Julia H. Allen
Software Engineering Institute
Julia Allen is an SEI alumni employee.
Julia Allen is a principal researcher within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, security governance, and measurement and analysis. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a Bachelor of Science in Computer Science (University of Michigan) and a Master of Science degree in Electrical Engineering (University of Southern California). Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2010).
Publications by Julia H. Allen
CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience
July 08, 2016 • Book
Richard A. Caralli, Julia H. Allen, David W. White
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.
Structuring the Chief Information Security Officer Organization
April 14, 2016 • Webinar
Julia H. Allen, Nader Mehravari
This webinar described a CISO organizational structure and functions for a typical large, diverse organization using input from CISOs, policies, frameworks, maturity models, standards, and codes of practice.
Structuring the Chief Information Security Officer Organization
December 23, 2015 • Podcast
Nader Mehravari, Julia H. Allen, Lisa R. Young
In this podcast, Nader Mehravari and Julia Allen, members of the CERT Cyber Risk Management team, discuss an effective approach for defining a CISO team structure and functions for large, diverse organizations.
Structuring the Chief Information Security Officer Organization
October 06, 2015 • Technical Note
Julia H. Allen, Gregory Crabb (U.S. Postal Inspection Service), Pamela D. Curtis
The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.
Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution
September 16, 2015 • Technical Report
Douglas Gray, Brian D. Wisniewski, Julia H. Allen
This technical report focuses on cybersecurity at the indirect, strategic level. It discusses how cybersecurity decision makers at the tactical or implementation level can establish a supportive contextual environment to help enable their success.
Capturing the Expertise of Cybersecurity Incident Handlers
August 27, 2015 • Podcast
Samuel J. Perl, Richard O. Young, Julia H. Allen
In this podcast, Dr. Richard Young, a professor with CMU, and Sam Perl, a member of the CERT Division, discuss their research on how expert cybersecurity incident handlers react when faced with an incident.
CERT Cyber Risk Insurance Symposium Overview
April 09, 2015 • Audio
Summer C. Fowler, James J. Cebula, Julia H. Allen
In this interview, Summer Fowler and Jim Cebula provide an overview of the May 2015 CERT Cyber Risk Insurance Symposium.
Supply Chain Risk Management: Managing Third Party and External Dependency Risk
March 26, 2015 • Podcast
John Haller, Matthew J. Butkovic, Julia H. Allen
In this podcast, Matt Butkovic and John Haller discuss approaches for more effectively managing supply chain risks, focusing on risks arising from "external entities that provide, sustain, or operate Information and Communications Technology (ICT)."
Defining a Maturity Scale for Governing Operational Resilience
March 19, 2015 • Technical Note
Katie C. Stewart, Julia H. Allen, Audrey J. Dorofee
Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.
A Workshop on Measuring What Matters
February 20, 2015 • Podcast
Lisa R. Young, Michelle A. Valdez, Katie C. Stewart
This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.
A Proven Method for Meeting Export Control Objectives in Postal and Shipping Sectors
February 10, 2015 • Technical Note
Greg Crabb (United States Postal Service), Julia H. Allen, Pamela D. Curtis
This report describes how the CERT-RMM enabled the USPIS to implement an innovative approach for achieving complex international mail export control objectives.
Measuring What Matters Workshop Report
February 09, 2015 • Technical Note
Katie C. Stewart, Julia H. Allen, Michelle A. Valdez
This report describes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.
Cyber Insurance and Its Role in Mitigating Cybersecurity Risk
January 08, 2015 • Podcast
James J. Cebula, David W. White, Julia H. Allen
In this podcast, Jim Cebula and David White discuss cyber insurance and its potential role in reducing operational and cybersecurity risk.
A Taxonomy of Operational Risks for Cyber Security
October 07, 2014 • Podcast
James J. Cebula, Julia H. Allen
In this podcast, James Cebula describes how to use a taxonomy to increase confidence that your organization is identifying cyber security risks.
CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0)
September 18, 2014 • Technical Note
Julia H. Allen, Greg Crabb (United States Postal Service), Pamela D. Curtis
This report describes a new process area that ensures that international mail is transported according to Universal Postal Union standards.
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0)
September 18, 2014 • Technical Note
Julia H. Allen, Greg Crabb (United States Postal Service), Pamela D. Curtis
This report describes a new process area that ensures that the USPS is compensated for mail that is accepted, transported, and delivered.
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0)
September 18, 2014 • Technical Note
Julia H. Allen, Greg Crabb (United States Postal Service), Pamela D. Curtis
This report describes a new process area that ensures that mail is inducted into the U.S. domestic mail stream according to USPS standards and requirements.
