering Risk Analysis (SERA) Framework

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Carol Woody, Audrey J. Dorofee

This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

November 2014 - Podcast Agile Software Teams and How They Engage with Systems Engineering on DoD Acquisition Programs

Topics: Acquisition Support

Authors: Eileen Wrubel, Suzanne Miller

In this podcast, Eileen Wrubel and Suzanne Miller discuss issues with Agile software teams engaging systems engineering functions in developing and acquiring software-reliant systems.

November 2014 - Conference Paper An Incident Management Ontology

Topics: Incident Management

Authors: Dave Mundie, Robin Ruefle, Audrey J. Dorofee, John McCloud, Samuel J. Perl, Matthew L. Collins

In this paper, the authors describe the shortcomings of the incident management meta-model and how an incident management ontology addresses those shortcomings.

November 2014 - Conference Paper An Ontology for Insider Threat Indicators

Topics: Insider Threat

Authors: Daniel L. Costa, Matthew L. Collins, Samuel J. Perl, Michael J. Albrethsen, George Silowash, Derrick Spooner

In this paper, the authors describe their ongoing development of an insider threat indicator ontology.

November 2014 - Technical Note Using Malware Analysis to Tailor SQUARE for Mobile Platforms

Topics: Cybersecurity Engineering, Malware Analysis

Authors: Gregory Paul Alice, Nancy R. Mead

This technical note explores the development of security requirements for the K-9 Mail application, an open source email client for the Android operating system.

November 2014 - Podcast Coding with AADL

Topics: Software Architecture

Authors: Julien Delange, Suzanne Miller

In this podcast, Julien Delange summarizes different perspectives on research related to code generation from software architecture models.

November 2014 - Webinar Architecture Analysis with AADL

Topics: Software Architecture, Performance and Dependability

Authors: Julien Delange

This webinar introduces the Architecture Analysis and Design Language (AADL), an architecture modeling language used to specify safety-critical systems, and shows its use in the Open Source AADL Tool Environment (OSATE).

November 2014 - Presentation Under N: Acceptance to Delivery in N Hours

Authors: Umashankar Velusamy (Verizon Communications, Inc.)

This TSP Symposium 2014 presentation describes the Under-N methodology, a framework for uncovering hidden capabilities and delivering on a business need within a fixed, absolute time.

November 2014 - Presentation TSP-PACE: Process and Capability Evaluation, an Experience Report

Authors: Antonio Mejorado (Tecnológico de Monterrey University), Rafael Salazar (Tecnológico de Monterrey University), William Nichols

This TSP Symposium 2014 presentation presents results of TSP evaluations in PACE pilots and describes how they support organizational improvement and national benchmarking.

November 2014 - Presentation TSP History and Evolution at Cadence Design Systems

Authors: Elias Fallon (Cadence Design Systems, Inc.)

This TSP Symposium 2014 presentation describes how Cadence applied the principles of TSP to develop an approach called Cadence Development Engineer Training (CaDET).

November 2014 - Presentation The Impact of the PSP on Software Quality: Eliminating the Learning Effect Threat Through a Controlled Experiment

Authors: Fernanda Grazioli (Universidad de la República), Diego Vallespir (Universidad de la República), Silvana Moreno (Universidad de la República), Leticia Perez-Queiruga (Universidad de la República)

This TSP Symposium 2014 presentation provides results indicating that the Personal Software Process is the most plausible cause of software quality improvements.

November 2014 - Presentation Software Architecture Decision-Making Techniques

Authors: Elizabeth Correa (Verizon)

This TSP Symposium 2014 presentation explains that many architects suffer from analysis paralysis and provides techniques to apply to software design decisions.

November 2014 - Presentation Scrum: Creating Great Products and Critical Systems – What to Worry About, What’s Missing, and How to Fix It

Authors: Neil Potter (The Process Group)

This TSP Symposium 2014 presentation enumerates the problems to look out for in Scrum/Agile implementations and provides example corrective actions.

November 2014 - Presentation Insider Threats in the Software Development Life Cycle

Authors: Daniel L. Costa, Randall F. Trzeciak

This TSP Symposium 2014 presentation uncovers patterns from cases in which insiders exploited vulnerabilities in software development processes to harm their organizations.

November 2014 - Presentation Evolving Postmortems as Teams Evolve Through TxP

Authors: Brad Hodgins (NAVAIR)

This TSP Symposium 2014 presentation introduces graphs that are effective for presenting analysis results at the various levels of evolution a team passes through as it works toward becoming a TxP team.

November 2014 - Presentation Architecture Best Practices for Project and Technical Leaders

Authors: Felix Bachmann, Jim McHale, Timothy Morrow

This TSP Symposium 2014 presentation describes a set of architecture best practices based on commercial and government experiences in software development.

November 2014 - Presentation An Extension of the PSP PROBE Process to Help Students Make More Reliable Estimates in Early Stages of PSP Training

Authors: Yoshihiro Akiyama (Next Process, Inc.)

This TSP Symposium 2014 presentation describes how to reduce students' over- or underestimates in new program development by extending the PSP PROBE process.

November 2014 - Presentation Information Flow: The Secret to Successful Teamwork

Authors: Jesse Schell (Schell Games)

In this TSP Symposium 2014 keynote presentation, Jesse Schell explains what he has learned from professional game development that helps teams succeed or causes them to fail.

November 2014 - Presentation Using PSP/TSP in a Performance Review

Authors: Larry Whitford (Beckman Coulter), Nicole Flohr (Beckman Coulter)

This TSP Symposium 2014 presentation explores the use of PSP/TSP data in the developers' and testers' performance reviews on two TSP projects and results to date.

November 2014 - Presentation TSP in Non-implementation Phases: An Experience in How Disciplined Measurement Has Helped Overcome Obstacles in Deploying TSP in Mexican Organizations

Authors: Blanca Gil (Software Industry Excellence Center de Mexico)

This TSP Symposium 2014 presentation shares the challenges faced in several TSP implementations and how these projects enabled cultural change in the organizations.

November 2014 - Presentation The Executive View: Beyond the Methodology

Authors: David VanEpps (Acxiom)

This TSP Symposium 2014 presentation describes using CMMI methodology and Team Software Process training to solve critical business problems.

November 2014 - Presentation Tales from the Quality Journey

Authors: Darryl Davis (Davis Systems)

This TSP Symposium 2014 presentation shares quality management insights from 31 years in product development, manufacturing, management, and process improvement.

November 2014 - Presentation SEMPRE: The TSP Software Engineering Measured Performance Repository

Authors: William Nichols, Yasutaka Shirai (Toshiba)

This TSP Symposium 2014 presentation introduces data collected via the Process Dashboard tool and provides some initial benchmark statistics for project planning.

November 2014 - Presentation Introduction to Software Product Lines

Authors: Patrick Donohoe

This TSP Symposium 2014 presentation introduces software product line development, essential activities and underlying practices, and costs and benefits of adoption.

November 2014 - Presentation Common System and Software Testing Pitfalls (2014)

Authors: Donald Firesmith

This TSP Symposium 2014 presentation describes a taxonomy of 145 testing pitfalls in 21 categories, documented by causes, consequences, and recommendations.

November 2014 - Presentation A Zero-Depth Entry to Using TSP: How TSP Turned Around the Smart Grid Maturity Model Project

Authors: Julia L. Mullaney, Summer C. Fowler

This TSP Symposium 2014 presentation describes how basic Team Software Process principles were used to bring the Smart Grid Maturity Model project under control.

November 2014 - Presentation An Incremental Life-Cycle Assurance Strategy for Critical System Certification

Authors: Peter H. Feiler

This TSP Symposium 2014 presentation describes an architecture-led incremental assurance strategy that addresses mission- and safety-critical software-reliant systems.

November 2014 - Presentation Advanced Modeling of Teaming Data to Enable Superior Team Performance

Authors: Robert W. Stoddard, Dan Bennett (Hill Air Force Base), David Webb (Hill Air Force Base), Rushby Craig (Hill Air Force Base), Lance Moore (Hill Air Force Base)

This TSP Symposium 2014 presentation describes data analyzed using statistical analysis and modern structural equation modeling (SEM) to enhance team performance.

November 2014 - Presentation The ACE (Accurate Confident Estimating) Process

Authors: Carl Wyrwa (Beckman Coulter)

This TSP Symposium 2014 presentation introduces the ACE Process, a structured approach that teams can use to develop accurate and confident estimates.

November 2014 - Presentation Wild, Wild West—How to Corral All Your Developers into Creating Secure Code

Authors: Jonathan Beck (PNC Financial Services Group)

This TSP Symposium 2014 keynote discusses the challenges facing CISOs when they are ensuring that their organizations implement secure coding practices.

November 2014 - Article Case Study of Toyota Unintended Acceleration and Software Safety

Authors: Philip Koopman (Carnegie Mellon University)

In this TSP Symposium 2014 keynote presentation, CMU's Philip Koopman outlines key events and technical issues in the Toyota Unintended Acceleration story.

November 2014 - Presentation A Vendor Development Program: Smart Clients Are a Success Factor

Authors: Francisco Aleman (Delaware Software)

This TSP Symposium 2014 presentation introduces the Performance and Capability Evaluation (PACE) framework, which aims to transform outsourcing companies into business partners.

November 2014 - Conference Paper Taking the Team Meeting to the Next Level

Authors: David Saint-Amand (NAVAIR)

This TSP Symposium 2014 paper reviews the development of an effective and efficient tool for encouraging participation and capturing information at team status meetings.

October 2014 - Article Dynamics of Software Sustainment

Topics: Measurement and Analysis

Authors: Sarah Sheard, Robert Ferguson, Mike Phillips, Andrew P. Moore

This paper describes the development of a dynamic economic model of sustainment to predict the consequences of funding decisions within sustainment organizations.

October 2014 - Podcast The State of Agile

Topics: Acquisition Support

Authors: Alistair Cockburn, Suzanne Miller

In this podcast, Alistair Cockburn, an Agile pioneer and one of the original signers of the Agile Manifesto, and SEI principal researcher Suzanne Miller discuss the current state of Agile adoption.

October 2014 - Conference Paper Evolutionary Improvements of Cross-Cutting Concerns: Performance in Practice

Topics: Software Architecture

Authors: Stephany Bellomo, Neil Ernst, Robert Nord, Ipek Ozkaya

This paper describes two key challenges of incrementally evolving cross-cutting concerns such as performance during incremental software development.

October 2014 - Presentation The Business Case for Systems Engineering: Comparison of Defense-Domain and Non-Defense Projects

Topics: Measurement and Analysis

Authors: Joseph P. Elm

This NDIA Systems Engineering Conference presentation summarizes analysis of data collected from the 2011 Systems Engineering (SE) Effectiveness Survey.

October 2014 - Technical Note A Method for Aligning Acquisition Strategies and Software Architectures

Topics: Acquisition Support

Authors: Lisa Brownsword, Cecilia Albert, David J. Carney, Patrick R. Place

This report describes the third year of the SEI's research into aligning acquisition strategies and software architecture.

October 2014 - Poster Security Engineering Risk Analysis Project

Topics: Cybersecurity Engineering, Risk and Opportunity Management

Authors: Carol Woody

In this poster, the Security Engineering Risk Analysis Project is illustrated, including causes of security design weaknesses and the use of risk analysis.

October 2014 - Poster Quality and Software Assurance Project

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody

In this poster, the Quality and Software Assurance Project is illustrated, including highlights of a literature review, a workflow, and a working hypothesis.

October 2014 - Poster Deep Focus: Increasing User “Depth of Field” to Improve Threat Detection

Topics: Science of Cybersecurity, Insider Threat

Authors: William R. Claycomb, Roy Maxion (Carnegie Mellon CyLab)

In this poster, a CERT Threat Detection Project is illustrated, including the problem, goals, approach, and data collection methods.

October 2014 - Poster Insider Threat Mitigation Project

Topics: Insider Threat

Authors: Kathleen Carley (Carnegie Mellon School of Computer Science), Neal Altman, Geoff Morgan (Carnegie Mellon School of Computer Science), Matt Benigni (Carnegie Mellon School of Computer Science), Matthew L. Collins, Andrew P. Moore, William R. Claycomb

In this poster, the approach taken by the Insider Threat Mitigation Project is illustrated, including ego-centered and email-centered analyses.

October 2014 - Article Discovery of C++ Data Structures from Binaries

Topics: Network Situational Awareness

Authors: Dan Quinlan (Lawrence Livermore National Laboratory), Cory Cohen

In this article, the authors present the techniques to identify C++ data structures in binary executables.

October 2014 - Article Supervised Learning for Provenance-Similarity of Binaries

Topics: Malware Analysis

Authors: Sagar Chaki, Cory Cohen, Arie Gurfinkel

In this article, the authors present a notion of similarity based on provenance; two binaries are similar if they are compiled from the same source code with the same compilers.

October 2014 - Article A Scalable Search Index for Binary Files

Topics: Malware Analysis

Authors: Wesley Jin, Chuck Hines, Cory Cohen, Priya Narasimhan (Carnegie Mellon University)

In this article, the authors present a scalable architecture for searching and indexing terabyte-size collections of binary files.

October 2014 - Article Binary Function Clustering using Semantic Hashes

Topics: Malware Analysis

Authors: Wesley Jin, Sagar Chaki, Cory Cohen, Arie Gurfinkel, Jeff Havrilla, Chuck Hines, Priya Narasimhan (Carnegie Mellon University)

In this article, the authors present an alternative to pairwise comparisons based on hashing, in which the semantics of a function are captured as a "semantic hash" that can be used to cluster functions.

October 2014 - Article Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

Topics: Malware Analysis

Authors: Wesley Jin, Cory Cohen, Jeff Gennari, Chuck Hines, Sagar Chaki, Arie Gurfinkel, Jeff Havrilla, Priya Narasimhan (Carnegie Mellon University)

In this article, the authors present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class.

October 2014 - Technical Note Agile Methods in Air Force Sustainment: Status and Outlook

Topics: Acquisition Support

Authors: Colleen Regan, Mary Ann Lapham, Eileen Wrubel, Stephen Beck, Michael S. Bandor

This paper examines using Agile techniques in the software sustainment arena—specifically Air Force programs. The intended audience is the staff of DoD programs and related personnel who intend to use Agile methods during software sustainment.

October 2014 - Article C/C++ Thread Safety Analysis

Topics: Secure Coding

Authors: DeLesley Hutchins (Google, Inc.), Aaron Ballman, Dean F. Sutherland

In this paper, the authors describe Clang Thread Safety Analysis, a tool that uses annotations to enforce thread safety policies in C and C++ programs.

October 2014 - Special Report Development of an Intellectual Property Strategy: Research Notes to Support Department of Defense Programs

Topics: Acquisition Support

Authors: Charlene Gross

This report is intended to help program managers understand categories of intellectual property, various intellectual property challenges, and approaches to assessing the license rights that the program needs for long-term execution and sustainment.

October 2014 - Presentation Design Research in the Context of Federal Law Enforcement

Authors: Barbora Batokova, Todd Waits, Anne Connell

In this presentation, the authors discuss the design research methods used to develop a hardware and software solution for paper-based evidence processing.

October 2014 - Conference Paper Design Research in the Context of Federal Law Enforcement

Topics: Cybersecurity Engineering, Digital Intelligence and Investigation

Authors: Barbora Batokova, Todd Waits, Anne Connell

In this paper, the authors discuss the design research methods used to develop a hardware and software solution for paper-based evidence processing.

October 2014 - Technical Report AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

Topics: Software Architecture

Authors: Julien Delange, Peter H. Feiler, David P. Gluch, John J. Hudak

This report describes how the Architecture Analysis and Design Language (AADL) Error Model Annex supports the safety-assessment methods in SAE Standard ARP4761.

October 2014 - Podcast Applying Agile in the DoD: Eighth Principle

Topics: Acquisition Support

Authors: Suzanne Miller, Mary Ann Lapham

In this episode, the eighth in a series exploring Agile principles across the DoD, Suzanne Miller and Mary Ann Lapham discuss the eighth Agile principle.

October 2014 - Podcast A Taxonomy of Operational Risks for Cyber Security

Topics: Cyber Risk and Resilience Management

Authors: James J. Cebula, Julia H. Allen

In this podcast, James Cebula describes how to use a taxonomy to increase confidence that your organization is identifying cyber security risks.

October 2014 - Presentation Quantifying the Effectiveness of Systems Engineering

Topics: Measurement and Analysis

Authors: Joseph P. Elm

This Metrocon Conference presentation summarizes the results of a survey to quantify the connection between systems engineering best practices and performance outcomes.

September 2014 - Presentation A Framework for Estimating Interest on Technical Debt by Monitoring Developer Activity Related to Code Comprehension

Authors: Vallary Singh (University of Delaware), Will Snipes (ABB Corporate Research), Nicholas Kraft (ABB Corporate Research)

This presentation describes research to quantify technical debt by defining and calculating class-based comprehension effort metrics computed from developer logs.

September 2014 - Presentation Towards an Ontology of Terms on Technical Debt

Authors: Nicolli S. R. Alves (Universidade Salvador), Leilane F. Ribeiro (Universidade Salvador), Vivyane Caires (Universidade Salvador), Thiago S. Mendes (Fraunhofer Project Center for Software and System Engineering at UFBA), Rodrigo O. Spínola (Universidade Salvador)

This presentation discusses an ontology of terms for technical debt that classifies debt by the development-process activity with which it is associated.

September 2014 - Presentation Technical Debt and the Effect of Agile Software Development Practices on It: An Industry Practitioner Survey

Authors: Johannes Holvitie (Turku Center for Computer Science), Ville Leppänen (Turku Center for Computer Science), Sami Hyrynsalmi (University of Turku)

This presentation reports the results of three research questions about how agile development methods are used to manage technical debt in software development environments.

September 2014 - Presentation Are All Methods in Your Data Access Objects (DAOs) in the Right Place? A Preliminary Study

Authors: Mauricio Aniche (University of São Paulo), Gustavo Oliva (University of São Paulo), Marco Gerosa (University of Delaware)

This presentation describes a way to identify methods that have been placed in wrong or ambiguous data access objects and provides results from three projects.

September 2014 - Presentation When-to-Release Software Product Decisions in Consideration of Technical Debt

Authors: Jason Ho (University of Calgary), Guenther Ruhe (University of Calgary)

This presentation explains “when-to-release” planning as the problem of determining the release date to maximize release value and minimize technical debt.

September 2014 - Presentation Welcome to the Sixth International Workshop on Managing Technical Debt

Authors: Carolyn Seaman (University of Maryland Baltimore County)

This presentation introduces the Sixth International Workshop on Managing Technical Debt to discuss research and practitioner progress on managing technical debt.

September 2014 - Presentation Explicating, Understanding, and Managing Technical Debt from Self-Driving Miniature Car Projects

Authors: Md. Abdullah Al Mamun (Chalmers University of Technology), Christian Berger (University of Gothenburg), Jörgen Hansson (University of Skovde)

This presentation describes the evolution of technical debt in developing self-driving miniature cars to reduce debt and have more reusable, maintainable software.

September 2014 - Podcast Agile Metrics

Topics: Acquisition Support

Authors: Will Hayes, Suzanne Miller

In this podcast Will Hayes and Suzanne Miller discuss research intended to aid U. S. Department of Defense acquisition professionals in the use of Agile software development methods.

September 2014 - Technical Note CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0)

Topics: Cyber Risk and Resilience Management

Authors: Julia H. Allen, Greg Crabb (United States Postal Service), Pamela D. Curtis, Sam Lin, Nader Mehravari, Dawn Wilkes

This report describes a new process area that ensures that international mail is transported according to Universal Postal Union standards.

September 2014 - Technical Note CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0)

Topics: Cyber Risk and Resilience Management

Authors: Julia H. Allen, Greg Crabb (United States Postal Service), Pamela D. Curtis, Nader Mehravari, David W. White

This report describes a new process area that ensures that the USPS is compensated for mail that is accepted, transported, and delivered.

September 2014 - Technical Note CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0)

Topics: Cyber Risk and Resilience Management

Authors: Julia H. Allen, Greg Crabb (United States Postal Service), Pamela D. Curtis, Nader Mehravari, David W. White

This report describes a new process area that ensures that mail is inducted into the U.S. domestic mail stream according to USPS standards and requirements.

September 2014 - Technical Report Smart Collection and Storage Method for Network Traffic Data

Topics: Network Situational Awareness

Authors: Angela Horneman, Nathan Dell

This report discusses considerations and decisions to be made when designing a tiered network data storage solution.

September 2014 - Podcast Four Principles for Engineering Scalable, Big Data Systems

Topics: Software Architecture

Authors: Ian Gorton, Suzanne Miller

In this podcast, Ian Gorton describes four general principles that hold for any scalable, big data system.

September 2014 - Article Toward Realistic Modeling Criteria of Games in Internet Security

Authors: Jonathan Spring

In this article, Jonathan Spring discusses game theory and security as it relates to computers and the Internet.

August 2014 - Podcast An Appraisal of Systems Engineering: Defense v. Non-Defense

Topics: Measurement and Analysis

Authors: Joseph P. Elm

In this podcast, Joseph P. Elm analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness.

August 2014 - Presentation Eliciting Unstated Requirements

Topics: Measurement and Analysis

Authors: Nancy R. Mead, Michael D. Konrad, Robert W. Stoddard

This tutorial presents the traditional KJ method for eliciting unstated user needs and the extensions made to allow KJ to be used in a virtual environment.

August 2014 - Conference Paper Optimizing Seed Selection for Fuzzing

Authors: Alexandre Rebert (Carnegie Mellon University and ForAllSecure, Inc.), Sang Kil Cha (Carnegie Mellon University), Thanassis Avgerinos (Carnegie Mellon University), Jonathan M. Foote, David Warren, Gustavo Grieco (CIFASIS-CONICET), David Brumley (Carnegie Mellon University)

In this paper, we focus on how to mathematically formulate and reason about one critical aspect in fuzzing: how best to pick seed files to maximize the total number of bugs found during a fuzz campaign.
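
The abstract states the problem but not the paper's algorithms, so the following is an added example by the editor, not the authors' code: a greedy coverage-based set cover (a "minset") is one standard way to pose seed selection, and the example shows why a cost term changes the answer. The per-seed coverage sets and costs are constructed sample data, and the block addresses are placeholders:

```python
"""Pick a seed corpus for a fuzzing campaign by greedy coverage-based set cover.

Editor's illustration for the seed-selection abstract; not the paper's code.
The page does not describe the paper's algorithms, so the greedy "minset"
heuristic here is an assumption used only to show the trade-off between a
small corpus and a cheap one. SAMPLE_COVERAGE and SAMPLE_COST are constructed.
"""

# Constructed per-seed coverage: seed file -> set of basic-block addresses
# that executing the target on that seed reached. Not real traces.
SAMPLE_COVERAGE = {
    "seed_a.png": {0x401000, 0x401020, 0x401040, 0x401060, 0x401080},
    "seed_b.png": {0x401060, 0x401080, 0x4010a0},
    "seed_c.png": {0x4010a0, 0x4010c0},
    "seed_d.png": {0x401000, 0x401020},                      # subsumed by seed_a
    "seed_e.png": {0x4010e0},
    "seed_f.png": {0x401000, 0x401020, 0x401040, 0x401060,   # covers everything
                   0x401080, 0x4010a0, 0x4010c0, 0x4010e0},  # but is expensive
}

# Constructed cost per seed, e.g. seconds per execution or file size in KiB.
SAMPLE_COST = {"seed_a.png": 1, "seed_b.png": 1, "seed_c.png": 1,
               "seed_d.png": 1, "seed_e.png": 1, "seed_f.png": 10}


def greedy_minset(coverage, cost=None):
    """Return seeds, in selection order, that together cover every block.

    Each step takes the seed with the most still-uncovered blocks per unit
    cost; with cost=None every seed costs 1 (the unweighted minset). Ties
    keep the earlier seed in dict order. Seeds that add nothing new (seed_d
    above) are never selected.
    """
    cost = cost or {}
    remaining = set().union(*coverage.values())
    chosen = []
    while remaining:
        best, best_gain = None, 0.0
        for seed, blocks in coverage.items():
            if seed in chosen:
                continue
            gain = len(blocks & remaining) / cost.get(seed, 1)
            if gain > best_gain:
                best, best_gain = seed, gain
        if best is None:
            break  # no seed covers the remaining blocks; cannot happen here
        chosen.append(best)
        remaining -= coverage[best]
    return chosen


def covered_by(coverage, seeds):
    """Union of the coverage of the given seeds."""
    return set().union(*(coverage[s] for s in seeds))


if __name__ == "__main__":
    print("unweighted:", greedy_minset(SAMPLE_COVERAGE))
    print("cost-weighted:", greedy_minset(SAMPLE_COVERAGE, SAMPLE_COST))
```

Unweighted, the single large seed wins outright; once execution cost is charged, three cheap seeds reach the same coverage at a fraction of the per-iteration cost, which is the kind of trade-off a seed-selection strategy has to make explicit before a campaign starts.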

August 2014 - Article The Long "Taile" of Typosquatting Domain Names

Authors: Janos Szurdi, Balazs Kocso, Gabor Cseh, Jonathan Spring, Mark Felegyhazi, Chris Kanich

In this USENIX 2014 paper, the authors describe a methodology to improve existing solutions in identifying typosquatting domains and their monetization strategies.
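
Identifying typosquatting candidates starts from a model of the typos users make. The block below is an added example by the editor, not the paper's code, and the five typo models it uses (missing dot, omission, transposition, substitution, duplication) are this example's choice, not necessarily the ones the authors evaluate; the list of "observed" domains is constructed sample data:

```python
"""Generate single-typo variants of a target domain and match them against
observed domain names.

Editor's illustration for the typosquatting abstract; not the paper's code.
The typo models are this example's choice (an assumption about the paper's
methodology), and OBSERVED_DOMAINS is constructed sample data.
"""
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"

# Constructed sample of "observed" registered domains. Not real data.
OBSERVED_DOMAINS = [
    "example.com",            # the target itself, never a squat
    "exmple.com",             # omission of 'a'
    "examlpe.com",            # transposition of 'pl'
    "wwwexample.com",         # missing dot after "www"
    "exsmple.com",            # substitution 'a' -> 's'
    "exaample.com",           # duplication of 'a'
    "totally-different.com",  # unrelated
    "example.net",            # different TLD, outside these models
]


def typo_candidates(domain):
    """Map each one-typo variant of domain to the model that produces it.

    Only the second-level label is mutated; the TLD is kept. A variant that
    several models could produce keeps the first model that generated it.
    """
    domain = domain.lower()
    label, _, tld = domain.rpartition(".")
    if not label or not tld:
        raise ValueError("expected a registrable name such as example.com")
    candidates = {}

    def add(new_label, model):
        # Labels may not be empty or start/end with a hyphen.
        if (new_label and new_label != label
                and not new_label.startswith("-")
                and not new_label.endswith("-")):
            candidates.setdefault(f"{new_label}.{tld}", model)

    add("www" + label, "missing-dot")
    for i in range(len(label)):
        add(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) - 1):
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i, ch in enumerate(label):
        for repl in ALPHABET:
            if repl != ch:
                add(label[:i] + repl + label[i + 1:], "substitution")
    for i, ch in enumerate(label):
        add(label[:i] + ch + label[i:], "duplication")
    return candidates


def find_typosquats(target, observed):
    """Return {observed_domain: model} for observed names one typo away."""
    candidates = typo_candidates(target)
    hits = {}
    for name in observed:
        key = name.lower()
        if key in candidates:
            hits[name] = candidates[key]
    return hits


if __name__ == "__main__":
    for name, model in find_typosquats("example.com", OBSERVED_DOMAINS).items():
        print(f"{name}: {model}")
```

Matching candidates against a zone file or passive-DNS feed finds the squats a given model predicts; the paper's point is that the simple models miss a long tail, so a candidate generator like this one is a starting point for coverage, not a measure of it.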

August 2014 - Presentation Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)

Authors: James Edmondson

This presentation summarizes the challenges surrounding Group Autonomy for Mobile Systems and how SEI research is addressing them.

August 2014 - Technical Report A Systematic Approach for Assessing Workforce Readiness

Topics: Incident Management

Authors: Christopher J. Alberts, David McIntire

In this report, the authors present the Competency Lifecycle Roadmap and the readiness test development method, both used to maintain workforce readiness.

August 2014 - Special Report Assuring Software Reliability

Topics: Acquisition Support

Authors: Robert J. Ellison

This report describes ways to incorporate the analysis of the potential impact of software failures, regardless of their cause, into development and acquisition practices through the use of software assurance.

August 2014 - Technical Note Patterns and Practices for Future Architectures

Topics: Ultra-Large-Scale Systems

Authors: Eric Werner, Scott McMillan, Jonathan Chu

This report discusses best practices and patterns that will make high-performance graph analytics on new and emerging architectures more accessible to users.

August 2014 - Podcast HTML5 for Mobile Apps at the Edge

Topics: Pervasive Mobile Computing

Authors: Grace Lewis, Suzanne Miller

In this podcast, Grace Lewis discusses research that explores the feasibility of using HTML5 for developing mobile applications, for "edge" environments where resources and connectivity are uncertain, such as in the battlefield.

August 2014 - White Paper Abuse of Customer Premise Equipment and Recommended Actions

Topics: Malware Analysis, Vulnerability Analysis

Authors: Paul Vixie, Chris Hallenbeck, Jonathan Spring

In this paper, the authors provide recommendations for addressing problems related to poor management of customer premise equipment (CPE).

August 2014 - Presentation Abuse of CPE Devices and Recommended Fixes

Topics: Malware Analysis, Vulnerability Analysis

Authors: Paul Vixie, Chris Hallenbeck, Jonathan Spring

In this Black Hat 2014 presentation, the authors provide recommendations for addressing problems related to poor management of customer premise equipment (CPE).

July 2014 - Technical Note Performance of Compiler-Assisted Memory Safety Checking

Topics: Secure Coding

Authors: David Keaton, Robert C. Seacord

This technical note describes the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely available.

July 2014 - Conference Paper SiLK: A Tool Suite for Unsampled Network Flow Analysis at Scale

Topics: Network Situational Awareness

Authors: Mark Thomas, Leigh B. Metcalf, Jonathan Spring, Paul Krystosek, Katherine Prevost

In this paper, the authors discuss SiLK, a tool suite created to analyze high-volume data sources without sampling.

July 2014 - Podcast Applying Agile in the DoD: Seventh Principle

Topics: Acquisition Support

Authors: Suzanne Miller, Mary Ann Lapham

In this podcast, Suzanne Miller and Mary Ann Lapham explore the application of the seventh Agile principle, "working software is the primary measure of progress," in the Department of Defense.

July 2014 - Webinar Software Architecture for Big Data Systems

Topics: Software Architecture

Authors: Ian Gorton

Watch Ian Gorton discuss software architecture for big data systems.

July 2014 - Webinar Architectural Implications of DevOps

Topics: Software Architecture

Authors: Stephany Bellomo

Watch Stephany Bellomo discuss the architectural implications of DevOps.

July 2014 - Presentation 2014 State of Cybercrime Survey Presentation

Topics: Insider Threat

Authors: CERT Insider Threat Center

In this presentation, CSO Magazine, USSS, the CERT Division of the SEI, and PwC provide results of the 2014 U.S. State of Cybercrime Survey.

July 2014 - Technical Note Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector

Authors: CERT Insider Threat Team

This report analyzes unintentional insider threat cases of phishing and other social engineering attacks involving malware.

July 2014 - Podcast AADL and Edgewater

Topics: Software Architecture

Authors: Serban Gheorghe (Edgewater Computer Systems, Inc.), Peter H. Feiler, Suzanne Miller

In this podcast, Peter Feiler and Serban Gheorghe of Edgewater discuss their work on the Architecture Analysis and Design Language.

July 2014 - Conference Paper Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector

Topics: Insider Threat

Authors: Jeremy R. Strozer, Matthew L. Collins, Tracy Cassidy

In this paper, the authors provide documented research to advance the understanding of the unintentional insider threat (UIT) that results from phishing and other social engineering cases, specifically those involving malicious software (malware).

July 2014 - Technical Note Evaluation of the Applicability of HTML5 for Mobile Applications in Resource-Constrained Edge Environments

Topics: Pervasive Mobile Computing

Authors: Bryan Yan (Carnegie Mellon University – Institute for Software Research), Grace Lewis

This technical note presents an analysis of the feasibility of using HTML5 for developing mobile applications, for "edge" environments where resources and connectivity are uncertain, such as in battlefield or natural disaster situations.

July 2014 - Technical Note Agile Software Teams: How They Engage with Systems Engineering on DoD Acquisition Programs

Topics: Acquisition Support

Authors: Eileen Wrubel, Suzanne Miller, Mary Ann Lapham, Timothy A. Chick

This technical note addresses issues with Agile software teams engaging systems engineering functions in developing and acquiring software-reliant systems.

July 2014 - Webinar The Smart Grid Maturity Model Around the World

Topics: Smart Grid Maturity Model, Cyber Risk and Resilience Management

Authors: Jeffrey H. Ferris (IBM)

This webinar introduces the Smart Grid Maturity Model (SGMM), a management tool designed to help any utility, anywhere, plan its journey toward grid modernization, with no customization required.

July 2014 - Article Exploring a Mechanistic Approach to Experimentation in Computing

Topics: Science of Cybersecurity, Measurement and Analysis

Authors: Jonathan Spring

In this article, the authors describe the benefits of applying the mechanistic approach in philosophy of science to experimentation in computing.

June 2014 - Webinar When Measurement Benefits the Measured

Topics: Measurement and Analysis, TSP

Authors: Mark Kasunic, William Nichols

During this webinar, we shared the performance results of over 100 software teams that have carefully tracked their schedule performance and the quality of their work.

June 2014 - Technical Note Improving the Automated Detection and Analysis of Secure Coding Violations

Topics: Secure Coding

Authors: Daniel Plakosh, Robert C. Seacord, Robert W. Stoddard, David Svoboda, David Zubrow

This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.

June 2014 - Podcast Security and Wireless Emergency Alerts

Topics: Cybersecurity Engineering

Authors: Christopher Alberts, Carol Woody, Suzanne Miller

In this podcast Carol Woody and Christopher Alberts discuss guidelines that they developed to ensure that the WEA service remains robust and resilient against cyber attacks.

June 2014 - Conference Paper Toward Design Decisions to Enable Deployability: Empirical Study of Three Projects Reaching for the Continuous Delivery Holy Grail

Topics: Software Architecture

Authors: Stephany Bellomo, Neil Ernst, Robert Nord, Rick Kazman

This paper summarizes three project teams' deployability goals and the architectural decisions they made to enable deployability while practicing continuous delivery.

June 2014 - Webinar CERT® RMM User Panel Discussion: USPIS, DHS, DoE, SunGard, & Lockheed Martin

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management

Authors: Matthew J. Butkovic

Watch the CERT® RMM User Panel discuss their experiences implementing RMM from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar Department of Homeland Security Cyber Resilience Review (Case Study)

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management

Authors: Matthew J. Butkovic

Watch Matthew Butkovic discuss the "Department of Homeland Security Cyber Resilience Review (Case Study)" from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar United States Postal Inspection Service (USPIS)

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management

Authors: Julia H. Allen

Watch Julia Allen discuss the "United States Postal Inspection Service (USPIS) (Case Study)" from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar Recent Federal Policies Affecting the Cybersecurity and Resiliency Landscape

Topics: Cyber Risk and Resilience Management, Process Improvement, Risk and Opportunity Management

Authors: Nader Mehravari

Watch Nader Mehravari discuss "Recent Federal Policies Affecting the Cybersecurity and Resiliency Landscape" from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management, Smart Grid Maturity Model

Authors: James F. Stevens

Watch James Stevens discuss the "Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)" from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar Overview of the CERT® Resilience Management Model (CERT®-RMM)

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management

Authors: James J. Cebula

Watch James Cebula discuss the "Overview of the CERT® Resilience Management Model" from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar ABCs of Operational Resilience

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management

Authors: Nader Mehravari

Watch Nader Mehravari discuss the "ABCs of Operational Resilience" from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar Cybersecurity Update

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management

Authors: John Haller

Watch John Haller discuss the "Cybersecurity Update" from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Webinar Everything You Always Wanted to Know About Maturity Models

Topics: Cyber Risk and Resilience Management, Risk and Opportunity Management

Authors: Nader Mehravari

Watch Nader Mehravari discuss “Everything You Always Wanted to Know About Maturity Models” from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.

June 2014 - Podcast Safety and Behavior Specification Using the Architecture Analysis and Design Language

Topics: Software Architecture

Authors: Julien Delange, Suzanne Miller

Julien Delange discusses two extensions to the Architecture Analysis and Design Language: the behavior annex and the error-model annex.

June 2014 - Technical Note CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 2

Topics: Cyber Risk and Resilience Management

Authors: Kevin G. Partridge, Mary Popeck, Lisa R. Young

This update to Version 1 of this same title (CMU/SEI-2011-TN-028) maps CERT-RMM process areas to certain NIST 800-series special publications.

June 2014 - Special Report The Business Case for Systems Engineering: Comparison of Defense Domain and Non-defense Projects

Topics: Measurement and Analysis

Authors: Joseph P. Elm, Dennis Goldenson

This report analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness.

June 2014 - Conference Paper Architectural Dependency Analysis to Understand Rework Costs for Safety-Critical Systems

Topics: Software Architecture

Authors: Robert Nord, Ipek Ozkaya, Raghvinder Sangwan (Pennsylvania State University), Ronald Koontz (Boeing Company)

This paper describes the need for a thorough understanding and analysis of architectural dependencies to minimize the cost of testing and technology upgrades.

June 2014 - Technical Report Job Analysis Results for Malicious-Code Reverse Engineers: A Case Study

Topics: Risk and Opportunity Management, Cyber Risk and Resilience Management, Workforce Development, Malware Analysis, Science of Cybersecurity

Authors: Jennifer Cowley

This report describes individual and team factors that enable, encumber, or halt the development of malicious-code reverse engineering expertise.

May 2014 - Conference Paper Agile in Distress: Architecture to the Rescue

Topics: Software Architecture

Authors: Robert Nord, Ipek Ozkaya, Philippe Kruchten

For large-scale software-development endeavors, agility is enabled by architecture, and vice versa, and architecture supports high-priority business features.

May 2014 - Technical Note An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)

Topics: Incident Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee, Robin Ruefle, Mark Zajicek

The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.

May 2014 - Podcast Applying Agile in the DoD: Sixth Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Miller

In this podcast, Suzanne Miller and Mary Ann Lapham discuss the application of the sixth Agile principle in the Department of Defense.

May 2014 - Podcast Characterizing and Prioritizing Malicious Code

Topics: Malware Analysis

Authors: Jose A. Morales, Julia H. Allen

In this podcast, Jose Morales discusses how to prioritize malware samples, helping analysts to identify the most destructive malware to examine first.

May 2014 - Collection Insider Threat Certificate Programs

Topics: Insider Threat

Authors: CERT Insider Threat Center

These brochures summarize the CERT Insider Threat Center's three certificate programs: Program Manager, Vulnerability Assessor, and Program Evaluator.

May 2014 - Brochure Insider Threat Program Evaluator Certificate

Topics: Insider Threat

Authors: CERT Insider Threat Center

This brochure summarizes the CERT Insider Threat Center's Insider Threat Program Evaluator certificate program.

May 2014 - Brochure Insider Threat Vulnerability Assessor Certificate

Topics: Insider Threat

Authors: CERT Insider Threat Center

This brochure summarizes the CERT Insider Threat Center's Insider Threat Vulnerability Assessor certificate program.

May 2014 - Brochure Insider Threat Program Manager Certificate

Topics: Insider Threat

Authors: CERT Insider Threat Center

This brochure summarizes the CERT Insider Threat Center's Insider Threat Program Manager certificate program.

May 2014 - Technical Note A Taxonomy of Operational Cyber Security Risks Version 2

Topics: Insider Threat, Cybersecurity Engineering, Cyber Risk and Resilience Management

Authors: James J. Cebula, Mary Popeck, Lisa R. Young

This second version of the 2010 report presents a taxonomy of operational cyber security risks and harmonizes it with other risk and security activities.

May 2014 - Brochure Analyzing Timing of Multicore-Software Scheduling--A New Way that Makes It Simple

Authors: Bjorn Andersson

This brochure discusses the challenges of analyzing the timing of contention for resources in the memory system of multicore processors.

May 2014 - Podcast Using Quality Attributes to Improve Acquisition

Topics: Acquisition Support

Authors: Patrick Place, Suzanne Miller

In this podcast, Patrick Place describes research aimed at determining how acquisition quality attributes can be expressed and used to facilitate alignment among the software architecture and acquisition strategy.

May 2014 - Technical Note An Evaluation of A-SQUARE for COTS Acquisition

Topics: Cybersecurity Engineering

Authors: Sidhartha Mani, Nancy R. Mead

This technical note evaluates the effectiveness of Software Quality Requirements Engineering for Acquisition (A-SQUARE) in a project to select a COTS product for the advanced metering infrastructure of a smart grid.

May 2014 - Webinar Heartbleed: Analysis, Thoughts, and Actions

Topics: Network Situational Awareness, Secure Coding

Authors: Will Dormann, Robert Floodeen, Brent Kennedy, William Nichols, Jason McCormick, Robert C. Seacord

Panelists discussed the impact of Heartbleed, methods to mitigate the vulnerability, and ways to prevent crises like this in the future.

May 2014 - Technical Report Investigating Advanced Persistent Threat 1 (APT1)

Topics: Measurement and Analysis

Authors: Deana Shick, Angela Horneman

This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure.

May 2014 - White Paper Precise Static Analysis of Taint Flow for Android Application Sets

Topics: Secure Coding

Authors: Amar S. Bhosale (No Affiliation)

This thesis describes a static taint analysis for Android that combines the FlowDroid and Epicc analyses to track inter- and intra-component data flow.

May 2014 - Technical Report Data-Driven Software Assurance: A Research Study

Topics: Software Assurance, Performance and Dependability, Process Improvement, Measurement and Analysis

Authors: Michael D. Konrad, Art Manion, Andrew P. Moore, Julia L. Mullaney, William Nichols, Michael F. Orlando, Erin Harper

In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.

May 2014 - Article Distribution, Data, Deployment: Software Architecture Convergence in Big Data Systems

Topics: Software Architecture

Authors: Ian Gorton, John Klein

This paper describes the challenges of big data systems for software architects, including harmonizing designs across the software, data, and deployment architectures.

May 2014 - Presentation Transparency: An Architecture Principle for Socio-Technical Ecosystems

Authors: Felix Bachmann, Linda M. Northrop

Presentation at SATURN 2014. The authors report efforts to increase productivity in a collaboration environment by increasing transparency using automated support.

May 2014 - Presentation Understanding Reference Models and Reference Architectures

Authors: Chris Armstrong (Armstrong Process Group, Inc.)

Presentation at SATURN 2014. The speaker presents industry-standard best practices for using reference models for categorizing architecture content.

May 2014 - Presentation Engineering Velocity: Continuous Delivery at Netflix

Authors: Dianne Marsh (Netflix)

Presentation at SATURN 2014. This talk describes components of Netflix's continuous delivery platform (much of which is open source) and how Netflix tests resiliency.

May 2014 - Presentation The New Era of Integrated Software Delivery with DevOps

Authors: Sujatha Perepa (IBM)

Presentation at SATURN 2014. In the era of Big Data, cloud computing, and mobile technologies, we must embrace innovative methods of software delivery, such as DevOps.

May 2014 - Presentation Is Your Team Instrument Rated (Or: Deploying 89,000 Times a Day)

Authors: J. Paul Reed (Release Engineering Approaches)

Presentation at SATURN 2014. This talk examines a large operational system—the airspace system—as an analogy to implementing a DevOps culture in the software industry.

May 2014 - Presentation Software Architecture Community of Practice at Raytheon

Authors: Sunitha Vallabhaneni (Raytheon Intelligence), Douglas Dusseau (Raytheon), Keith Nolan (Raytheon)

Presentation at SATURN 2014. The presenters describe establishing a new training program and creating an environment in which software architecture communities of practice effectively form and flourish.

May 2014 - Presentation Combining Architectural Methods to Build a Reference Architecture for Ground Radar Monitoring Systems

Authors: Alejandro Bianchi (Liveware IS S.A.), Andres Diaz-Pace (UNICEN University), Leonardo Seminara (Liveware IS S.A.), Gustavo De Souza (INVAP S.E.)

Presentation at SATURN 2014. The presenters describe their experiences creating a Reference Software Architecture (RSA) for an Argentine R&D company in the domain of ground radar monitoring (GRM) systems.

May 2014 - Presentation Teaching Architecture Metamodel-First

Authors: George Fairbanks (Google)

Presentation at SATURN 2014. The presenter describes a novel approach to teaching software architecture based on metamodels.

May 2014 - Presentation Metrics for Simplifying and Standardizing Enterprise Architecture: An Experience Report for an Oil and Gas Organization

Authors: Alexis Ocampo (Ecopetrol), Jens Heidrich (Fraunhofer Center for Experimental Software Engineering), V. Basili (University of Maryland)

Presentation at SATURN 2014. The presenters describe the Software Product Quality Model developed for Ecopetrol and its application and visualization on real software systems in Ecopetrol's enterprise architecture.

May 2014 - Presentation Expanding Legacy Systems Using Model-Driven Engineering (MDE)

Authors: William Smith (Northrop Grumman), Kevin Nguyen (Northrop Grumman)

Presentation at SATURN 2014. The presenters discuss managing technical debt while expanding the capabilities of an existing system, using MDE to reflect the combined architecture of legacy and new systems, and share their experience, pitfalls, and results.

May 2014 - Presentation The Costing View of Architecture

Authors: Eltjo Poort (CGI)

Presentation at SATURN 2014. The Delivery Breakdown View helps architects address important cost-related concerns and communicate the resolution of these concerns to stakeholders.

May 2014 - Presentation Software Architecture in the Presales Process

Authors: Humberto Cervantes (Universidad Autonoma Metropolitana-Iztapalapa)

Presentation at SATURN 2014. Architecture practices provide great value in the presales process.

May 2014 - Presentation BI/Big Data Reference Architectures and Case Studies

Authors: Serhiy Haziyev (SoftServe, Inc.), Olha Hrytsay (SoftServe, Inc.)

Presentation at SATURN 2014. Presenters explore reference architectures that address the challenges of Big Data.

May 2014 - Presentation Past, Present, and Future of APIs for Mobile and Web Apps

Authors: Ole Lensmar (SmartBear Software)

Presentation at SATURN 2014. The presenter describes technology trends in APIs and advises on technology and implementation choices for providers and consumers.

May 2014 - Presentation Integrating Enterprise Architecture

Authors: Voytek Janisz (Progressive Insurance)

Presentation at SATURN 2014. This presentation presents a practical approach to implementing integrated enterprise architecture at a large organization. Specific tools, frameworks, and languages serve only as a context for this experience-based story.

May 2014 - Presentation Impact of Architecture on Continuous Delivery

Authors: Russell Miller (SunView Software, Inc.)

Presentation at SATURN 2014. The speaker has been leading the construction of a SaaS application. This presentation highlights key lessons learned.

May 2014 - Presentation What Happens When You Break All the Rules?

Authors: Harald Wesenberg (Statoil ASA), Jorn Olmheim (Statoil), Einar Landre (Statoil ASA)

Presentation at SATURN 2014. Presenters address some questions facing software architects and use project experience to illustrate learnings.

May 2014 - Presentation Archinotes: A Global Agile Architecture Design Tool

Authors: Juan Urrego (Universidad de los Andes), Dario Correal (Universidad de los Andes)

Presentation at SATURN 2014. The presenters demonstrate the main features of Archinotes and present its main benefits for an organization with geographically dispersed teams.

May 2014 - Presentation Approaching Security from an "Architecture First" Perspective

Authors: Rick Kazman, Jungwoo Ryoo (Pennsylvania State University), Humberto Cervantes (Universidad Autonoma Metropolitana-Iztapalapa)

Presentation at SATURN 2014. The results of our case studies indicate that a strategic, system-wide, architectural approach to security, implemented through the partial or full adoption of security frameworks, results in the best outcome.

May 2014 - Presentation Under N: Acceptance to Delivery in N Hours (SATURN 2014)

Authors: Umashankar Velusamy (Verizon Communications, Inc.)

Presentation at SATURN 2014. The presenter discusses the Under-N methodology, a framework to uncover hidden capabilities within IT applications and IT application teams.

May 2014 - Presentation Service Variability in Multi-Tenant Engineering: A Systematic Literature Review on the State of Practice, Limitations, and Prospects

Authors: Ouh Eng Lieh (National University of Singapore)

Presentation at SATURN 2014. Presenters discuss how choices regarding service architecture affect service variability and the cost of supporting a service, as well as positive and negative impacts of architectural choices on service variability.

May 2014 - Presentation Identifying and Protecting Architecturally Significant Code

Authors: Mehdi Mirakhorli (DePaul University), Jane Cleland-Huang (DePaul University)

Presentation at SATURN 2014. This talk demonstrates how software-development organizations can utilize Archie to integrate architecture awareness into their developers' daily programming and testing activities.

May 2014 - Presentation How to Incorporate Software Architecture into Your Business Model

Authors: Tim Kertis (Raytheon)

Presentation at SATURN 2014. The presenter provides an overview of experiences and lessons learned as Raytheon, a technology leader and the fourth-largest defense contractor in the world, takes on the challenge of incorporating software architecture into its business model.

May 2014 - Presentation Facilitating the Mini-Quality Attributes Workshop

Authors: Will Chaparro (IBM), Michael Keeling (Vivisimo)

Presentation at SATURN 2014. Presenters describe the mini-QAW, provide concrete examples, and share advice for facilitating workshops based on our experiences conducting mini-QAWs.

May 2014 - Presentation Creating a Sustainable Architecture Organization

Authors: William Beshilas (PwC)

Presentation at SATURN 2014. Presenter discusses a framework that can assess how well an architecture organization understands its environment and determine if it is meeting the needs of the organization.

May 2014 - Presentation Sink or Swim: Enhancing Pipe-and-Filter Diagrams

Authors: Ivan Gevirtz (Google)

Presentation at SATURN 2014. The presenter discusses "Sink or Swim," a specialization of the pipe-and-filter architectural style.

May 2014 - Presentation Experience of Combining QAW and Social Listening for Better Architecture

Authors: Seung Ho Nam (Samsung Korea)

Presentation at SATURN 2014. The authors involve customers in Quality Attribute Workshops by building a data analysis system for a social network service.

May 2014 - Book Chapter Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this book chapter, the authors discuss modern principles of software assurance and identify a number of relevant process models, frameworks, and best practices.

May 2014 - Presentation For Maximum Awesome

Authors: Joe Justice (Scrum, Inc., & Team Wikispeed)

This SATURN 2014 presenter explains how Wikispeed's 100-MPG car was built in three months through object-oriented design and Agile project management.

May 2014 - Conference Paper Android Taint Flow Analysis for App Sets

Topics: Secure Coding

Authors: Will Klieber, Lori Flynn, Amar S. Bhosale (Carnegie Mellon Heinz School), Limin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering), Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering)

This paper describes a new static taint flow analysis that precisely tracks both inter-component and intra-component data flow in a set of Android applications.

April 2014 - White Paper ALTernatives to Signatures (ALTS)

Topics: Network Situational Awareness

Authors: George Jones, John Stogoski

This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.

April 2014 - Podcast Best Practices for Trust in the Wireless Emergency Alerts Service

Topics: Pervasive Mobile Computing

Authors: Robert Ellison, Carol Woody, Suzanne Miller

In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that they receive.

April 2014 - Technical Note Potential Use of Agile Methods in Selected DoD Acquisitions: Requirements Development and Management

Topics: Acquisition Support

Authors: Kenneth Nidiffer, Suzanne Miller, David J. Carney

This report explores issues that practitioners who are actively adopting Agile methods identified, in interviews with the authors, about their experience defining and managing requirements.

April 2014 - White Paper The Readiness & Fit Analysis: Is Your Organization Ready for Agile?

Topics: Acquisition Support

Authors: Suzanne Miller

This paper summarizes the Readiness & Fit Analysis and describes its extension to support risk identification for organizations that are adopting agile methods.

April 2014 - Article Secure Coding in C and C++: Strings and Buffer Overflows

Topics: Secure Coding

Authors: Robert C. Seacord

In this sample chapter, Robert Seacord discusses mitigation strategies that can be used to help eliminate vulnerabilities resulting from buffer overflows.
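The chapter above discusses mitigations for string-handling overflows. The following C example is added here to illustrate that point; it is not code from the chapter or from the CERT C Coding Standard. It places an unbounded `strcpy` into a fixed-size stack buffer beside a bounded replacement that never reads or writes past the buffer and rejects oversized input instead of silently truncating it. The buffer size, function names, and inputs are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination; any value would do for the example. */
#define NAME_MAX_LEN 16

/* 'Before': unbounded copy. The caller controls the length of src, so any
 * src of NAME_MAX_LEN characters or more (plus the terminating NUL) writes
 * past the end of dst. Shown for contrast only; never call it on untrusted
 * input. */
void copy_name_unbounded(char dst[NAME_MAX_LEN], const char *src)
{
    strcpy(dst, src);   /* no bound: classic stack buffer overflow */
}

/* 'After': a copy that cannot overrun dst and cannot read past
 * NAME_MAX_LEN bytes of src even if src is not NUL-terminated.
 * Returns true if src fit (dst holds a copy), false if it was rejected
 * (dst holds the empty string). */
bool copy_name_bounded(char dst[NAME_MAX_LEN], const char *src)
{
    /* Look for the NUL only within the first NAME_MAX_LEN bytes of src. */
    const char *nul = memchr(src, '\0', NAME_MAX_LEN);
    if (nul == NULL) {
        /* No terminator within NAME_MAX_LEN bytes: the string is at least
         * NAME_MAX_LEN characters long and cannot fit with its NUL. Reject
         * explicitly rather than silently clipping the data. */
        dst[0] = '\0';
        return false;
    }
    size_t len = (size_t)(nul - src);     /* len <= NAME_MAX_LEN - 1 */
    memcpy(dst, src, len + 1);            /* copies the NUL; fits by construction */
    return true;
}

/* Driver for the bounded routine: copies src into a local buffer and returns
 * the resulting string length, or -1 if the input was rejected. */
int bounded_copy_result(const char *src)
{
    char buf[NAME_MAX_LEN];
    if (!copy_name_bounded(buf, src))
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly at the limit, one over. */
    const char *inputs[] = { "alice", "0123456789abcde", "0123456789abcdef" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> %d\n", inputs[i], bounded_copy_result(inputs[i]));
    return 0;
}
```

The `memchr` bound is what makes the safe version safe against both directions of overrun: it never reads beyond `NAME_MAX_LEN` bytes of the source, and the copy length it derives is provably smaller than the destination. Rejecting rather than truncating is a deliberate choice; truncation can itself change the meaning of input such as paths or user names.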

April 2014 - Article Accessing Shared Atomic Objects from within a Signal Handler in C

Topics: Secure Coding

Authors: Robert C. Seacord

In this article, Robert Seacord describes how to safely access shared objects from a signal handler.
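As an added illustration of the point above (this is example code written for this listing, not code from the article), the block below shows the two kinds of object a C11 signal handler may safely write, a `volatile sig_atomic_t` flag and a lock-free atomic counter, and checks lock-freedom before relying on the atomic. A plain non-atomic counter is shown for contrast but never installed. The signal choice, function names, and the use of POSIX `sigaction` for reliable handler installation are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

/* C11 (5.1.2.3) permits a signal handler to write only to
 *   (a) objects of type volatile sig_atomic_t, and
 *   (b) lock-free atomic objects.
 * Writing any other shared object from a handler is undefined behaviour. */
static volatile sig_atomic_t got_signal = 0;   /* (a) simple flag            */
static atomic_int event_count = 0;             /* (b) counter, if lock-free  */

/* For contrast only, never installed: a plain (non-atomic) object updated
 * from a handler is exactly the defect the article warns against. */
long long plain_counter = 0;
void unsafe_handler(int sig)
{
    (void)sig;
    plain_counter++;   /* undefined behaviour if the main program also uses it */
}

static void safe_handler(int sig)
{
    (void)sig;
    got_signal = 1;                      /* permitted: volatile sig_atomic_t */
    atomic_fetch_add(&event_count, 1);   /* permitted only because the caller
                                            verified the object is lock-free */
    /* No printf, malloc, or other non-async-signal-safe calls here. */
}

/* Installs safe_handler for SIGUSR1, raises the signal n times synchronously
 * and returns the count the handler recorded. Returns -1 if the atomic is
 * not lock-free on this target (a locking atomic could deadlock in a
 * handler) or if the handler cannot be installed. */
int deliver_and_count(int n)
{
    if (!atomic_is_lock_free(&event_count))
        return -1;
    got_signal = 0;
    atomic_store(&event_count, 0);

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;

    for (int i = 0; i < n; i++)
        raise(SIGUSR1);   /* raise() returns only after the handler has run */

    return got_signal ? atomic_load(&event_count) : 0;
}

int main(void)
{
    printf("handler ran %d times\n", deliver_and_count(3));
    return 0;
}
```

The `atomic_is_lock_free` check is the part practitioners most often omit: `atomic_int` is lock-free on mainstream targets, but the standard only guarantees that for `atomic_flag`, so code meant to be portable must test the object it actually uses before touching it from a handler.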

April 2014 - Book The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition

Topics: Secure Coding

Authors: Robert C. Seacord

In this book, Robert Seacord provides rules to help programmers ensure that their code complies with the new C11 standard and earlier standards, including C99.

April 2014 - Article Secure Coding in C and C++: An Interview with Robert Seacord

Topics: Secure Coding

Authors: Robert C. Seacord, Danny Kalev (No Affiliation)

In this article, Danny Kalev talks to Robert Seacord about the new edition of his book, dangerous features in C11, and advice for making your code more secure.

April 2014 - Technical Report International Implementation of Best Practices for Mitigating Insider Threat: Analyses for India and Germany

Topics: Insider Threat

Authors: Lori Flynn, Carly L. Huth, Palma Buttles-Valdez, Michael C. Theis, George Silowash, Tracy Cassidy, Travis Wright (Carnegie Mellon University, Master of Science in Information Security Policy and Management Program), Randall F. Trzeciak

This report analyzes insider threat mitigation in India and Germany, using the new framework for international cybersecurity analysis described in the paper titled “Best Practices Against Insider Threats in All Nations.”

April 2014 - Conference Paper Bounding Memory Interference Delay in COTS-Based Multicore Systems

Authors: Hyoseung Kim (Carnegie Mellon University), Dionisio de Niz, Bjorn Andersson, Mark H. Klein, Onur Mutlu, Ragunathan Rajkumar

This conference paper was presented at the 20th IEEE Real-Time and Embedded Technology and Application Symposium (RTAS 2014).

April 2014 - Book Introduction to Information Security: A Strategic-Based Approach

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall, Jonathan Spring

The authors provide a strategy-based introduction to providing defenses as a basis for engineering and risk-management decisions in the defense of information.

April 2014 - Conference Paper Modeling Malicious Domain Name Take-Down Dynamics: Why eCrime Pays

Topics: Network Situational Awareness

Authors: Jonathan Spring

In this paper, Jonathan Spring derives an ad hoc model of the competition for domain names by criminals and defenders using a modification of Lanchester's equations for combat.

April 2014 - Conference Paper On Developing User Interfaces for Piloting Unmanned Systems

Topics: Pervasive Mobile Computing

Authors: James Edmondson, Gene Cahill, Anthony Rowe (Carnegie Mellon University)

This paper was first published in the proceedings of the International Workshop on Robotic Sensor Networks in April 2014.

April 2014 - Podcast Three Variations on the V Model for System and Software Testing

Topics: Acquisition Support

Authors: Don Firesmith, Suzanne Miller

In this podcast, Don Firesmith presents three variations on the V model of software or system development.

April 2014 - Presentation Why Can’t Johnny Program Securely?

Topics: Secure Coding

Authors: Robert C. Seacord

In this presentation, given at InfoSec World 2014 in April 2014, Robert Seacord discusses the challenges of coding software securely and how standards can help.

April 2014 - Brochure Advanced Mobile Systems Initiative 2014

Topics: Pervasive Mobile Computing

Authors: Edwin J. Morris, Joseph P. Elm

This brochure describes how the AMS initiative supports the mobile communication and mobile-computing needs of edge users.

April 2014 - Presentation Towards Quantitative Metrics for Architecture Models

Authors: Stephan Sehestedt (ABB Corporate Research), Chih-Hong Cheng (ABB Corporate Research), Eric Bouwers (Software Improvement Group, Amsterdam)

This presentation was part of the First International Workshop on Software Architecture Metrics, held at the 11th Working IEEE/IFIP Conference on Software Architecture.

April 2014 - Presentation On the Challenges in Extracting Metrics from Java Bytecode

Authors: Jean-Guy Schneider (Swinburne University of Technology, Australia)

This presentation was part of the First International Workshop on Software Architecture Metrics, held at the 11th Working IEEE/IFIP Conference on Software Architecture.

April 2014 - Presentation Empirical Evaluation of the Understandability of Architectural Component Diagrams

Authors: Srdjan Stevanetic (University of Vienna, Austria), Muhammad A. Javed (University of Vienna, Austria), Uwe Zdun (University of Vienna, Austria)

This presentation was part of the First International Workshop on Software Architecture Metrics, held at the 11th Working IEEE/IFIP Conference on Software Architecture.

April 2014 - Presentation Metrics for Sustainable Software Architectures: An Industry Perspective

Authors: Aldo Dagnino (ABB Corporate Research), Will Snipes (ABB Corporate Research), Eric Harper (ABB Corporate Research)

This presentation was part of the First International Workshop on Software Architecture Metrics, held at the 11th Working IEEE/IFIP Conference on Software Architecture.

April 2014 - Presentation Welcome to SAM 2014

Topics: Software Architecture

Authors: Paris Avgeriou (University of Groningen, The Netherlands), Heiko Koziolek, Robert Nord, Ipek Ozkaya

This presentation was part of the First International Workshop on Software Architecture Metrics, held at the 11th Working IEEE/IFIP Conference on Software Architecture.

March 2014 - Article Technical Debt at the Crossroads of Research and Practice: Report on the Fifth International Workshop on Managing Technical Debt

Authors: Davide Falessi (Fraunhofer Center for Experimental Software Engineering), Philippe Kruchten, Robert Nord, Ipek Ozkaya

This article reports on the Fifth International Workshop on Managing Technical Debt, where participants shared emerging practices used in software development organizations.

March 2014 - Special Report Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators

Topics: Cybersecurity Engineering

Authors: The WEA Project Team

In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.

March 2014 - Podcast Adapting the PSP to Incorporate Verified Design by Contract

Topics: TSP

Authors: William Nichols, Suzanne Miller

In this podcast, Bill Nichols discusses a proposal for integrating the Verified Design by Contract method into PSP to reduce the number of defects present at the unit-testing phase, while preserving or improving productivity.

March 2014 - Article Preface to The CERT C Coding Standard, second edition

Topics: Secure Coding

Authors: Robert C. Seacord

In this preface, Robert Seacord introduces his book The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems.

March 2014 - News New Podcast Released: Comparing IT Risk Assessment and Analysis Methods

Topics: Cyber Risk and Resilience Management

Authors: Ben Tomhave, Erik Heidt, Julia H. Allen

In this podcast, the presenters discuss IT risk assessment and analysis, and comparison factors for selecting methods that are a good fit for your organization.

March 2014 - Podcast Comparing IT Risk Assessment and Analysis Methods

Topics: Cyber Risk and Resilience Management

Authors: Ben Tomhave, Erik Heidt, Julia H. Allen

In this podcast, the presenters discuss IT risk assessment and analysis, and comparison factors for selecting methods that are a good fit for your organization.

March 2014 - Presentation Modeling Sustainment Dynamics

Topics: Measurement and Analysis

Authors: Sarah Sheard, Andrew P. Moore, Robert Ferguson

This presentation overviews a systems dynamics simulation model that describes influences of multiple variables on the sustainment phase of a system.

March 2014 - Podcast AADL and Aerospace

Topics: Software Architecture

Authors: Myron Hecht (The Aerospace Corporation), Peter Feiler, Suzanne Miller

In this podcast, Peter Feiler and Myron Hecht discuss the use of AADL by the Aerospace Corporation.

March 2014 - Webinar Why Should Government Care about Technical Debt and Software Architecture?

Topics: Software Architecture

Authors: Ipek Ozkaya

Watch Ipek Ozkaya discuss “Why Should Government Care about Technical Debt and Software Architecture?” at the Agile for Government Summit.

March 2014 - Webinar Taking Advantage of Agile while Minimizing Risk

Topics: Process Improvement, Acquisition Support

Authors: David Zubrow

Watch Dave Zubrow discuss “Taking Advantage of Agile while Minimizing Risk” at the Agile for Government Summit.

March 2014 - Poster Cyber Engineering Solutions Group: How We Create Innovative Solutions for People

Topics: Digital Intelligence and Investigation, Cybersecurity Engineering

Authors: Barbora Batokova, Hasan Yasar

With the increasing number of projects and the expansion of our team, we needed to capture our internal process and expertise so that we could effectively communicate our approach to new team members, the larger organization and our customers.

February 2014 - Special Report Maximizing Trust in the Wireless Emergency Alerts (WEA) Service

Topics: Measurement and Analysis

Authors: Carol Woody, Robert J. Ellison

This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert originators' and the public's trust in WEA.

February 2014 - Podcast Assuring Open Source Software

Topics: Software Assurance

Authors: Kathryn Ambrose-Sereno, Naomi Anderson, Suzanne Miller

In this podcast, Kate Ambrose Sereno and Naomi Anderson discuss research aimed at developing adoptable, evidence-based, data-driven approaches to evaluating (open source) software.

February 2014 - Special Report Wireless Emergency Alerts: Trust Model Simulations

Topics: Measurement and Analysis

Authors: Timothy Morrow, Robert W. Stoddard, Joseph P. Elm

This report presents four types of simulations run on the public trust model and the alert originator trust model developed for the Wireless Emergency Alerts (WEA) service, focusing on how to increase both alert originators' and the public's trust in WEA.

February 2014 - Special Report Wireless Emergency Alerts: Trust Model Technical Report

Topics: Measurement and Analysis

Authors: Robert W. Stoddard, Joseph P. Elm, James McCurley, Sarah Sheard, Tamara Marshall-Keim

This report describes a trust model to enable the Federal Emergency Management Agency to maximize the effectiveness of the Wireless Emergency Alerts (WEA) service and provides guidance for alert originators in using WEA to maximize public safety.

February 2014 - Special Report Commercial Mobile Alert Service (CMAS) Scenarios

Topics: Software Architecture

Authors: The WEA Project Team

This report provides operational and development mission threads to help emergency alert originators analyze scenarios that will aid them in adopting and integrating the Commercial Mobile Alert Service (CMAS) into their emergency management systems.

February 2014 - Technical Report Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy

Topics: Software Architecture

Authors: The WEA Project Team

This report presents the Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy, a hierarchical classification that encompasses four elements of the alerting pipeline, to help stakeholders understand and reason about required CMAS operations.

February 2014 - Special Report Wireless Emergency Alerts: New York City Demonstration

Authors: Elizabeth Trocki Stark (SRA International, Inc.), Jennifer Lavan (SRA International, Inc.), Tamara Marshall-Keim, Joseph P. Elm

This report describes the adoption of the Wireless Emergency Alerts (WEA) service by the New York City Office of Emergency Management. As the first alert originator to adopt WEA, its experiences provide lessons learned for other emergency managers.

February 2014 - Special Report Best Practices in Wireless Emergency Alerts

Topics: Cyber Risk and Resilience Management

Authors: John McGregor, Joseph P. Elm, Elizabeth Trocki Stark (SRA International, Inc.), Jennifer Lavan (SRA International, Inc.), Rita C. Creel, Christopher J. Alberts, Carol Woody, Robert J. Ellison, Tamara Marshall-Keim

This report presents four best practices for the Wireless Emergency Alerts (WEA) service, including implementing WEA in a local jurisdiction, training emergency staff in using WEA, cross-jurisdictional governance of WEA, and cybersecurity risk management.

February 2014 - Special Report Study of Integration Strategy Considerations for Wireless Emergency Alerts

Topics: Software Architecture

Authors: The WEA Project Team

This report identifies key challenges and offers recommendations for alert originators navigating the process of adopting and integrating the Wireless Emergency Alerts (WEA) service into their emergency management systems.

February 2014 - Article Modeling Software Sustainment

Authors: Robert Ferguson, Mike Phillips, Sarah Sheard

This paper describes research to develop a model that shows the results of investment decisions, allowing decision makers to make adjustments before problems occur.

February 2014 - Podcast Security Pattern Assurance through Roundtrip Engineering

Topics: Software Architecture

Authors: Rick Kazman, Suzanne Miller

In this podcast, Rick Kazman discusses these challenges and a solution he has developed for achieving system security qualities through use of patterns.

February 2014 - Presentation SCADA Resilience via Autonomous Cyber-Physical Agents

Topics: Cyber-Physical Systems

Authors: Joseph Giampapa, Gabriela Hug-Glanzmann, Soummya Kar

Slide presentation for the Ninth Annual Carnegie Mellon Conference on the Electricity Industry.

February 2014 - Technical Note Results in Relating Quality Attributes to Acquisition Strategies

Topics: Acquisition Support

Authors: Lisa Brownsword, Cecilia Albert, David J. Carney, Patrick R. Place

This technical note describes the second phase of a study that focuses on the relationships between software architecture and acquisition strategy -- more specifically, their alignment or misalignment.

February 2014 - Article How to Agilely Architect an Agile Architecture

Topics: Software Architecture

Authors: Stephany Bellomo, Philippe Kruchten, Robert Nord, Ipek Ozkaya

In this article, we present lessons learned about the characteristics of an Agile architecture that enabled an organization to develop its architecture in an Agile manner and continue to rapidly deliver features when more stringent quality attribute requi

January 2014 - Podcast Applying Agile in the DoD: Fifth Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Miller

In this episode, the fifth in a series, Suzanne Miller and Mary Ann Lapham discuss the application of the fifth principle, Build projects around motivated individuals.

January 2014 - Technical Note Agile Metrics: Progress Monitoring of Agile Contractors

Authors: Will Hayes, Suzanne Miller, Mary Ann Lapham, Eileen Wrubel, Timothy A. Chick

This technical note offers a reference for those working to oversee software development on the acquisition of major systems from developers using Agile methods.

January 2014 - Technical Note Agile Methods and Request for Change (RFC): Observations from DoD Acquisition Programs

Authors: Mary Ann Lapham, Michael S. Bandor, Eileen Wrubel

This technical note looks at the evaluation and negotiation of technical proposals that reflect iterative development approaches that in turn leverage Agile methods.

January 2014 - Technical Note Unintentional Insider Threats: Social Engineering

Topics: Insider Threat

Authors: CERT Insider Threat Center

In this report, the authors explore the unintentional insider threat (UIT) that derives from social engineering.

January 2014 - Technical Note A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure

Topics: Cyber Risk and Resilience Management

Authors: Greg Crabb (United States Postal Service), Julia H. Allen, Pamela D. Curtis, Nader Mehravari

In this report, the authors describe a method of identifying physical security gaps in international mail processing centers and similar facilities.

January 2014 - Brochure CMU-SEI Edge-Enabled Tactical Systems

Authors: William Anderson

This poster describes how, in the case of warfighter ambush, sensors and cloudlets serve to locate the attackers, suppress the ambush, and enable medical and fire support.

January 2014 - Poster Designing SCADA Systems for the Self-Verifiability of Their Security and Survivability

Topics: Cyber-Physical Systems

Authors: Joseph Giampapa

This poster describes a cyber-physical and agent-based approach to detecting and recovering from a false data injection attack on a power grid supervisory control and data acquisition (SCADA) system.

January 2014 - Podcast Software Assurance Cases

Topics: Software Assurance

Authors: Charles (Chuck) Weinstock, Suzanne Miller

In this podcast, Charles Weinstock introduces assurance cases and how they can be used to assure safety, security, and reliability.

January 2014 - Brochure Edge Analytics--Real-time Analysis of Social Media

Topics: Pervasive Mobile Computing

Authors: William Anderson, Jeff Boleng

This poster illustrates how edge analytics can enable first responders to monitor open source social media in real time to enhance public safety.

January 2014 - Presentation Stucco: Situation and Threat Understanding by Correlating Contextual Observations

Topics: Network Situational Awareness

Authors: John Gerth (Stanford University), John Goodall (Secure Decisions)

This 2014 presentation shows how Stucco puts security events in context and shows how threats relate to a cyber security analyst's environment.

January 2014 - Presentation Network Security Monitoring with IPFIX and Bro

Topics: Network Situational Awareness

Authors: Randy Caldejon (No Affiliation)

In this presentation, Randy Caldejon discusses whether it's possible to create a framework for producing actionable intelligence with YAF and Bro.

January 2014 - Presentation Quilt: A System for Distributed Temporal Queries of Security Relevant Heterogeneous Data

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall, George Jones

In this presentation, Tim Shimeall and George Jones describe Quilt, a distributed data query engine that allows for a broad range of data and that supports temporal relationships.

January 2014 - Presentation Analyzing Large Flow Data Sets Using Modern Open-Source Data Search and Visualization Tools

Topics: Network Situational Awareness

Authors: Max Putas (No Affiliation)

In this presentation, Max Putas describes using common and open source tools to perform flow data analysis.

January 2014 - Presentation Network Flows, Past, Present and Future

Topics: Network Situational Awareness

Authors: Carter Bullard (QuSient LLC)

In this presentation, Carter Bullard discusses the history and future plans for network flow concepts.

January 2014 - Presentation Advanced SiLK Analysis

Topics: Network Situational Awareness

Authors: Geoffrey T. Sanders, Timothy J. Shimeall

In this presentation, Geoff Sanders and Tim Shimeall provide analysts with knowledge and skills to create, display, and use prefix maps.

January 2014 - Presentation Network Analysis with SiLK

Topics: Network Situational Awareness

Authors: Ron Bandes

In this presentation, Ron Bandes provides an introduction to SiLK, a collection of traffic analysis tools.

January 2014 - Poster The Routing Table Tool Suite (RT-Tools): Mapping the Internet One Route at a Time or All Routes at One Time

Topics: Network Situational Awareness

Authors: Timur D. Snoke

This poster describes the Routing Table Tool Suite (RT-Tools), which displays AS network traffic based on the path analysis of aggregate routing tables.

January 2014 - Poster Finding Malicious Domains Using Shadow Server Reports

Topics: Network Situational Awareness

Authors: Brian Allen (US-CERT)

This poster, presented at FloCon 2014, discusses how to identify malicious domains using shadow server reports.

January 2014 - Poster The Rayon Tools: Visualization at the Command Line

Topics: Network Situational Awareness

Authors: Phil Groce

This poster, presented at FloCon 2014, shows how a Rayon visualization works well with the workflow model of UNIX and the shell.

January 2014 - Poster Visualization of Network Flow Data

Topics: Network Situational Awareness

Authors: Paul Krystosek

This poster, presented at FloCon 2014, introduces descriptive, retrospective analysis, and exploratory methods for visualizing data.

January 2014 - Poster A New Visualization for IPv4 Space

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf

This poster was presented at FloCon 2014, a network security conference that took place in Charleston, South Carolina, in January 2014.

January 2014 - Presentation Setting up a Network Flow Sensor for $100

Topics: Network Situational Awareness

Authors: Ron Bandes, John Badertscher, Dwight S. Beaver

This 2014 presentation describes how to build a network flow sensor using a PogoPlug server and ethernet adapter, a switch as a network tap, and a 16 GB flash drive.

January 2014 - Presentation Passive DNS Collection and Analysis - The "dnstap" Approach

Topics: Network Situational Awareness

Authors: Dr. Paul Vixie

In this 2014 keynote presentation from FloCon 2014, Dr. Paul Vixie discusses passive DNS monitoring and DNS tap, and demonstrates SIE and DNSDB.

January 2014 - Presentation 10 Years of FloCon

Topics: Network Situational Awareness

Authors: George Warnagiris

In this presentation, George Warnagiris summarizes key events and discussions from the past 10 FloCon events.

January 2014 - Poster Bandwidth and End-to-End Delay Analysis of IP and End System Multicast (ESM)

Topics: Network Situational Awareness

This poster describes the process to develop models for formalizing the end-to-end delay and the bandwidth efficiency of ESM and IP multicast systems.

January 2014 - Presentation Network Flow Metadata: Very Large Scale Processing with Argus

Topics: Network Situational Awareness

Authors: Carter Bullard (QuSient LLC)

In this presentation, Carter Bullard defines network flow metadata and describes metadata support in Argus.

January 2014 - Presentation Passive Detection of Misbehaving Name Servers

Topics: Network Situational Awareness

Authors: Jonathan Spring, Leigh B. Metcalf

In this presentation, the authors discuss name servers that exhibit IP address flux, a behavior that falls outside the prescribed parameters.

January 2014 - Presentation Analyzing Flow Using Encounter Complexes

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf

In this presentation, Leigh Metcalf discusses network flow clustering and the use of encounter traces to form encounter complexes.

January 2014 - Presentation PCR - A Flow Metric for the Producer/Consumer Relationship

Topics: Network Situational Awareness

Authors: Carter Bullard (QuSient LLC), John Gerth (Stanford University)

In this presentation, Carter Bullard and John Gerth discuss data exfiltration and detection methods.
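
The producer/consumer ratio named in the title, worked through as an added example (this is not code from the presentation). PCR is commonly defined per host as (bytes sent - bytes received) / (bytes sent + bytes received), so it runs from -1 for a pure consumer to +1 for a pure producer; a workstation that suddenly scores near +1 is the exfiltration signal. The flow records, the 0.5 threshold and the 1 MB volume floor below are constructed assumptions.

```python
"""Producer/Consumer Ratio (PCR) per host from flow records.

Added example (not code from the presentation); flow records, the 0.5 threshold
and the 1 MB volume floor are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that initiated the flow
    dst: str        # external peer
    bytes_out: int  # application-layer bytes sent by src
    bytes_in: int   # application-layer bytes received by src


def pcr(bytes_out: int, bytes_in: int) -> float:
    """PCR = (out - in) / (out + in).

    +1.0 is a pure producer (only pushes data out), -1.0 a pure consumer
    (only pulls data in), 0.0 balanced traffic or no payload at all.
    """
    total = bytes_out + bytes_in
    if total == 0:
        return 0.0
    return (bytes_out - bytes_in) / total


def host_totals(flows: List[Flow]) -> Dict[str, Tuple[int, int]]:
    """Sum (bytes_out, bytes_in) over all flows started by each host."""
    totals: Dict[str, Tuple[int, int]] = {}
    for f in flows:
        out_sum, in_sum = totals.get(f.src, (0, 0))
        totals[f.src] = (out_sum + f.bytes_out, in_sum + f.bytes_in)
    return totals


def host_pcr(flows: List[Flow]) -> Dict[str, float]:
    """One PCR per host, computed over the host's aggregate byte counts."""
    return {h: pcr(o, i) for h, (o, i) in host_totals(flows).items()}


def suspicious_producers(flows: List[Flow], threshold: float = 0.5,
                         min_bytes_out: int = 1_000_000) -> List[str]:
    """Hosts that look like producers AND moved a meaningful volume.

    A workstation should mostly consume, but a high PCR alone is noisy (a host
    that sent 300 bytes and got 40 back also scores 0.76), so a volume floor
    is applied before anything is raised for analyst review.
    """
    totals = host_totals(flows)
    return sorted(h for h, (o, i) in totals.items()
                  if pcr(o, i) >= threshold and o >= min_bytes_out)


# Constructed flow records (documentation IP ranges), not real traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.80", 2_000, 150_000),        # web browsing
    Flow("10.0.0.5", "192.0.2.80", 500, 30_000),
    Flow("10.0.0.9", "203.0.113.77", 52_000_000, 1_000),   # 52 MB pushed out
    Flow("10.0.0.11", "198.51.100.20", 4_000, 4_200),      # chat, balanced
    Flow("10.0.0.11", "198.51.100.20", 0, 0),              # handshake only
    Flow("10.0.0.13", "203.0.113.5", 300, 40),             # tiny, high PCR
]

if __name__ == "__main__":
    for host, value in sorted(host_pcr(SAMPLE_FLOWS).items()):
        print(f"{host:12s} PCR={value:+.3f}")
    print("review:", suspicious_producers(SAMPLE_FLOWS))
```

Aggregating per host before computing the ratio matters: a single large download and a single large upload cancel each other in a per-flow average, but the host-level byte totals still reveal which direction dominates.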

January 2014 - Presentation Analysis of Some Time-Series Metrics for Network Monitoring

Topics: Network Situational Awareness

Authors: Soumyo D. Moitra

In this presentation, Soumyo Moitra presents a method and metrics for network situational awareness.

January 2014 - Presentation Streaming Analysis: An Alternate Analysis Paradigm

Topics: Network Situational Awareness

Authors: John McHugh

In this presentation, John McHugh discusses how streaming analytics relieves the volume of stored data and decreases threat reaction time.

January 2014 - Presentation Data Fusion at Scale

Topics: Network Situational Awareness

Authors: Markus Deshon

In this presentation, Markus De Shon discusses data fusion, an automated network situation assessment process.

January 2014 - Presentation VoIP in Flow

Topics: Network Situational Awareness

Authors: Nathan Dell

In this presentation, Nathan Dell discusses VoIP in flow, and presents an analysis of VoIP communications and a lab example of data exfiltration.

January 2014 - Presentation LogStash: Yes Logging Can Be Awesome

Topics: Network Situational Awareness

Authors: James Turnbull (No Affiliation)

In this presentation, James Turnbull discusses how logging can be a core and critical part of your development and operations activities.

January 2014 - Presentation PM WIN-T TMD Fight the Network (FTN) / FAVA

Topics: Network Situational Awareness

Authors: Kevin Jacobs (U.S. Army)

In this presentation, Kevin Jacobs discusses FTN goals and its operational view, task details, and data fusion.

January 2014 - Presentation Investigating APT1

Topics: Network Situational Awareness

Authors: Deana Shick, Angela Horneman

In this presentation, the authors discuss utilizing the Internet Census 2012 data to understand how public sources tell a story about specific threat groups.

January 2014 - Presentation NetFlow Epidemiology: Tracking Negative Trust

Topics: Network Situational Awareness

Authors: John Murphy (FlowTraq), Vincent Berk (Dartmouth College)

In this presentation, the authors propose a set of NetFlow rules to minimize false positives and a heuristic by which to apply the rules in real time.

January 2014 - Presentation Semantic Flow Augmentation for the Automated Discovery of Organizational Relationships

Topics: Network Situational Awareness

Authors: Chris Strasburg (U.S. Department of Energy)

In this presentation, the author describes semantic flow augmentation, discusses its use and features, and presents ideas for future work.

January 2014 - Poster Discovering Unknown Network Activity Using Graphs and Computer Network Data

Topics: Network Situational Awareness

Authors: Eric Dull (Yarc Data)

This poster illustrates how to use broad, deep computer network data, statistics, and graph algorithms to identify and prioritize anomalous network activity.

January 2014 - Presentation Argus Instrumentation of the GLORIAD R&E Network for Improved Measurement, Monitoring and Security

Topics: Network Situational Awareness

Authors: Greg Cole (GLORIAD)

In this presentation, Greg Cole describes the improved measurement, monitoring, and security at GLORIAD.

January 2014 - Technical Note Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase II, Expanded Analysis and Recommendations

Topics: Insider Threat

Authors: Lori Flynn, Greg Porter (Heinz College at Carnegie Mellon University), Chas DiFatta (No Affiliation)

In this report, the authors discuss the countermeasures that cloud service providers use and how they understand the risks posed by insiders.

January 2014 - Special Report TSP Symposium 2013 Proceedings

Authors: Sergio Cardona (Universidad del Quindío), Silvana Moreno (Universidad de la República), William Nichols, Leticia Pérez (Universidad de la República), Mushtaq Raza (University of Porto), João Pascoal Faria (University of Porto), Diego Vallespir (Universidad de la República), Rafael Rincón (Universidad EAFIT), Fernanda Grazioli (Universidad de la República), Pedro C. Henriques (Strongstep – Innovation in Software Quality), Jim McHale

This special report contains proceedings of the 2013 TSP Symposium. The conference theme was “When Software Really Matters,” which explored the idea that when product quality is critical, high-quality practices are the best way to achieve it.

January 2014 - Podcast Raising the Bar - Mainstreaming CERT C Secure Coding Rules

Topics: Secure Coding

Authors: Robert C. Seacord, Julia H. Allen

In this podcast, Robert Seacord describes the CERT-led effort to publish an ISO/IEC technical specification for secure coding rules for compilers and analyzers.

January 2014 - Conference Paper Pointer Ownership Model

Topics: Secure Coding

Authors: David Svoboda, Lutz Wrage

In this paper, the authors describe how the Pointer Ownership Model improves static analysis of C programs for errors involving dynamic memory management.

December 2013 - Podcast AADL and Télécom Paris Tech

Topics: Software Architecture

Authors: Etienne Borde, Peter Feiler

Real-World Applications of the Architecture Analysis and Design Language (AADL)

December 2013 - Technical Report Understanding Patterns for System-of-Systems Integration

Topics: Software Architecture

Authors: Rick Kazman, Claus Nielsen (No Affiliation), Klaus Schmid

This report discusses how a software architect can address the system-of-systems integration challenge from an architectural perspective.

December 2013 - White Paper Foundations for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this paper, the authors highlight efforts to address the principles of software assurance and its educational curriculum.

December 2013 - Podcast From Process to Performance-Based Improvement

Topics: TSP

Authors: Timothy A. Chick, Gene Miluk, Suzanne Miller

In this podcast, Tim Chick and Gene Miluk discuss methodology and outputs of the Checkpoint Diagnostic, a tool that provides organizations with actionable performance related information and analysis closely linked to business value.

December 2013 - White Paper The Topological Properties of the Local Clustering Coefficient

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf

In this paper, Leigh Metcalf examines the local clustering coefficient and provides a new formula to generate it.

December 2013 - Video Anatomy of a Java Zero-Day Exploit

Topics: Secure Coding

Authors: David Svoboda

In this JavaOne 2013 video, David Svoboda demonstrates a public exploit that is written in pure Java using several obscure components of the Java library.

December 2013 - Technical Note Using Software Development Tools and Practices in Acquisition

Topics: Acquisition Support

Authors: Harry L. Levinson, Richard Librizzi

This technical note provides an introduction to key automation and analysis techniques.

December 2013 - White Paper Spotlight On: Programmers as Malicious Insiders–Updated and Revised

Topics: Insider Threat

Authors: Matthew L. Collins, Dawn Cappelli, Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University), Randall F. Trzeciak, Andrew P. Moore

In this paper, the authors describe the who, what, when, where, and how of attacks by insiders using programming techniques and includes case examples.

November 2013 - Technical Note Software Assurance Measurement – State of the Practice

Topics: Software Assurance, Measurement and Analysis

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.

November 2013 - Podcast An Approach to Managing the Software Engineering Challenges of Big Data

Topics: System of Systems

Authors: Ian Gorton, John Klein, Suzanne Miller

In this episode, Ian Gorton and John Klein discuss big data and the challenges it presents for software engineers. With help from fellow SEI researchers, the two have developed a lightweight risk reduction approach to help software engineers manage the ch

November 2013 - Podcast Using the Cyber Resilience Review to Help Critical Infrastructures Better Manage Operational Resilience

Topics: Cyber Risk and Resilience Management

Authors: Kevin Dillon (Department of Homeland Security), Matthew J. Butkovic, Julia H. Allen

In this podcast, the presenters explain how CRRs allow critical infrastructure owners to compare their cybersecurity performance with their peers.

November 2013 - White Paper A Defect Prioritization Method Based on the Risk Priority Number

Topics: Acquisition Support

Authors: Julie B. Cohen, Robert Ferguson, Will Hayes

This white paper provides a description of a generalized technique that could be used with any type of system to assist the program office in addressing and resolving conflicting views and creating a better value system for defining releases.

November 2013 - White Paper Agile Security - Review of Current Research and Pilot Usage

Topics: Acquisition Support

Authors: Carol Woody

This white paper was produced to focus attention on the opportunities and challenges for embedding information assurance considerations into Agile development and acquisition.

November 2013 - Conference Paper Architecture Patterns for Mobile Systems in Resource-Constrained Environments

Topics: Pervasive Mobile Computing

Authors: Grace Lewis, Soumya Simanta, Marc Novakouski, Gene Cahill, Jeff Boleng, Edwin J. Morris, James Root

This paper was presented at the 2013 Military Communications Conference.

November 2013 - Technical Note Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase I

Topics: Insider Threat

Authors: Greg Porter (Heinz College at Carnegie Mellon University)

In this report, Greg Porter documents preliminary findings from interviews with cloud service providers on their insider threat controls.

November 2013 - Podcast Situational Awareness Mashups

Topics: Pervasive Mobile Computing

Authors: Soumya Simanta, Suzanne Miller

In this podcast Soumya Simanta describes research aimed at creating a software prototype that allows warfighters and first responders to rapidly integrate or mash geo-tagged situational awareness data from multiple remote data sources.

November 2013 - Article Resilience Management Through the Use of CERT-RMM and Associated Success Stories

Topics: Cyber Risk and Resilience Management

Authors: Nader Mehravari

In this paper, Nader Mehravari shares practical and successful applications of CERT-RMM from a wide variety of organizations.

November 2013 - Technical Note Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale

Topics: Cyber Risk and Resilience Management

Authors: Matthew J. Butkovic, Richard A. Caralli

In this report, the authors review the specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed.

November 2013 - Webinar Panel Discussion: Managing the Insider Threat: What Every Organization Should Know

Topics: Insider Threat

Authors: Robert Floodeen, William R. Claycomb, Andrew P. Moore, Kurt C. Wallnau, Randall F. Trzeciak, Alex Nicoll

In this webinar, a panel discusses Managing the Insider Threat: What Every Organization Should Know.

November 2013 - Webinar Illicit Cyber Activity Involving Fraud

Topics: Insider Threat

Authors: Randall F. Trzeciak

In this webinar, Randy Trzeciak discusses a study to develop insights and risk indicators related to malicious insider activity in the banking and finance sector.

November 2013 - Webinar Engineering Realistic Synthetic Insider Threat (Cyber-Social) Test Data

Topics: Insider Threat

Authors: Kurt C. Wallnau

In this webinar, Kurt Wallnau discusses insider threat controls and how to test systems whose dynamics are based in human nature that is only partially understood.

November 2013 - Webinar Emerging Trends

Topics: Insider Threat

Authors: William R. Claycomb, Andrew P. Moore

In this November 2013 webinar, Bill Claycomb and Andrew Moore discuss how technology in emerging trends enables new types of insider attacks.

November 2013 - Webinar Components and Considerations in Building an Insider Threat Program

Topics: Insider Threat

Authors: Carly L. Huth, Robin Ruefle

In this November 2013 webinar, Carly Huth and Robin Ruefle discuss the key components you should consider when you're developing new insider threat programs.

November 2013 - Webinar Best Practices and Controls for Mitigating Insider Threats

Topics: Insider Threat

Authors: George Silowash, Alex Nicoll

In this 2013 webinar, Alex Nicoll and George Silowash discuss how the CERT division develops, inspects, and transitions insider threat controls to the public.

November 2013 - Webinar Overview of the Threat Posed by Insiders to Critical Assets

Topics: Insider Threat

Authors: Randall F. Trzeciak, Dave Mundie

In this 2013 webinar, Randy Trzeciak and David Mundie discuss the challenges organizations face as they try to address insider threat.

October 2013 - Podcast Applying Agile in the DoD: Fourth Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Miller

In this episode, the fourth in a series about the application of agile principles in the DOD, Suzanne Miller and Mary Ann Lapham discuss the application of the fourth principle, "Business people and developers must work together daily."

October 2013 - Conference Paper Test and Evaluation of Autonomous Multi-Robot Systems

Topics: Pervasive Mobile Computing

Authors: Joseph Giampapa

This PowerPoint presentation was given at the NDIA Annual Systems Engineering Conference in October 2013.

October 2013 - Technical Note CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication 800-66 Crosswalk

Topics: Cyber Risk and Resilience Management

Authors: Lisa R. Young, Ma-Nyahn Kromah (SunGard Availability Services)

In this report, the authors map CERT-RMM process areas to key activities in NIST Special Publication 800-66 Revision 1.

October 2013 - Conference Paper Four Insider IT Sabotage Mitigation Patterns and an Initial Effectiveness Analysis

Topics: Insider Threat

Authors: Lori Flynn, Jason W. Clark, Andrew P. Moore, Matthew L. Collins, Eleni Tsamitis, Dave Mundie, David McIntire

In this paper, the authors describe four patterns of insider IT sabotage mitigation and initial results from 46 relevant cases for pattern effectiveness.

October 2013 - Podcast Architecting Systems of the Future

Topics: Cyber-Physical Systems

Authors: Eric Werner, Suzanne Miller

In this episode, Eric Werner discusses research that he and several of his colleagues are conducting to help software developers create systems for the many-core central processing units in massively parallel computing environments.

October 2013 - Presentation Management of Technical Debt: A Lockheed Martin Experience Report

Authors: Robert Eisenberg (Lockheed Martin)

This presentation was part of the Fifth International Workshop on Managing Technical Debt, held at the ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 2013.

October 2013 - Presentation Technical Debt: At the Intersection of Decades of Empirical Software Engineering Research

Authors: Carolyn Seaman (University of Maryland Baltimore County)

This presentation was part of the Fifth International Workshop on Managing Technical Debt, held at the ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 2013.

October 2013 - Presentation Technical Debt: Identification, Payment, and Restructuring

Authors: Todd Fritsche (Siemens Healthcare Health Services)

This presentation was part of the Fifth International Workshop on Managing Technical Debt, held at the ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 2013.

October 2013 - Presentation Take Control of Your Technical Debt

Authors: Olivier Gaudin (SonarSource)

This presentation was part of the Fifth International Workshop on Managing Technical Debt, held at the ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 2013.

October 2013 - Presentation Technical Liability: Extending the Technical Debt Metaphor

Authors: Murray Cantor (IBM Rational Software)

This presentation was part of the Fifth International Workshop on Managing Technical Debt, held at the ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 2013.

October 2013 - Technical Report Passive Detection of Misbehaving Name Servers

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf, Jonathan Spring

In this report, the authors explore name-server flux and two types of data that can reveal it.

October 2013 - Technical Note Insider Threat Control: Using Plagiarism Detection Algorithms to Prevent Data Exfiltration in Near Real Time

Topics: Insider Threat

Authors: Todd Lewellen, George Silowash, Daniel L. Costa

In this report, the authors describe how an insider threat control can monitor an organization's web request traffic for text-based data exfiltration.

October 2013 - Technical Report Introduction to the Mission Thread Workshop

Topics: Software Architecture, System of Systems

Authors: Michael J. Gagliardi, William G. Wood, Timothy Morrow

This report introduces the Mission Thread Workshop, a method for understanding architectural and engineering considerations for developing and sustaining systems of systems. It describes the three phases of the workshop and explains the steps of each.

October 2013 - Technical Note Parallel Worlds: Agile and Waterfall Differences and Similarities

Topics: Acquisition Support

Authors: Steve Palmquist, Mary Ann Lapham, Suzanne Garcia-Miller, Timothy A. Chick, Ipek Ozkaya

This report helps readers understand Agile. The report assembles terms and concepts from both the traditional world of waterfall-based development and the Agile environment to show the many similarities and differences.

September 2013 - Article Technical Debt: Towards a Crisper Definition, Report on the 4th International Workshop on Managing Technical Debt

Authors: Philippe Kruchten, Robert Nord, Ipek Ozkaya, Davide Falessi (Fraunhofer Center for Experimental Software Engineering)

This article reports on the Fourth International Workshop on Managing Technical Debt, where participants defined technical debt and the limits of the metaphor.

September 2013 - White Paper Everything You Wanted to Know About Blacklists But Were Afraid to Ask

Topics: Network Situational Awareness

Authors: Leigh B. Metcalf, Jonathan Spring

This document compares the contents of 25 different common public-internet blacklists in order to discover any patterns in the shared entries.

September 2013 - Article Java Coding Guidelines for Reliability

Topics: Secure Coding

Authors: Fred Long (Aberystwyth University), Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

In this sample chapter, the authors describe how to avoid obscure techniques and code that is difficult to understand and maintain when programming in Java.

September 2013 - Podcast Acquisition Archetypes

Topics: Acquisition Support

Authors: William Novak, Suzanne Miller

In this episode, Bill Novak talks about his work with acquisition archetypes and how they can be used to help government programs avoid problems in software development and systems acquisition.

September 2013 - Video Don’t Be Pwned: A Short Course on Secure Programming in Java

Topics: Secure Coding

Authors: Robert C. Seacord, Dean F. Sutherland

In this JavaOne 2013 video, developers of the CERT Oracle Secure Coding Standard for Java describe exploits that compromised Java programs in the field.

September 2013 - Presentation Don’t Be Pwned: A Short Course on Secure Programming in Java

Topics: Secure Coding

Authors: Dean F. Sutherland, Robert C. Seacord, David Svoboda

In this presentation, the developers of the CERT Oracle Secure Coding Standard for Java present real exploits that have compromised Java programs in the field.

September 2013 - Presentation Java Security Architecture

Topics: Secure Coding

Authors: David Svoboda

In this presentation, given at JavaOne 2013, David Svoboda explains Java's security architecture in detail, including how it was designed to secure Web applets.

September 2013 - Conference Paper Variations on Using Propagation Costs to Measure Architecture Modifiability Properties

Topics: Software Architecture

Authors: Robert Nord, Ipek Ozkaya, Raghvinder Sangwan, Julien Delange, Marco Gonzalez-Rojas (University of British Columbia), Philippe Kruchten

This paper demonstrates how enhancing the propagation cost metric with architectural metrics enables the detection of modifiability properties that the propagation cost metric alone cannot detect.

September 2013 - Presentation "Hi-Mat" Units: An Innovative TSP-Adoption Programme in South Africa

Topics: TSP

Authors: Barry Dwolatzky (University of the Witwatersrand, Johannesburg)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation How to Successfully Launch Projects with Multi-Functional Silos

Topics: TSP

Authors: Bradley Zabinski (Urban Science)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Keynote Presentation MoNeT: A Software Initiative to Boost the Mexican Securities Market

Topics: TSP

Authors: Enrique Ibarra (Mexican Stock Exchange (BMV))

Keynote presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation SEI Interactive Session: Empirical Study of Software Engineering Results

Topics: TSP

Authors: Mark Kasunic

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Coaching a Winning Team

Topics: TSP

Authors: Dan Wall (The Wall Group)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Lessons Learned in Seven Years of Teaching PSP to University Students

Topics: TSP

Authors: Rafael Salazar (Tecnológico de Monterrey)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Toward A Quantified Reflection

Topics: TSP

Authors: William Nichols

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Integrating TSP Data with External Systems: Challenges and Opportunities

Topics: TSP

Authors: David Tuma (Tuma Solutions), Elias Fallon (Cadence Design Systems, Inc.)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation 9 Digit Stakes and the Measurement Stack

Topics: TSP

Authors: Bill Curtis (CAST Software)

Keynote presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Demonstrating the Impact of the PSP on Software Quality and Effort: Eliminating the Programming Learning Effect

Topics: TSP

Authors: Diego Vallespir (Universidad de la República)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation The Exceptional Change Agent: Increase Your Value, Decrease Your Effort, Change Your World

Topics: TSP

Authors: Alan Willett (Oxseeker, Inc.)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Neuroscience, Zen, and the Art of Coaching for Habitual Excellence

Topics: TSP

Authors: Marsha Pomeroy-Huff (Carnegie Mellon University)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Grassroots Implementation of PSP

Topics: TSP

Authors: Jason Brady (Alliant Techsystems, Inc.)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation The Hidden Secrets of the TSP Checkpoint

Topics: TSP

Authors: Liliana Cazangiu (No Affiliation)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Success with the TSP: Improve Your Project Estimations with Statistical Analysis Tools

Topics: TSP

Authors: Michael Mowle (Urban Science), Kathy Krauskopf (Urban Science)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Using TSP to Develop and Maintain Mission Critical IT Systems

Topics: TSP

Authors: Alex Obradovic (Beckman Coulter)

Presentation given at TSP Symposium on September 17-19, 2013

September 2013 - Presentation Cultural and Computer Network Attack (CNA) Behaviors (44Con, London)

Topics: Network Situational Awareness

Authors: Char Sample

In this presentation, Char Sample and Dave Barnett discuss Hofstede's cultural dimension framework and its operationalized data.

September 2013 - Conference Paper A Notation for Describing the Steps in Indicator Expansion

Topics: Network Situational Awareness

Authors: Jonathan Spring

In this paper, Jonathan Spring proposes a method of capturing the process of indicator expansion in a deterministic yet flexible and extensible manner.

September 2013 - Podcast Human-in-the-Loop Autonomy

Topics: Pervasive Mobile Computing

Authors: James Edmondson, Suzanne Garcia-Miller

In this episode, James Edmondson discusses his research on autonomous systems, specifically human-in-the-loop autonomy for robotic systems.

September 2013 - Special Report Team Software Process (TSP) Coach Certification Guidebook

Topics: TSP, Process Improvement

Authors: Timothy A. Chick, Marsha Pomeroy-Huff

This guidebook explains the process required to become an SEI-Certified Team Software Process Associate Coach, SEI-Certified TSP Coach, or SEI-Certified TSP Mentor Coach: entry requirements, certification process steps, and performance evaluations.

September 2013 - Special Report Team Software Process (TSP) Coach Mentoring Program Guidebook, Version 2.0

Topics: TSP, Process Improvement

Authors: Timothy A. Chick, Jim McHale, William Nichols, Marsha Pomeroy-Huff

This guidebook explains the mentoring process required to become an SEI-Certified Team Software Process (TSP) Associate Coach, SEI-Certified TSP Coach, or SEI-Certified TSP Mentor Coach.

September 2013 - Special Report TSP Performance and Capability Evaluation (PACE): Customer Guide

Topics: Process Improvement, TSP

Authors: William Nichols, Mark Kasunic, Timothy A. Chick

This guide describes the evaluation process and lists the steps organizations and programs must complete to earn a TSP-PACE certification.

September 2013 - Special Report TSP Performance and Capability Evaluation (PACE): Team Preparedness Guide

Topics: Process Improvement, TSP

Authors: William Nichols, Mark Kasunic, Timothy A. Chick

This document describes the TSP team data that teams normally produce and that are required as input to the TSP-PACE process.

September 2013 - Poster Edge Analytics - Real-Time Analysis of High-Volume Streaming Data

Topics: Cyber-Physical Systems, Pervasive Mobile Computing

Authors: Soumya Simanta, William Anderson

Description of the SEI capability in edge analytics

August 2013 - Webinar CHECKPOINT Diagnostic

Topics: Measurement and Analysis, Process Improvement, TSP

Authors: Timothy A. Chick, Gene Miluk

This webinar introduces the methodology and outputs of the SEI's latest investigative approach, the Checkpoint Diagnostic (CPD). The CPD is the foundational technology in a well-designed "Performance Improvement Program."

August 2013 - Podcast Mobile Applications for Emergency Managers

Topics: Pervasive Mobile Computing

Authors: Adam Miller (Huntingdon County, Pennsylvania, Emergency Management Agency), Bill Pollak

Learn about the SEI's Advanced Mobile Systems Team's work with the Huntingdon County, Pennsylvania, Emergency Management Agency.

August 2013 - Podcast Why Use Maturity Models to Improve Cybersecurity: Key Concepts, Principles, and Definitions

Authors: Richard A. Caralli, Julia H. Allen

In this podcast, Rich Caralli explains how maturity models provide measurable value in improving an organization's cybersecurity capabilities.

August 2013 - Technical Note Best Practices Against Insider Threats in All Nations

Topics: Insider Threat

Authors: Lori Flynn, Carly L. Huth, Randall F. Trzeciak, Palma Buttles-Valdez

In this report, the authors summarize best practices for mitigating insider threats in international contexts.

August 2013 - White Paper The Role of Computer Security Incident Response Teams in the Software Development Life Cycle

Topics: Cybersecurity Engineering, Software Assurance

Authors: Robin Ruefle

In this paper, Robin Ruefle describes how an incident management function can provide input to the software development process.

August 2013 - White Paper State of Cyber Workforce Development

Topics: Workforce Development

Authors: Marie Baker

This paper summarizes the current posture of the cyber workforce and several initiatives designed to strengthen, grow, and retain cybersecurity professionals.

August 2013 - Podcast Applying Agile in the DoD: Third Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Garcia-Miller

A discussion of the application of the third Agile principle, "Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale."

August 2013 - White Paper Training and Awareness

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol A. Sledge, Ken Van Wyk (No Affiliation)

In this paper, the authors provide guidance on training and awareness opportunities in the field of software security.

August 2013 - White Paper Evidence of Assurance: Laying the Foundation for a Credible Security Case

Topics: Cybersecurity Engineering, Software Assurance

Authors: Charles B. Weinstock, Howard F. Lipson

In this paper, the authors provide examples of several of the kinds of evidence that can contribute to a security case.

August 2013 - Webinar 20+ Years of Cyber (in)Security

Authors: Richard D. Pethia

In this webinar, Rich Pethia discusses how cybersecurity has changed over the past 20 years.

August 2013 - Webinar Achieving Mission Assurance Through Resilience Management

Topics: Cyber Risk and Resilience Management, Process Improvement, Risk and Opportunity Management

Authors: Nader Mehravari

In this August 2013 webinar, Nader Mehravari discusses how to protect and sustain the mission and business operations of an organization.

August 2013 - Webinar Observations of Successful Cyber Security Operations

Topics: Cybersecurity Engineering, Vulnerability Analysis

Authors: Roman Danyliw

In this 2013 webinar, Roman Danyliw discusses how cyber security organizations react to new technologies or adversaries.

August 2013 - Webinar Responding to a Large-Scale Cybersecurity Incident

Topics: Cybersecurity Engineering, Digital Intelligence and Investigation

Authors: Christian Roylo

In this 2013 webinar, Christian Roylo discusses the role of technology in responding to large-scale cyber incidents.

August 2013 - White Paper Security and Project Management

Topics: Cybersecurity Engineering, Software Assurance

Authors: Robert J. Ellison

In this paper, Robert Ellison explains what project managers should consider as it relates to security needs.

August 2013 - White Paper An Evaluation of Cost-Benefit Using Security Requirements Prioritization Methods

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Travis Christian

In this paper, the authors evaluate the cost-benefit of security requirements prioritization methods.

August 2013 - Book Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs

Topics: Secure Coding

Authors: Robert C. Seacord

In this book, Robert Seacord brings together expert guidelines, recommendations, and code examples to help you use Java code to perform mission-critical tasks.

August 2013 - Webinar Developing Your Cyber Workforce

Topics: Workforce Development

Authors: Christopher May

In this 2013 webinar, Chris May discusses approaches to researching and developing solutions to the cyber workforce development challenge.

August 2013 - Webinar The Cyber Security R&D Pipeline – Building Capability Through Science

Topics: Cybersecurity Engineering

Authors: Greg Shannon

In this 2013 webinar, Dr. Greg Shannon describes advances in software engineering to build systems with predictable and improved quality, cost, and schedule.

August 2013 - Technical Note Unintentional Insider Threats: A Foundational Study

Topics: Insider Threat, Science of Cybersecurity

Authors: CERT Insider Threat Team

In this report, the CERT Insider Threat team examines unintentional insider threat (UIT), a largely unrecognized problem.

July 2013 - White Paper Teaching Security Requirements Engineering Using SQUARE

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors detail the validation of a teaching model for security requirements engineering that ensures that security is built into software.

July 2013 - White Paper Trustworthy Composition: The System Is Not Always the Sum of Its Parts

Topics: Cybersecurity Engineering, Software Assurance

Authors: Robert J. Ellison

In this paper, Robert Ellison surveys several profound technical problems faced by practitioners assembling and integrating secure and survivable systems.

July 2013 - White Paper Strengthening Ties Between Process and Security

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody

In this paper, Carol Woody summarizes recent key accomplishments, including harmonizing security practices with CMMI and using assurance cases.

July 2013 - White Paper Estimating Benefits from Investing in Secure Software Development

Topics: Cybersecurity Engineering, Software Assurance

Authors: Ashish Arora, Rahul Telang, Steven Frank

In this paper, the authors discuss the costs and benefits of incorporating security in software development and present formulas for calculating security costs and security benefits.

July 2013 - White Paper What Measures Do Vendors Use for Software Assurance?

Topics: Cybersecurity Engineering, Acquisition Support, Software Assurance

Authors: Jeremy Epstein

In this paper, Jeremy Epstein examines what real vendors do to ensure that their products are reasonably secure.

July 2013 - White Paper The Development of a Graduate Curriculum for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Mark A. Ardis (Stevens Institute of Technology), Nancy R. Mead

In this paper, the authors describe the work of the Master of Software Assurance curriculum project, including sources, process, products, and more.

July 2013 - White Paper Secure Software Development Life Cycle Processes

Topics: Cybersecurity Engineering, Software Assurance

Authors: Noopur Davis

In this paper, Noopur Davis presents information about processes, standards, and more that support or could support secure software development.

July 2013 - Podcast DevOps - Transform Development and Operations for Fast, Secure Deployments

Authors: Gene Kim (IP Services and ITPI), Julia H. Allen

In this podcast, Gene Kim explains how the "release early, release often" approach significantly improves software performance, stability, and security.

July 2013 - Video Importance of Cybersecurity in Healthcare

Topics: Cybersecurity Engineering

Authors: Nate Silcox (Senate Communications and Technology Committee)

In this video, Nate Silcox discusses the importance of cybersecurity in healthcare.

July 2013 - Podcast Application Virtualization as a Strategy for Cyber Foraging

Topics: Pervasive Mobile Computing

Authors: Grace Lewis, Suzanne Miller

In this podcast, researcher Grace Lewis discusses application virtualization as a more lightweight alternative to VM synthesis for cloudlet provisioning.

July 2013 - Conference Paper Understanding the Role of Constraints on Architecturally Significant Requirements

Topics: Software Architecture

Authors: Neil Ernst, Ipek Ozkaya, Robert Nord, Julien Delange, Stephany Bellomo, Ian Gorton

This paper describes a case study conducted to identify architecturally significant requirements that were impacted by tool selection.

July 2013 - Podcast Common Testing Problems: Pitfalls to Prevent and Mitigate

Topics: Acquisition Support

Authors: Donald Firesmith, Suzanne Miller

Don Firesmith discusses problems that occur during testing as well as a framework that lists potential symptoms by which each can be recognized, potential negative consequences, and potential causes, and makes recommendations for preventing them.

July 2013 - White Paper Applicability of Cultural Markers in Computer Network Attack Attribution

Topics: Network Situational Awareness

Authors: Char Sample

In this 2013 white paper, Char Sample discusses whether cultural influences leave traces in computer network attack (CNA) choices and behaviors.

July 2013 - Conference Paper Probabilistic Verification of Coordinated Multi-Robot Missions

Topics: Cyber-Physical Systems

Authors: Sagar Chaki, John M. Dolan, Joseph Giampapa

In this paper, the authors advocate, formalize, and empirically justify an approach to compute quantitative utility of robotic missions using probabilistic model checking.

July 2013 - White Paper Improving Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Robert J. Ellison

In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.

July 2013 - White Paper Scale: System Development Challenges

Authors: Carol Woody, Robert J. Ellison

In this paper, the authors describe software assurance challenges inherent in networked systems development and propose a solution.

July 2013 - White Paper Requirements Prioritization Case Study Using AHP

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a tradeoff analysis that can select a suitable requirements prioritization method and the results of trying one method.

July 2013 - White Paper Arguing Security - Creating Security Assurance Cases

Topics: Cybersecurity Engineering, Software Assurance

Authors: Charles B. Weinstock, Howard F. Lipson, John B. Goodenough

In this paper, the authors explain an approach to documenting an assurance case for system security.

July 2013 - White Paper Requirements Elicitation Case Studies Using IBIS, JAD, and ARM

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a tradeoff analysis that can be used to select a suitable requirements elicitation method.

July 2013 - White Paper The Common Criteria

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses how the Common Criteria are evaluated and presents a related standard for developing security requirements.

July 2013 - White Paper Measures and Measurement for Secure Software Development

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Dekkers, David Zubrow, James McCurley

In this paper, the authors discuss how measurement can be applied to improve the security characteristics of the software being developed.

July 2013 - White Paper Predictive Models for Identifying Software Components Prone to Failure During Security Attacks

Topics: Cybersecurity Engineering, Software Assurance

Authors: Laurie Williams

In this paper, the authors describe how the presence of security faults correlates strongly with the presence of a more general category of reliability faults.

July 2013 - White Paper Measuring the Software Security Requirements Engineering Process

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a measurement approach to security requirements engineering to analyze projects that were developed with and without SQUARE.

July 2013 - White Paper System-of-Systems Influences on Acquisition Strategy Development

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Rita C. Creel, Robert J. Ellison

In this paper, the authors discuss significant new sources of risk and recommend ways to address them.

July 2013 - White Paper Risk-Centered Practices

Authors: Julia H. Allen

In this paper, Julia Allen discusses the role that risk management and risk assessment play in choosing which security practices to implement.

July 2013 - White Paper Supply-Chain Risk Management: Incorporating Security into Software Development

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Robert J. Ellison

In this paper, the authors describe practices that address defects and mechanisms for introducing these practices into the acquisition lifecycle.

July 2013 - White Paper Prioritizing IT Controls for Effective, Measurable Security

Authors: Daniel Phelps, Gene Kim (IP Services and ITPI), Kurt Milne

In this paper, the authors summarize results from the IT Controls Performance Study conducted by the IT Process Institute.

July 2013 - White Paper Building Security into the Business Acquisition Process

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy)

In this paper, Dan Shoemaker presents the standard process for acquiring software products and services in business.

July 2013 - White Paper Navigating the Security Practice Landscape

Authors: Julia H. Allen

In this paper, Julia Allen presents a summary of ten leading sources of security practice definition and implementation guidance.

July 2013 - White Paper Assuring Software Systems Security: Life Cycle Considerations for Government Acquisitions

Topics: Cybersecurity Engineering, Acquisition Support

Authors: Rita C. Creel

In this paper, Rita Creel identifies acquirer activities and resources necessary to support contractor efforts to build secure software-intensive systems.

July 2013 - White Paper Plan, Do, Check, Act

Topics: Cyber Risk and Resilience Management

Authors: Julia H. Allen

In this paper, Julia Allen discusses applying the Plan, Do, Check, Act cycle to managing security.

July 2013 - White Paper Finding a Vendor You Can Trust in the Global Marketplace

Topics: Cybersecurity Engineering, Acquisition Support, Software Assurance

Authors: Art Conklin, Dan Shoemaker (University of Detroit Mercy)

In this paper, the authors introduce the concept of standardized third-party certification of supplier process capability.

July 2013 - Technical Note Insider Threat Attributes and Mitigation Strategies

Topics: Insider Threat

Authors: George Silowash

In this report, George Silowash maps common attributes of insider threat cases to characteristics important for detecting, preventing, or mitigating the threat.

July 2013 - Article Integrate End to End Early and Often

Topics: Software Architecture, TSP

Authors: Felix Bachmann, Luis Carballo, Jim McHale, Robert Nord

This article discusses using architecture-centric engineering and the Team Software Process to develop software for a new trading engine at the Mexican Stock Exchange.

July 2013 - Presentation Modeling the Evolution of a Science Project in Software-Reliant System Acquisition Programs

Topics: Acquisition Support

Authors: Andrew P. Moore, William E. Novak

This presentation was delivered at the International Conference of the System Dynamics Society in July 2013.

June 2013 - Podcast Joint Programs and Social Dilemmas

Topics: Acquisition Support

Authors: Bill Novak

In this episode, SEI researcher Bill Novak discusses joint programs and social dilemmas, which have become increasingly common in defense acquisition, and the ways in which joint program outcomes can be affected by their underlying structure.

June 2013 - Brochure Sketch of Matt Butkovic

Authors: David Biber

Sketch of Matt Butkovic from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges

June 2013 - Presentation Cybersecurity SLAs: Managing Requirements at Arm's Length

Topics: Cyber Risk and Resilience Management, Cybersecurity Engineering

Authors: Matthew J. Butkovic

Presentation from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges

June 2013 - Video Cybersecurity HIE Roundtable Discussion

Topics: Cybersecurity Engineering, Cyber Risk and Resilience Management

Authors: Samuel A. Merrell, Lee Kim (Tucker Arensberg), Alix Goss, John Kravitz (Geisinger Health System)

This presentation at The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges was delivered on June 26, 2013.

June 2013 - Video Cybersecurity HIE Welcome and Overview

Topics: Cybersecurity Engineering, Cyber Risk and Resilience Management

Authors: Samuel A. Merrell

In this video, Sam Merrell welcomes attendees at The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges.

June 2013 - Video Medical Identity Theft, An Alarming Trend: Incident Response Considerations

Topics: Cybersecurity Engineering, Incident Management

Authors: Greg Porter

In this video, Greg Porter presents an alarming trend—medical identity theft.

June 2013 - Video Pennsylvania’s Journey for Health Information Exchange

Topics: Cybersecurity Engineering, Cyber Risk and Resilience Management

Authors: Alix Goss (Pennsylvania eHealth Partnership Authority)

This presentation at The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges was delivered on June 26, 2013.

June 2013 - Video Cyber Security Service Level Agreements

Topics: Cybersecurity Engineering

Authors: Matthew J. Butkovic

In this video, Matthew Butkovic presents information about cyber security service level agreements.

June 2013 - Video HIE Sustainability Under Cyber Security

Topics: Cybersecurity Engineering

Authors: Buddy Gillespie (DSS)

In this video, Buddy Gillespie discusses health information exchange (HIE) sustainability under cybersecurity.

June 2013 - Video Principles for Establishing a Practical Cyber Security Incident Management Process in Your HIE

Topics: Cybersecurity Engineering, Cyber Risk and Resilience Management

Authors: John Houston (UPMC)

In this video, John Houston presents principles for establishing a practical cyber security incident management process.

June 2013 - Video Overview of Cyber Security Incident Management

Topics: Cybersecurity Engineering

Authors: Mark Zajicek

In this video, Mark Zajicek presents an overview of cyber security incident management.

June 2013 - Article Beyond Scrum + XP: Agile Architecture Practice

Topics: Software Architecture

Authors: Ipek Ozkaya, Robert Nord, Stephany Bellomo, Heidi Brayer

This article highlights several approaches to agile architecture that organizations have applied and provides an in-depth look at release planning and roadmap planning.

June 2013 - Brochure Sketch of Alix Goss

Authors: David Biber

Sketch from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges

June 2013 - Brochure Sketch of Lee Kim

Authors: David Biber

Sketch from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges

June 2013 - Presentation Navigating the Waters of Incident Response and Recovery

Topics: Incident Management

Authors: David Biber

Presentation from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges

June 2013 - Brochure Sketch of Buddy Gillespie

Authors: David Biber

Sketch from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges.

June 2013 - Brochure Sketch of John Houston

Authors: David Biber

Sketch from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges.

June 2013 - Brochure Sketch of Mark Zajicek

Authors: David Biber

Sketch from the June 2013 CERT Symposium on Cyber Security Incident Management for Health Information Exchanges.

June 2013 - Article C Secure Coding Rules: Past, Present, and Future

Topics: Secure Coding

Authors: Robert C. Seacord

In this article, Robert Seacord offers a history of secure coding work and provides details about the ISO/IEC TS 17961 C Secure Coding Rules.

June 2013 - Brochure Group Autonomy for Mobile Systems

Topics: Pervasive Mobile Computing

Authors: James Edmondson

This brochure describes SEI research in the area of Group Autonomy for Mobile Systems.

June 2013 - Podcast Applying Agile in the DoD: Second Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Miller

In this episode, SEI researchers discuss the application of the second Agile principle, “Welcome changing requirements, even late in development.”

June 2013 - Presentation Cultural Markers in Attack Attribution

Topics: Network Situational Awareness

Authors: Char Sample

In this presentation, Char Sample discusses the role of flow data in cybersecurity incident response.

June 2013 - Article Silent Elimination of Bounds Checks

Topics: Secure Coding

Authors: Robert C. Seacord

In this article, Robert Seacord shows how compiler optimizations can eliminate causality in software and increase software faults, defects, and vulnerabilities.

June 2013 - Podcast Managing Disruptive Events - CERT-RMM Experience Reports

Topics: Cyber Risk and Resilience Management

Authors: Nader Mehravari, Julia H. Allen

In this podcast, the participants describe four experience reports that demonstrate how the CERT-RMM can be applied to manage operational risks.

June 2013 - White Paper Pointer Ownership Model

Topics: Secure Coding

Authors: David Svoboda

In this paper, David Svoboda describes the Pointer Ownership Model, which can statically identify classes of errors involving dynamic memory in C/C++ programs.

June 2013 - White Paper Common Software Platforms in System-of-Systems Architectures: The State of the Practice

Topics: Software Architecture, System of Systems

Authors: John Klein, Sholom G. Cohen, Rick Kazman

System-of-systems (SoS) architectures based on common software platforms have been commercially successful, but progress on creating and adopting them has been slow. This study aimed to understand technical issues for their development and adoption.

June 2013 - Technical Note Isolating Patterns of Failure in Department of Defense Acquisition

Topics: Acquisition Support

Authors: Lisa Brownsword, Cecilia Albert, David J. Carney, Patrick R. Place, Charles (Bud) Hammons, John J. Hudak

This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals.

June 2013 - Special Report Socio-Adaptive Systems Challenge Problems Workshop Report

Topics: Ultra-Large-Scale Systems

Authors: Scott Hissam, Mark H. Klein, Timothy Morrow

This report presents a summary of the findings of the Socio-Adaptive Systems Challenge Problem Workshop, held in Pittsburgh, PA, on April 12-13, 2012.

May 2013 - White Paper Strengths in Security Solutions

Topics: Cybersecurity Engineering, Secure Coding

Authors: Arjuna Shunn (Microsoft), Carol Woody, Robert C. Seacord, Allen D. Householder

In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.

May 2013 - Presentation Does Scale Really Matter? Ultra-Large-Scale Systems Seven Years After the Study

Topics: Ultra-Large-Scale Systems

Authors: Linda M. Northrop

In 2006, Ultra-Large-Scale Systems: The Software Challenge of the Future documented the results of a study on ultra-large distributed systems. What has happened since the study was published? This talk shares a perspective on the post-study reality.

May 2013 - White Paper Integrating Software Assurance Knowledge into Conventional Curricula

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors discuss the results of comparing the Common Body of Knowledge for Secure Software Assurance with traditional computing disciplines.

May 2013 - White Paper Maturity of Practice

Authors: Julia H. Allen

In this paper, Julia Allen identifies indicators that organizations are addressing security as a governance and management concern, at the enterprise level.

May 2013 - Podcast Reliability Validation and Improvement Framework

Topics: Software Architecture

Authors: Peter Feiler

In this podcast, Peter Feiler discusses his recent work to improve the quality of software-reliant systems through an approach known as the Reliability Validation and Improvement Framework.

May 2013 - Conference Paper A Study of Enabling Factors for Rapid Fielding

Topics: Software Architecture

Authors: Stephany Bellomo, Robert Nord, Ipek Ozkaya

This paper summarizes the practices that practitioners interviewed from Agile projects found most valuable and provides an overarching scenario for insight into how and why these practices emerge.

May 2013 - Conference Paper Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data

Topics: Insider Threat

Authors: Joshua Glasser (ExactData, LLC), Brian Lindauer

We outline the use of synthetic data to enable progress in one research program. This asset includes links to test datasets.

May 2013 - White Paper Integrating Security and IT

Topics: Cyber Risk and Resilience Management

Authors: Julia H. Allen

In this paper, Julia Allen describes the key relationship between IT processes and security controls.

May 2013 - White Paper Individual Certification of Security Proficiency for Software Professionals: Where Are We? Where Are We Going?

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy)

In this paper, Dan Shoemaker describes existing professional certifications in information assurance and emerging certifications for secure software assurance.

May 2013 - White Paper How Much Security Is Enough?

Topics: Software Assurance

Authors: Julia H. Allen

In this paper, Julia Allen provides guidelines for answering this question, including means for determining adequate security based on risk.

May 2013 - White Paper Models for Assessing the Cost and Value of Software Assurance

Authors: Antonio Drommi, Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), John Bailey, Nancy R. Mead

In this paper, the authors present IT valuation models that represent the most commonly accepted approaches to the valuation of IT and IT processes.

May 2013 - White Paper Adapting Penetration Testing for Software Development Purposes

Topics: Cybersecurity Engineering, Software Assurance

Authors: Ken Van Wyk (No Affiliation)

In this paper, Ken van Wyk provides background information on penetration testing processes and practices.

May 2013 - White Paper Requirements Engineering Annotated Bibliography

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead provides a bibliography of sources related to requirements engineering.

May 2013 - White Paper Defining the Discipline of Secure Software Assurance: Initial Findings from the National Software Assurance Repository

Topics: Incident Management

Authors: Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors characterize the current state of secure software assurance work and suggest future directions.

May 2013 - White Paper Making the Business Case for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead provides an overview of the Business Case content area.

May 2013 - Conference Paper Elaboration on an Integrated Architecture and Requirement Practice

Topics: Software Architecture

Authors: Stephany Bellomo, Robert Nord, Ipek Ozkaya

This paper elaborates the practice of prototyping with quality attribute focus to gain a better understanding of how this practice works and what the benefits of the approach are.

May 2013 - Presentation Exploring Software Supply Chains from a Technical Debt Perspective

Authors: John McGregor, J. Yates Monteith (Clemson University)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Presentation DebtFlag: Technical Debt Management with a Development Environment Integrated Tool

Authors: Johannes Holvitie (Turku Center for Computer Science), Ville Leppänen (Turku Center for Computer Science)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Presentation Managing Technical Debt: An Industrial Case Study

Authors: Zadia Codabux (Mississippi State University), Byron J. Williams (Mississippi State University)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Technical Note Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations (2013)

Topics: Insider Threat

Authors: Matthew L. Collins, Derrick Spooner, Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak

In this report, the authors provide a snapshot of individuals involved in insider threat cases and recommend how to mitigate the risk of similar incidents.

May 2013 - Presentation Generating Precise Dependencies for Large Software

Authors: Robert Kroeger (Google), David Morgenthaler (Google), Lin Tan (University of Waterloo), Pei Wang (University of Waterloo), Jinqiu Yang (University of Waterloo)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Presentation On the Limits of the Technical Debt Metaphor

Authors: Klaus Schmid (University of Hildesheim)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Presentation Understanding the Impact of Technical Debt on the Capacity and Velocity of Teams and Organizations

Authors: Ken Power (Cisco Systems)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Presentation Mapping Architectural Decay Instances to Dependency Models

Authors: Yuanfang Cai (Drexel University), Joshua Garcia (University of Southern California), Nenad Medvidovic (University of Southern California), Ran Mo (Drexel University)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Poster 2013 IEEE Symposium Quilt Poster

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall, George Jones

This poster about Quilt, a system for distributed queries of security-relevant data, was presented at the 2013 IEEE Symposium on Security and Privacy.

May 2013 - Presentation Quilt: A System for Distributed Queries of Security-Relevant Data

Topics: Network Situational Awareness

Authors: Timothy J. Shimeall, George Jones, Derrick Karimi

In this presentation, the authors describe Quilt, a system for distributed queries of security-relevant data.

May 2013 - White Paper The Software Assurance Competency Model: A Roadmap to Enhance Individual Professional Capability

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this paper, the authors describe a software assurance competency model that can be used by professionals to improve their software assurance skills.

May 2013 - White Paper Building a Body of Knowledge for ICT Supply Chain Risk Management

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors propose a set of Supply Chain Risk Management (SCRM) activities and practices for Information and Communication Technologies (ICT).

May 2013 - Webinar Architecting in a Complex World: Achieving Agility and Stability in Large-Scale Software Development

Topics: Software Architecture

Authors: Ipek Ozkaya

Ipek Ozkaya explores tactics about how organizations can better take advantage of software architecting for large-scale agile software-development efforts.

May 2013 - Webinar Architecting in a Complex World: Eliciting and Specifying Quality Attribute Requirements

Topics: Software Architecture

Authors: Rob Wojcik

Rob Wojcik describes the Quality Attribute Workshop, a scenario-based approach for eliciting requirements for quality attributes (non-functional system qualities such as performance, availability, and security).

May 2013 - Webinar Architecting in a Complex World: Uncovering Architectural Challenges in a System of Systems

Topics: Software Architecture, System of Systems

Authors: Michael J. Gagliardi

Mike Gagliardi describes development challenges in usability/automation, capability gaps, resource management, training, migration of legacy systems, and collaboration that they have identified from 46 Mission Thread Workshops.

May 2013 - White Paper Modeling Tools References

Topics: Cybersecurity Engineering, Software Assurance

Authors: Samuel T. Redwine

In this paper, Samuel Redwine provides references related to modeling tools.

May 2013 - White Paper Software Assurance Education Overview

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses the growing demand for skilled professionals who can build security and correct functionality into software.

May 2013 - White Paper Governance and Management References

Authors: Julia H. Allen

In this paper, Julia Allen provides references related to governance and management.

May 2013 - White Paper Getting Secure Software Assurance Knowledge into Conventional Practice

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors describe three educational initiatives in support of software assurance education.

May 2013 - White Paper General Modeling Concepts

Topics: Cybersecurity Engineering, Software Assurance

Authors: Samuel T. Redwine

In this paper, Samuel Redwine introduces several concepts related to the Introduction to Modeling Tools for Software Security article and modeling in general.

May 2013 - White Paper A Systemic Approach for Assessing Software Supply-Chain Risk

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Audrey J. Dorofee, Carol Woody, Christopher J. Alberts, Rita C. Creel, Robert J. Ellison

In this paper, the authors highlight the approach being implemented by SEI researchers and provide a summary of the status of this work.

May 2013 - White Paper Framing Security as a Governance and Management Concern: Risks and Opportunities

Authors: Julia H. Allen

In this paper, Julia Allen describes six "assets" or requirements of being in business that can be compromised by insufficient security investment.

May 2013 - White Paper Assembly, Integration, and Evolution Overview

Topics: Cybersecurity Engineering, Software Assurance

Authors: Howard F. Lipson

In this paper, Howard Lipson describes the objective of the Assembly, Integration & Evolution content area.

May 2013 - White Paper Deployment and Operations References

Authors: Julia H. Allen

In this paper, Julia Allen provides a list of references related to deployment and operations.

May 2013 - White Paper Deploying and Operating Secure Systems

Topics: Cybersecurity Engineering, Software Assurance

Authors: Julia H. Allen

In this paper, Julia Allen provides a brief overview of deployment and operations security issues and advice for using related practices.

May 2013 - White Paper Two Nationally Sponsored Initiatives for Disseminating Assurance Knowledge

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors describe two efforts that support national cybersecurity education goals.

May 2013 - Webinar Architecture and Design of Service-Oriented Systems (Part 2)

Topics: Service-Oriented Architecture, Software Architecture

Authors: Grace Lewis

The second part will focus on SOA infrastructure-design considerations, decomposition of an enterprise service bus (ESB) into patterns and tactics as an example of SOA infrastructure, and principles of service design.

May 2013 - White Paper Foundations for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors highlight efforts underway to address our society's growing dependence on software and the need for effective software assurance.

May 2013 - White Paper Assurance Cases Overview

Topics: Cybersecurity Engineering, Software Assurance

Authors: Howard F. Lipson

In this paper, Howard Lipson introduces the concepts and benefits of developing and maintaining assurance cases for security.

May 2013 - Presentation An Architecturally Evident Coding Style

Authors: George Fairbanks (Rhino Research)

A presentation given at the SATURN 2013 conference, held April 29 - May 3, 2013, in Minneapolis, MN.

May 2013 - White Paper It’s a Nice Idea but How Do We Get Anyone to Practice It? A Staged Model for Increasing Organizational Capability in Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy)

In this paper, Dan Shoemaker presents a standard approach to increasing the security capability of a typical IT function.

May 2013 - White Paper Software Security Engineering: A Guide for Project Managers (white paper)

Topics: Cybersecurity Engineering, Software Assurance

Authors: Gary McGraw, Julia H. Allen, Nancy R. Mead, Robert J. Ellison, Sean Barnum

In this guide, the authors discuss our reliance on software and systems that use the internet or internet-exposed private networks.

May 2013 - White Paper Requirements Elicitation Introduction

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses elicitation methods and the kind of tradeoff analysis that can be done to select a suitable one.

May 2013 - White Paper Requirements Prioritization Introduction

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses using a systematic prioritization approach to prioritize security requirements.

May 2013 - White Paper Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets

Authors: Eric Hough, Hassan Osman, Jonathan Caulkins, Nancy R. Mead

In this paper, the authors introduce a novel method of optimizing security countermeasure investments using integer programming (IP).

May 2013 - White Paper Security Is Not Just a Technical Issue

Authors: Julia H. Allen

In this paper, Julia Allen defines the scope of governance concerns as they apply to security.

May 2013 - Presentation 15 Years of SOA at Credit Suisse: Lessons Learned and Remaining Challenges

Authors: Stephan Murer (Credit Suisse)

A keynote presentation given at SATURN 2013, held April 29 - May 3, 2013, in Minneapolis, MN.

May 2013 - Podcast Using a Malware Ontology to Make Progress Towards a Science of Cybersecurity

Topics: Malware Analysis

Authors: Dave Mundie, Julia H. Allen

In this podcast, Dave Mundie explains why a common language is essential to developing a shared understanding to better analyze malicious code.

May 2013 - Podcast The Business Case for Systems Engineering

Topics: Performance and Dependability

Authors: Joseph Elm, Suzanne Miller

Joe Elm discusses the results of a recent technical report, which establishes clear links between the application of systems engineering (SE) best practices to projects and programs and the performance of those projects and programs.

May 2013 - Technical Report PSP-VDC: An Adaptation of the PSP that Incorporates Verified Design by Contract

Topics: Measurement and Analysis, Process Improvement

Authors: Silvana Moreno (Universidad de la República), Álvaro Tasistro (Universidad ORT Uruguay), Diego Vallespir (Universidad de la República), William Nichols

This paper describes a proposal for integrating Verified Design by Contract into PSP in order to reduce the amount of defects present at the Unit Testing phase, while preserving or improving productivity.

May 2013 - Presentation Design Space of Modern HTML5/JavaScript Web Applications

Authors: Marcin Nowak, Cesare Pautasso

A presentation given at the SATURN 2013 conference, held April 29 - May 3, 2013, in Minneapolis, MN.

May 2013 - Conference Paper Towards a Quantitative Method for Assuring Coordinated Autonomy

Authors: Sagar Chaki, Joseph Giampapa

This article introduces a reliability engineering assurance approach based on probabilistic model checking.

May 2013 - Presentation Learning to Surf

Authors: Mary Poppendieck (Poppendieck.LLC)

A keynote address given at the SATURN 2013 conference, held April 29 - May 3, 2013, in Minneapolis, MN.

May 2013 - Presentation Games Architects Play: On Reasoning Fallacies, Cognitive Biases, and Politics

Authors: Philippe Kruchten

An invited address at the SATURN 2013 conference, held April 29 - May 3, 2013, in Minneapolis, MN.

May 2013 - Presentation Architectural Decisions: The State of Affairs and the Way Forward

Authors: Olaf Zimmermann

Notes from a Birds of a Feather session from SATURN 2013, held April 29 - May 3, 2013, in Minneapolis, MN.

May 2013 - Presentation Enterprise Architecture for the "Business of IT"

Authors: Charlie Betz (No Affiliation)

A presentation given at the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Enabling Software Excellence at a Hardware Company

Authors: Fredrix X. Ekdahl (ABB), John Hudepohl (ABB), Brian Robinson (ABB Corporate Research), Sascha Stoeter (ABB)

A presentation from the SATURN 2013 conference, held April 29 - May 3, 2013, in Minneapolis, Minnesota.

May 2013 - Presentation Mission Thread Workshop (MTW): Preparation and Execution

Topics: Software Architecture, System of Systems

Authors: Michael J. Gagliardi, Timothy Morrow, William G. Wood

This presentation describes the Mission Thread Workshop (MTW) and its benefits. The three phases for conducting an MTW are explained, as well as how the MTW fits into system-of-systems architecture development and analysis.

May 2013 - Article Architecting for Large-Scale Agile Development: A Risk-Driven Approach

Topics: Software Architecture

Authors: Ipek Ozkaya, Michael J. Gagliardi, Robert Nord

This article focuses on two agile architecting methods that provide rapid feedback on the state of agile team support: architecture-centric risk factors for adoption of agile development at scale and incremental architecture evaluations.

May 2013 - Presentation CloudMTD: Using Real Options to Manage Technical Debt in Cloud-Based Service Selection

Authors: Esra Alzaghoul (University of Birmingham), Rami Bahsoon (University of Birmingham)

A presentation from the Managing Technical Debt Workshop, held in May 2013 in conjunction with ICSE 2013.

May 2013 - Presentation An Emerging Set of Integrated Architecture and Agile Practices That Speed Up Delivery

Authors: Stephany Bellomo

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Agile Architecture and Design (2013)

Authors: Pradyumn Sharma (Pragati Software Pvt Ltd)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Adapting View Models as a Means for Sharing User Interface Code Between OS X and iOS

Authors: Dileepa Jayathilake (99X Technology)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation The Design Space of Modern HTML5/JavaScript Web Applications

Authors: Marcin Nowak, Cesare Pautasso

This presentation gives a tour of the architectural design-decision space for modern Web applications.

May 2013 - White Paper How You Can Help Your Utility Clients with a Critical Aspect of Smart Grid Transformation They Might be Overlooking

Topics: Smart Grid Maturity Model, Cyber Risk and Resilience Management

Authors: The SGMM Communications Team

This paper discusses how you can use the Smart Grid Maturity Model (SGMM) to benefit your utility clients.

May 2013 - White Paper Five Smart Grid Questions Every Utility Executive Should Ask

Topics: Smart Grid Maturity Model, Cyber Risk and Resilience Management

Authors: The SGMM Communications Team

This paper recommends the Smart Grid Maturity Model (SGMM), a tool utilities can use to plan and measure smart grid progress.

May 2013 - Technical Note Application Virtualization as a Strategy for Cyber Foraging in Resource-Constrained Environments

Authors: Dominik Messinger, Grace Lewis

This technical note explores application virtualization as a more lightweight alternative to VM synthesis for cloudlet provisioning.

May 2013 - Presentation Using ATAM to Select the Right NoSQL Database

Authors: Dan McCreary (Kelly-McCreary & Associates)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation The Conflict Between Agile and Architecture: Myth or Reality?

Authors: Simon Brown (Coding the Architecture)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Test-Driven Non-Functionals? Test-Driven Non-Functionals!

Authors: Wilco Koorn (Xebia)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Tailoring a Method for System Architecture Analysis

Authors: Joakim Fröberg (Mälardalen University), Stig Larsson (Effective Change AB), Per-Åke Nordlander (BAE Systems AB)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Product Analysis Jump-Start Method: Consider the Big Picture Before You Sprint into Your Project

Authors: Stephen LeTourneau (Sandia National Laboratories)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Next-Gen Web Architecture for the Cloud Era

Authors: Darryl Nelson (Raytheon)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Mission Thread Workshop: Preparation and Execution

Authors: Timothy Morrow

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Leveraging Simulation to Create Better Software Systems in an Agile World

Authors: Jason Ard (Raytheon Missile Systems), Kristine Davidsen (Raytheon Missile Systems)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Lean and Mean Architecting with Risk- and Cost-Driven Architecture (RCDA)

Authors: Eltjo Poort (CGI)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Introducing Design Pattern-Based Abstraction Modeling Construct as a Software Architecture Compositional Technique

Authors: Sargon Hasso (Wolterskluwer), Robert Carlson (Illinois Institute of Technology)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation eMontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

Authors: Soumya Simanta, Gene Cahill, Edwin J. Morris

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Design and Analysis of Cyber-Physical Systems: AADL and Avionics Systems

Authors: Peter H. Feiler, Julien Delange

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Architecture Patterns for Mobile Systems in Resource-Constrained Environments

Authors: Grace Lewis, Jeff Boleng, Gene Cahill, Edwin J. Morris, Marc Novakouski, James Root, Soumya Simanta

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Architecting for User Extensibility

Authors: Russell Miller (SunView Software, Inc.)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

May 2013 - Presentation Applying Architectural Patterns for the Cloud: Lessons Learned During Pattern Mining and Application

Authors: Ralph Retter (Daimler TSS)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation Modeling the Contributions of Software Architecture to the Success of an Ecosystem

Authors: John McGregor, J. Yates Monteith (Clemson University), Simone Amorim (University Federal of Bahia), Eduardo Almeida (University Federal of Bahia)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation Using Architecture to Guide Cybersecurity Improvements for the Smart Grid

Topics: Cyber Risk and Resilience Management

Authors: Elizabeth Sisley (Calm Sunrise Consulting LLC)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation Implementing Contextual Design in a Corporation Without a History of Using Contextual Design

Authors: Elizabeth Correa (Verizon)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation How to Implement Zero-Debt Continuous Inspection Architecture in an Agile Manner

Authors: Brian Chaplin (Chaplin Solutions)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation How to Build, Implement, and Use an Architecture Metamodel

Authors: Chris Armstrong (Armstrong Process Group, Inc.)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation BestBuy.com's Cloud Architecture

Authors: Joel Crabb (Best Buy, Inc.)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation Automated Provisioning of Cloud and Cloudlet Applications

Authors: Jeff Boleng, Grace Lewis, Vignesh Shenoy (Carnegie Mellon University), Manoj Subramaniam (Carnegie Mellon University), Varun Tibrewal (Carnegie Mellon University)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation Architecture-Centric Procurement

Authors: John K. Bergey, Lawrence G. Jones

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Presentation Architecting Long-Lived Systems

Authors: Einar Landre, Harald Wesenberg, Arne Wiklund (Kongsberg)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - Webinar Secure Coding - Avoiding Future Security Incidents

Topics: Secure Coding

Authors: Robert C. Seacord

In this 2013 webinar, Robert Seacord discusses secure coding as part of preventing security incidents.

April 2013 - Presentation Architecting Cyber-Physical Systems in the Age of the Industrial Internet

Authors: Benjamin E. Beckmann (GE Global Research), Amine Chigani, Thomas Citriniti (GE Global Research), Joseph Salvo (GE Global Research)

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.

April 2013 - White Paper The Perils of Treating Software as a Specialty Engineering Discipline

Topics: Acquisition Support

Authors: Keith Korzec, Tom Merendino

This paper reviews the perils of insufficiently engaging key software domain experts during program development.

April 2013 - Video A Discussion with CERT Experts: Constructing a Secure Cyber Future

Topics: Secure Coding

Authors: Robert C. Seacord

In this video, Robert Seacord discusses what the CERT Division is doing to improve secure development practices.

April 2013 - White Paper Four Pillars for Improving the Quality of Safety-Critical Software-Reliant Systems

Topics: Software Architecture

Authors: Peter H. Feiler, John B. Goodenough, Arie Gurfinkel, Charles B. Weinstock, Lutz Wrage

This white paper presents an improvement strategy comprising four pillars of an integrate-then-build practice that lead to improved quality through early defect discovery and incremental end-to-end validation and verification.

April 2013 - Podcast Applying Agile in the DoD: First Principle

Topics: Acquisition Support

Authors: Mary Ann Lapham, Suzanne Miller

In this episode, Suzanne Miller and Mary Ann Lapham discuss the application of the first Agile principle, "Our highest priority is to satisfy the customer through early and continuous delivery of valuable software."

April 2013 - Presentation Understanding the Drivers Behind Software Acquisition Program Performance

Topics: Acquisition Support

Authors: Andrew P. Moore, William E. Novak

This presentation was delivered at the April 2013 STC.

April 2013 - Podcast The Evolution of a Science Project

Topics: Acquisition Support

Authors: Andrew P. Moore, William Novak

In this podcast, Bill Novak and Andy Moore describe a recent technical report, The Evolution of a Science Project, which intends to improve acquisition staff decision-making.

March 2013 - Podcast Securing Mobile Devices aka BYOD

Authors: Joe Mayes, Julia H. Allen

In this podcast, Joe Mayes discusses how to ensure the security of personal mobile devices that have access to enterprise networks.

March 2013 - Podcast What's New With Version 2 of the AADL Standard?

Topics: Software Architecture

Authors: Peter Feiler

In this podcast, Peter Feiler discusses the latest changes to the Architecture Analysis & Design Language (AADL) standard.

March 2013 - Conference Paper Eliminative Induction: A Basis for Arguing System Confidence

Topics: Software Architecture, Software Assurance

Authors: John B. Goodenough, Charles B. Weinstock, Ari Z. Klein

In this paper, the authors explain how the principle of eliminative induction provides a basis for assessing confidence in an assurance case argument.

March 2013 - Webinar Architecture and Design of Service-Oriented Systems (Part 1)

Topics: Service-Oriented Architecture, Software Architecture

Authors: Grace Lewis

The objective of this tutorial is to provide guidance on the architecture and design of service-oriented systems. Part I covers basic concepts and impact.

March 2013 - White Paper Identifying a Shared Mental Model Among Incident Responders

Topics: Incident Management

Authors: Robert Floodeen, John Haller, Brett Tjaden

In this paper, the authors explore how effective communication might be improved by the development of a mental model internalized by the group's technical staff prior to an incident.

March 2013 - Technical Note Software Assurance Competency Model

Topics: Cybersecurity Engineering, Software Assurance

Authors: Thomas B. Hilburn (Embry-Riddle Aeronautical University), Mark A. Ardis (Stevens Institute of Technology), Glenn Johnson ((ISC)2), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Nancy R. Mead

In this report, the authors describe a model that helps create a foundation for assessing and advancing the capability of software assurance professionals.

March 2013 - Podcast The State of the Practice of Cyber Intelligence

Topics: Cyber-Physical Systems

Authors: Jay McAllister, Troy Townsend, Suzanne Miller

In this podcast, Troy Townsend and Jay McAllister discuss their findings on the state of the practice of cyber intelligence.