United States Postal Inspection Service (USPIS)
June 17, 2014 • Webinar
Julia H. Allen
Watch Julia Allen discuss the United States Postal Inspection Service (USPIS) case study from the SEI Virtual Event, CERT® Operational Resilience: Manage, Protect and Sustain.
Characterizing and Prioritizing Malicious Code
May 29, 2014 • Podcast
Jose A. Morales, Julia H. Allen
In this podcast, Jose Morales discusses how to prioritize malware samples, helping analysts to identify the most destructive malware to examine first.
Comparing IT Risk Assessment and Analysis Methods
March 25, 2014 • Podcast
Ben Tomhave, Erik Heidt, Julia H. Allen
In this podcast, the presenters discuss IT risk assessment and analysis, and comparison factors for selecting methods that are a good fit for your organization.
The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
February 11, 2014 • Podcast
Jason Christopher (U.S. Department of Energy), Nader Mehravari, Julia H. Allen
ES-C2M2 helps improve the operational resilience of the U.S. power grid.
Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using the CERT® Resilience Management Model
January 17, 2014 • Technical Note
Greg Crabb (United States Postal Service), Julia H. Allen, Nader Mehravari
In this report, the authors describe how to improve the resilience of U.S. Postal Service products and services.
A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure
January 17, 2014 • Technical Note
Greg Crabb (United States Postal Service), Julia H. Allen, Pamela D. Curtis
In this report, the authors describe a method of identifying physical security gaps in international mail processing centers and similar facilities.
Raising the Bar - Mainstreaming CERT C Secure Coding Rules
January 07, 2014 • Podcast
Robert C. Seacord, Julia H. Allen
In this podcast, Robert Seacord describes the CERT-led effort to publish an ISO/IEC technical specification for secure coding rules for compilers and analyzers.
Using the Cyber Resilience Review to Help Critical Infrastructures Better Manage Operational Resilience
November 26, 2013 • Podcast
Kevin Dillon (Department of Homeland Security), Matthew J. Butkovic, Julia H. Allen
In this podcast, the presenters explain how CRRs allow critical infrastructure owners to compare their cybersecurity performance with their peers.
Why Use Maturity Models to Improve Cybersecurity: Key Concepts, Principles, and Definitions
August 27, 2013 • Podcast
Richard A. Caralli, Julia H. Allen
In this podcast, Rich Caralli explains how maturity models provide measurable value in improving an organization's cybersecurity capabilities.
Development of a Master of Software Assurance Reference Curriculum - 2013 IJSSE
July 31, 2013 • White Paper
Andrew J. Kornecki (Embry-Riddle Aeronautical University), James McDonald (Monmouth University), Julia H. Allen
In this paper, the authors present an overview of the Master of Software Assurance curriculum, including its history, student prerequisites, and outcomes.
DevOps - Transform Development and Operations for Fast, Secure Deployments
July 30, 2013 • Podcast
Gene Kim (IP Services and ITPI), Julia H. Allen
In this podcast, Gene Kim explains how the "release early, release often" approach significantly improves software performance, stability, and security.
Risk-Centered Practices
July 02, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen discusses the role that risk management and risk assessment play in choosing which security practices to implement.
Navigating the Security Practice Landscape
July 02, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen presents a summary of ten leading sources of security practice definition and implementation guidance.
Plan, Do, Check, Act
July 02, 2013 • White Paper
Julia H. Allen
In this paper, Ken van Wyk provides a primer on the most commonly used tools for traditional penetration testing.
Managing Disruptive Events - CERT-RMM Experience Reports
June 11, 2013 • Podcast
Nader Mehravari, Julia H. Allen
In this podcast, the participants describe four experience reports that demonstrate how the CERT-RMM can be applied to manage operational risks.
Maturity of Practice
May 23, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen identifies indicators that organizations are addressing security as a governance and management concern, at the enterprise level.
Integrating Security and IT
May 21, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen describes the key relationship between IT processes and security controls.
How Much Security Is Enough?
May 21, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen provides guidelines for answering this question, including means for determining adequate security based on risk.
Governance and Management References
May 14, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen provides references related to governance and management.
Framing Security as a Governance and Management Concern: Risks and Opportunities
May 14, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen describes six "assets" or requirements of being in business that can be compromised by insufficient security investment.
Deployment and Operations References
May 14, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen provides a list of references related to deployment and operations.
Deploying and Operating Secure Systems
May 14, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen provides a brief overview of deployment and operations security issues and advice for using related practices.
Software Security Engineering: A Guide for Project Managers (white paper)
May 13, 2013 • White Paper
Gary McGraw, Julia H. Allen, Nancy R. Mead
In this guide, the authors discuss our reliance on software and systems that use the internet or internet-exposed private networks.
Security Is Not Just a Technical Issue
May 13, 2013 • White Paper
Julia H. Allen
In this paper, Julia Allen defines the scope of governance concerns as they apply to security.
Using a Malware Ontology to Make Progress Towards a Science of Cybersecurity
May 09, 2013 • Podcast
Dave Mundie, Julia H. Allen
In this podcast, Dave Mundie explains why a common language is essential to developing a shared understanding to better analyze malicious code.
Securing Mobile Devices aka BYOD
March 26, 2013 • Podcast
Joe Mayes, Julia H. Allen
In this podcast, Joe Mayes discusses how to ensure the security of personal mobile devices that have access to enterprise networks.
Mitigating Insider Threat - New and Improved Practices Fourth Edition
February 28, 2013 • Podcast
George Silowash, Lori Flynn, Julia H. Allen
In this podcast, participants explain how 371 cases of insider attacks led to 4 new and 15 updated best practices for mitigating insider threats.
Managing Disruptive Events: Demand for an Integrated Approach to Better Manage Risk
January 31, 2013 • Podcast
Nader Mehravari, Julia H. Allen
In this podcast, Nader Mehravari describes how governments and markets are calling for the integration of plans for and responses to disruptive events.
Managing Disruptive Events: Making the Case for Operational Resilience
December 19, 2012 • Podcast
Nader Mehravari, Julia H. Allen
In this podcast, Nader Mehravari describes how today's high-risk, global, fast, and very public business environment demands a more integrated approach.
Analyzing Cases of Resilience Success and Failure - A Research Study
December 01, 2012 • Technical Note
Julia H. Allen, Pamela D. Curtis, Andrew P. Moore
In this report, the authors describe research aimed at helping organizations to know the business value of implementing resilience processes and practices.
Using Network Flow Data to Profile Your Network and Reduce Vulnerabilities
October 23, 2012 • Podcast
Austin Whisnant, Sid Faber, Julia H. Allen
In this podcast, participants discuss how a network profile can help identify unintended points of entry, misconfigurations, and other weaknesses.
How to More Effectively Manage Vulnerabilities and the Attacks that Exploit Them
September 25, 2012 • Podcast
Art Manion, Julia H. Allen
In this podcast, Greg Crabb explains how CERT-RMM can be used to establish and meet resilience requirements for a wide range of business objectives.
U.S. Postal Inspection Service Use of the CERT Resilience Management Model
August 21, 2012 • Podcast
Greg Crabb (U.S. Postal Inspection Service), Julia H. Allen
In this podcast, Greg Crabb explains how CERT-RMM can be used to establish and meet resilience requirements for a wide range of business objectives.
Insights from the First CERT Resilience Management Model Users Group
July 17, 2012 • Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young explains that implementing CERT-RMM requires well-defined improvement objectives, sponsorship, and more.
NIST Catalog of Security and Privacy Controls, Including Insider Threat
April 24, 2012 • Podcast
Ron Ross (NIST), Joji Montelibano, Julia H. Allen
In this podcast, participants discuss why security controls, including those for insider threat, are necessary to protect information and information systems.
Report from the First CERT-RMM Users Group Workshop Series
April 01, 2012 • Technical Note
Julia H. Allen, Lisa R. Young
In this report, the authors describe the first CERT RMM Users Group (RUG) Workshop Series and the experiences of participating members and CERT staff.
Cisco's Adoption of CERT Secure Coding Standards
February 28, 2012 • Podcast
Martin Sebor (Cisco), Julia H. Allen
In this podcast, Martin Sebor explains how implementing secure coding standards is a sound business decision.
Deriving Software Security Measures from Information Security Standards of Practice
February 16, 2012 • White Paper
Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard
In this paper, the authors describe an approach for deriving measures of software security from common standard practices for information security.
Risk-Based Measurement and Analysis: Application to Software Security
February 01, 2012 • Technical Note
Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.
How to Become a Cyber Warrior
January 31, 2012 • Podcast
Dennis M. Allen, Julia H. Allen
In this podcast, Dennis Allen explains that protecting the internet and its users against cyber attacks requires more skilled cyber warriors.
Considering Security and Privacy in the Move to Electronic Health Records
December 20, 2011 • Podcast
Deborah Lafky (Healthcare Information Technology (HIT) Security/Cybersecurity), Matthew J. Butkovic, Julia H. Allen
In this podcast, participants discuss how using electronic health records brings many benefits along with security and privacy challenges.
Using Defined Processes as a Context for Resilience Measures
December 01, 2011 • Technical Note
Julia H. Allen, Pamela D. Curtis, Linda Parker Gates
In this report, the authors describe how implementation-level processes can provide context for identifying and defining measures of operational resilience.
Measuring Operational Resilience
October 04, 2011 • Podcast
Julia H. Allen, Pamela D. Curtis
In this podcast, Julia Allen explains that measures of operational resilience should answer key questions, inform decisions, and affect behavior.
Why Organizations Need a Secure Domain Name System
September 06, 2011 • Podcast
Alex Nicoll, Julia H. Allen
Use of Domain Name System security extensions can help prevent website hijacking attacks.
Controls for Monitoring the Security of Cloud Services
August 02, 2011 • Podcast
Art Manion, Jonathan Spring, Julia H. Allen
In this podcast, participants explain that how cloud providers and customers can use controls to protect sensitive information depends on the service model.
Building a Malware Analysis Capability
July 12, 2011 • Podcast
Jeff Gennari, Julia H. Allen
In this podcast, Jeff Gennari explains that analyzing malware is essential to assessing the damage and reducing the impact associated with ongoing infection.
Measures for Managing Operational Resilience
July 01, 2011 • Technical Report
Julia H. Allen, Pamela D. Curtis
In this report, the Resilient Enterprise Management (REM) team suggests a set of top ten strategic measures for managing operational resilience.
Software Assurance Curriculum Master Bibliography and Course References
June 01, 2011 • User's Guide
Julia H. Allen, Nancy R. Mead, Mark A. Ardis (Stevens Institute of Technology)
In this report, the authors provide the master bibliography that is used with the software assurance curriculum.
Using the Smart Grid Maturity Model (SGMM)
May 05, 2011 • Podcast
David W. White, Julia H. Allen
In this podcast, David White describes how over 100 electric power utilities are using the Smart Grid Maturity Model.
Integrated, Enterprise-Wide Risk Management: NIST 800-39 and CERT-RMM
March 29, 2011 • Podcast
Ron Ross (NIST), James J. Cebula, Julia H. Allen
In this podcast, participants explain why and how business leaders must address risk at the enterprise, business process, and system levels.
Using CERT-RMM in a Software and System Assurance Context
March 24, 2011 • Presentation
Julia H. Allen
In this presentation, Julia Allen describes how organizations can employ CERT-RMM immediately to jump-start assurance considerations in early life cycle activities.
Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi
March 01, 2011 • Technical Report
Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology)
In this report, the authors provide sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum.
Conducting Cyber Exercises at the National Level
February 22, 2011 • Podcast
Brett Lambo (U.S. Department of Homeland Security), Matthew J. Butkovic, Julia H. Allen
In this podcast, participants discuss exercises that help organizations, governments, and nations prepare for, identify, and mitigate cyber risks.
Risk and Resilience: Considerations for Information Security Risk Assessment and Management
February 01, 2011 • Presentation
Julia H. Allen, James J. Cebula
In this presentation, the authors introduce audience members to the CERT Resilience Management Model.
Indicators and Controls for Mitigating Insider Threat
January 25, 2011 • Podcast
Michael Hanley, Julia H. Allen
In this podcast, Michael Hanley explains how technical controls can be effective in helping to prevent, detect, and respond to insider crimes.
Security Measurement and Analysis
January 01, 2011 • Presentation
Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard
In this presentation, the authors describe work being performed by the SEI in the area of security measurement and analysis.
How Resilient Is My Organization?
December 09, 2010 • Podcast
Richard A. Caralli, David W. White, Julia H. Allen
In this podcast, Richard Caralli explains how CERT-RMM can ensure that critical assets and services perform as expected in the face of stress and disruption.
Public-Private Partnerships: Essential for National Cyber Security
November 30, 2010 • Podcast
Samuel A. Merrell, John Haller, Philip Huff (Arkansas Electric Cooperative Corporation)
In this podcast, participants explain that knowledge of software assurance is essential to ensure that complex systems function as intended.
Software Assurance: A Master's Level Curriculum
October 26, 2010 • Podcast
Nancy R. Mead, Thomas B. Hilburn (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory)
In this podcast, participants explain how knowledge about software assurance is essential to ensure that complex systems function as intended.
Development of a Master of Software Assurance Reference Curriculum - 2010 IJSSE
October 01, 2010 • Article
Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology)
In this article, the authors summarize the Master of Software Assurance curriculum project, including its history, outcomes, a core body of knowledge, and curriculum architecture.
How to Develop More Secure Software - Practices from Thirty Organizations
September 28, 2010 • Podcast
Gary McGraw, Sammy Migues (Cigital), Julia H. Allen
In this podcast, participants discuss how organizations can benchmark their software security practices against 109 observed activities from 30 organizations.
Integrated Measurement and Analysis Framework for Software Security
September 01, 2010 • Technical Note
Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard
In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).
Measuring Operational Resilience Using the CERT® Resilience Management Model
September 01, 2010 • Technical Note
Julia H. Allen, Noopur Davis
In this 2010 report, the authors begin a dialogue and establish a foundation for measuring and analyzing operational resilience.
Building Assured Systems Framework
September 01, 2010 • Technical Report
Nancy R. Mead, Julia H. Allen
This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.
Mobile Device Security: Threats, Risks, and Actions to Take
August 31, 2010 • Podcast
Jonathan Frederick, Julia H. Allen
In this podcast, Jonathan Frederick explains how internet-connected mobile devices are becoming increasingly attractive targets.
Establishing a National Computer Security Incident Response Team (CSIRT)
August 19, 2010 • Podcast
Jeffrey J. Carpenter, John Haller, Julia H. Allen
In this podcast, participants discuss how essential a national CSIRT is for protecting national and economic security and continuity.
Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum
August 01, 2010 • Technical Report
Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology)
In this report, the authors present a master of software assurance curriculum that educational institutions can use to create a degree program or track.
Securing Industrial Control Systems
July 27, 2010 • Podcast
Art Manion, Julia H. Allen
In this podcast, Julia Allen discusses how critical it is to secure systems that control physical switches, valves, pumps, meters, and manufacturing lines.
The Power of Fuzz Testing to Reduce Security Vulnerabilities
May 25, 2010 • Podcast
Will Dormann, Julia H. Allen
In this podcast, Will Dormann urges listeners to subject their software to fuzz testing to help identify and eliminate security vulnerabilities.
CERT Resilience Management Model, Version 1.0
May 01, 2010 • Technical Report
Richard A. Caralli, Julia H. Allen, Pamela D. Curtis
In this report, the authors present CERT-RMM, an approach to managing operational resilience in complex, risk-evolving environments.
Protect Your Business from Money Mules
April 27, 2010 • Podcast
Chad Dougherty, Julia H. Allen
Organized criminals recruit unsuspecting intermediaries to help steal funds from small businesses.
Train for the Unexpected
March 03, 2010 • Podcast
I Corporation)Julia H. Allen
In this podcast, Matthew Meyer explains that being able to respond effectively when faced with a disruptive event requires becoming more resilient.
The Role of the CISO in Developing More Secure Software
March 02, 2010 • Podcast
Pravir Chandra (Fortify Software), Julia H. Allen
In this podcast, Pravir Chandra warns that CISOs must leave no room for doubt that they understand what is expected of them when developing secure software.
Measuring Software Security
March 01, 2010 • White Paper
Julia H. Allen
This paper, extracted from the 2009 CERT Research Report, describes planned research tasks in the field of software security.
Computer and Network Forensics: A Master's Level Curriculum
February 02, 2010 • Podcast
Kristopher Rush, Julia H. Allen
In this podcast, Kris Rush describes how students learn to combine multiple facets of digital forensics and draw conclusions to support investigations.
Introducing the Smart Grid Maturity Model (SGMM)
January 12, 2010 • Podcast
Ray Jones (APQC), Julia H. Allen
In this podcast, Ray Jones explains how the SGMM provides a roadmap to guide an organization's transformation to the smart grid.
Leveraging Security Policies and Procedures for Electronic Evidence Discovery
January 09, 2010 • Podcast
John Christiansen (Christiansen IT Law), Julia H. Allen
In this podcast, John Christiansen explains that effectively responding to e-discovery requests depends on well-defined policies, procedures, and processes.
Integrating Privacy Practices into the Software Development Life Cycle
December 22, 2009 • Podcast
Ralph Hood (Microsoft), Kim Howell (Microsoft), Julia H. Allen
In this podcast, participants explain that addressing privacy during software development is just as important as addressing security.
Using the Facts to Protect Enterprise Networks: CERT's NetSA Team
December 01, 2009 • Podcast
Timothy J. Shimeall, Julia H. Allen
In this podcast, Timothy Shimeall describes how network defenders and business leaders can use NetSA measures to protect their networks.
Ensuring Continuity of Operations When Business Is Disrupted
November 10, 2009 • Podcast
Ilsley Corporation)Julia H. Allen
In this podcast, Gary Daniels explains that providing critical services during times of stress depends on documented, tested business continuity plans.
Managing Relationships with Business Partners to Achieve Operational Resiliency
October 20, 2009 • Podcast
David W. White, Julia H. Allen
In this podcast, David White explains why a defined, managed process for third party relationships is essential, particularly when business is disrupted.
The Smart Grid: Managing Electrical Power Distribution and Use
September 29, 2009 • Audio
Julia H. Allen, James F. Stevens
The smart grid is the use of digital technology to modernize the power grid, which comes with some new privacy and security challenges.
The Smart Grid: Managing Electrical Power Distribution and Use
September 29, 2009 • Podcast
James F. Stevens, Julia H. Allen
In this podcast, James Stevens explains how using the smart grid comes with some new privacy and security challenges.
Electronic Health Records: Challenges for Patient Privacy and Security
September 08, 2009 • Podcast
Robert Charette (ITABHI Corporation), Julia H. Allen
In this podcast, Robert Charette explains why electronic health records (EHRs) are possibly the most complicated area of IT today.
Mitigating Insider Threat: New and Improved Practices
August 18, 2009 • Podcast
Dawn Cappelli, Randall F. Trzeciak, Andrew P. Moore
Two hundred and eighty-two cases of actual insider attacks suggest 16 best practices for preventing and detecting insider threat.
Rethinking Risk Management
July 07, 2009 • Podcast
Christopher J. Alberts, Julia H. Allen
In this podcast, Christopher Alberts urges business leaders to adopt new approaches to addressing risks across the life cycle and supply chain.
The Upside and Downside of Security in the Cloud
June 16, 2009 • Podcast
Tim Mather (RSA), Julia H. Allen
In this podcast, Tim Mather advises business leaders considering cloud services to weigh the economic benefits against the security and privacy risks.
More Targeted, Sophisticated Attacks: Where to Pay Attention
May 26, 2009 • Podcast
Martin Linder, Julia H. Allen
In this podcast, Martin Linder urges business leaders to take action to better mitigate sophisticated social engineering attacks.
Is There Value in Identifying Software Security "Never Events?"
May 05, 2009 • Podcast
Robert Charette (ITABHI Corporation), Julia H. Allen
In this podcast, Robert Charette suggests when to examine responsibilities when developing software with known, preventable errors.
Cyber Security, Safety, and Ethics for the Net Generation
April 14, 2009 • Podcast
Rodney Petersen (EDUCAUSE), Julia H. Allen
In this podcast, Rodney Petersen explains why capitalizing on the cultural norms of the Net Generation is essential when developing security awareness programs.
Making the Business Case for Software Assurance
April 01, 2009 • Special Report
Nancy R. Mead, Julia H. Allen, W. Arthur Conklin
In this report, the authors provide advice for those making a business case for building software assurance into software products during software development.
read -
An Experience-Based Maturity Model for Software Security
March 31, 2009 • Podcast
Brian Chess (Fortify Software), Sammy Migues (Cigital), Gary McGraw
In this podcast, participants discuss how observed practice, represented as a maturity model, can serve as a basis for developing more secure software.
learn more -
Mainstreaming Secure Coding Practices
March 17, 2009 • Podcast
Robert C. Seacord, Julia H. Allen
In this podcast, Robert Seacord explains how requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities.
learn more -
Security: A Key Enabler of Business Innovation
March 03, 2009 • Podcast
Laura Robinson (Robinson Insight), Roland Cloutier (EMC Corporation), Julia H. Allen
In this podcast, participants describe how making security strategic to business innovation involves seven strategies.
learn more -
Better Incident Response Through Scenario Based Training
February 17, 2009 • Podcast
Christopher May, Julia H. Allen
In this podcast, Christopher May explains how teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine.
learn more -
An Alternative to Risk Management for Information and Software Security
February 03, 2009 • Podcast
Brian Chess (Fortify Software), Julia H. Allen
In this podcast, Brian Chess explains how standards, compliance, and process are better than risk management for ensuring information and software security.
learn more -
Tackling Tough Challenges: Insights from CERT’s Director Rich Pethia
January 20, 2009 • Podcast
Richard D. Pethia, Julia H. Allen
In this podcast, Rich Pethia reflects on the CERT Division's 20-year history and discusses its future IT and security challenges.
learn more -
High-Fidelity E-Learning: The SEI's Virtual Training Environment (VTE)
January 01, 2009 • Technical Report
Jim Wrubel, David W. White, Julia H. Allen
In this 2008 report, the authors compare various approaches and tools used to capture and analyze evidence from computer memory.
read -
Climate Change: Implications for Information Technology and Security
December 09, 2008 • Podcast
Richard Power (Carnegie Mellon CyLab), Julia H. Allen
In this podcast, Richard Power explains how climate change requires new strategies for dealing with traditional IT and information security risks.
learn more -
Using High Fidelity, Online Training to Stay Sharp
November 25, 2008 • Podcast
Jim Wrubel, Julia H. Allen
In this podcast, Jim Wrubel explains how virtual training environments can deliver high quality content to security professionals on-demand, anywhere, anytime.
learn more -
Integrating Security Incident Response and e-Discovery
November 11, 2008 • Podcast
David Matthews (City of Seattle), Julia H. Allen
In this podcast, Julia Allen explains how responding to an e-discovery request involves many of the same steps and roles as responding to a security incident.
learn more -
Concrete Steps for Implementing an Information Security Program
October 28, 2008 • Podcast
Jennifer Bayuk (No Affiliation), Julia H. Allen
In this podcast, Jennifer Bayuk explains how successful security programs are based on strategy, policy, awareness, implementation, monitoring, and remediation.
learn more -
Virtual Communities: Risks and Opportunities
October 14, 2008 • Podcast
Jan Wolynski (Royal Canadian Mounted Police), Julia H. Allen
In this podcast, Jan Wolynski advises business leaders to evaluate risks and opportunities when considering conducting business in online, virtual communities.
learn more -
Developing Secure Software: Universities as Supply Chain Partners
September 30, 2008 • Podcast
Mary Ann Davidson (Oracle), Julia H. Allen
In this podcast, Mary Ann Davidson explains how integrating security into university curricula is a key solution to developing more secure software.
learn more -
Security Risk Assessment Using OCTAVE Allegro
September 16, 2008 • Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young describes OCTAVE Allegro, a streamlined assessment method that focuses on risks to information used by critical business services.
learn more -
Getting to a Useful Set of Security Metrics
September 02, 2008 • Podcast
Clint Kreitner (The Center for Internet Security), Julia H. Allen
Well-defined metrics are essential to determine which security practices are worth the investment.
learn more -
How to Start a Secure Software Development Program
August 20, 2008 • Podcast
Gary McGraw, Julia H. Allen
In this podcast, Gary McGraw explains how to achieve software security by thinking like an attacker and integrating practices into the development lifecycle.
learn more -
Managing Risk to Critical Infrastructures at the National Level
August 05, 2008 • Podcast
Bradford J. Willke, Julia H. Allen
In this podcast, Bradford Willke explains how protecting critical infrastructures and the information they use is essential for preserving our way of life.
learn more -
Analyzing Internet Traffic for Better Cyber Situational Awareness
July 28, 2008 • Podcast
Derek Gabbard, Julia H. Allen
In this podcast, Derek Gabbard discusses automation, innovation, reaction, and expansion as the foundation for meaningful network traffic intelligence.
learn more -
Managing Security Vulnerabilities Based on What Matters Most
July 22, 2008 • Podcast
Art Manion, Julia H. Allen
In this podcast, Art Manion explains that determining which security vulnerabilities to address should be based on the importance of the information asset.
learn more -
Identifying Software Security Requirements Early, Not After the Fact
July 08, 2008 • Podcast
Nancy R. Mead, Julia H. Allen
In this podcast, Nancy Mead explains that during requirements engineering, software engineers need to think about how software should behave when under attack.
learn more -
Making Information Security Policy Happen
June 24, 2008 • Podcast
Paul Love (The Standard), Julia H. Allen
In this podcast, Paul Love argues that targeted, innovative communications and a robust lifecycle are keys for security policy success.
learn more -
Becoming a Smart Buyer of Software
June 10, 2008 • Podcast
Brian P. Gallagher, Julia H. Allen
Managing software that is developed by an outside organization can be more challenging than building it yourself.
learn more -
Building More Secure Software
May 27, 2008 • Podcast
Bill Pollak, Julia H. Allen
In this podcast, Julia Allen explains how software security is about building more defect-free software to reduce vulnerabilities targeted by attackers.
learn more -
Connecting the Dots Between IT Operations and Security
May 13, 2008 • Podcast
Gene Kim (IP Services and ITPI), Julia H. Allen
In this podcast, Gene Kim describes how high performing organizations must integrate information security controls into their IT operational processes.
learn more -
Getting in Front of Social Engineering
April 29, 2008 • Podcast
Gary Hinson (No Affiliation), Julia H. Allen
In this podcast, Betsy Nichols tells us how benchmark results can compare results with peers, drive performance, and help determine how much security is enough.
learn more -
Using Benchmarks to Make Better Security Decisions
April 15, 2008 • Podcast
Betsy Nichols (PlexLogic), Julia H. Allen
In this podcast, Betsy Nichols describes how benchmark results can be used to help determine how much security is enough.
learn more -
Protecting Information Privacy - How To and Lessons Learned
April 01, 2008 • Podcast
Kim Hargraves (Microsoft), Julia H. Allen
In this podcast, Kim Hargraves describes three keys to ensuring information privacy in an organization.
learn more -
Initiating a Security Metrics Program: Key Points to Consider
March 18, 2008 • Podcast
Samuel A. Merrell, Julia H. Allen
In this podcast, Samuel Merrell explains that a sound security metrics program should select data relevant to consumers from repeatable processes.
learn more -
Insider Threat and the Software Development Life Cycle
March 04, 2008 • Podcast
Dawn Cappelli, Julia H. Allen
In this podcast, Dawn Cappelli explains how insider threat vulnerabilities can be introduced during all phases of the software development lifecycle.
learn more -
Software Security Engineering: A Guide for Project Managers (book)
March 01, 2008 • Book
Julia H. Allen, Sean Barnum, Robert J. Ellison
In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.
read -
The Art of Information Security Governance
February 24, 2008 • Presentation
Julia H. Allen
This presentation was given at the Qatar Information Security Forum, 24 February 2008.
read -
Tackling the Growing Botnet Threat
February 19, 2008 • Podcast
Nicholas Ianelli, Julia H. Allen
In this podcast, Nicholas Ianelli cautions business leaders to understand the risks to their organizations caused by the proliferation of botnets.
learn more -
Building a Security Metrics Program
February 05, 2008 • Podcast
Betsy Nichols (PlexLogic), Julia H. Allen
In this podcast, Betsy Nichols explains that reporting meaningful security metrics depends on topic selection, context definition, and data access.
learn more -
Inadvertent Data Disclosure on Peer-to-Peer Networks
January 22, 2008 • Podcast
M. Eric Johnson (Dartmouth College), Scott Dynes (Dartmouth College), Julia H. Allen
In this podcast, participants discuss how peer-to-peer networks are being used to unintentionally disclose government, commercial, and personal information.
learn more -
Information Compliance: A Growing Challenge for Business Leaders
January 08, 2008 • Podcast
Tom Smedinghoff (Wildman Harrold), Julia H. Allen
In this podcast, Tom Smedinghoff reminds directors and executives that they are personally accountable for protecting information entrusted to their care.
learn more -
Internal Audit's Role in Information Security: An Introduction
December 10, 2007 • Podcast
Dan Swanson (Dan Swanson and Associates), Julia H. Allen
In this podcast, Dan Swanson explains how an internal audit can serve a key role in establishing an effective information security program.
learn more -
The Path from Information Security Risk Assessment to Compliance
November 13, 2007 • Podcast
William R. Wilson, Julia H. Allen
In this podcast, William Wilson explains how an information security risk assessment, performed with operational risk management, can contribute to compliance.
learn more -
Governing for Enterprise Security: An Implementation Guide
November 07, 2007 • Presentation
Julia H. Allen
This presentation was given at the Security Management Conference, November 7, 2007.
read -
Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity
October 15, 2007 • Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young suggests that by taking a holistic view of business resilience, business leaders can help their organizations stand up to threats.
learn more -
Dual Perspectives: A CIO's and CISO's Take on Security
September 04, 2007 • Podcast
Patty Morrison (Motorola), Bill Boni (Motorola), Julia H. Allen
In this podcast, participants explain that since you can't secure everything, managing security risk to a "commercially reasonable degree" is best.
learn more -
Tackling Security at the National Level: A Resource for Leaders
August 07, 2007 • Podcast
Jeffrey J. Carpenter, Julia H. Allen
In this podcast, Clint Kreitner explains how information security costs can be reduced by enforcing standard configurations for widely deployed systems.
learn more -
Reducing Security Costs with Standard Configurations: U.S. Government Initiatives
August 07, 2007 • Podcast
Clint Kreitner (The Center for Internet Security), Julia H. Allen
In this podcast, participants explain that since you can't secure everything, managing security risk to a "commercially reasonable degree" is best.
learn more -
Governing for Enterprise Security (GES) Implementation Guide
August 01, 2007 • Technical Note
Julia H. Allen, Jody R. Westby
In this 2007 report, the authors provide prescriptive guidance for creating and sustaining an enterprise security governance program.
read -
Using Standards to Build an Information Security Program
July 10, 2007 • Podcast
William R. Wilson, Julia H. Allen
In this podcast, William Wilson explains how business leaders can use international standards to create a business- and risk-based information security program.
learn more -
Getting Real About Security Governance
June 26, 2007 • Podcast
Julia H. Allen, Stephanie Losi
In this podcast, participants explain that enterprise security governance can be achieved by implementing a defined, repeatable process.
learn more -
Convergence: Integrating Physical and IT Security
June 12, 2007 • Podcast
Brian Contos (ArcSight), Bill Crowell (No Affiliation), Julia H. Allen
In this podcast, participants recommend deploying common solutions for physical and IT security as a cost-effective way to reduce risk and save money.
learn more -
Governing for Enterprise Security (GES) Implementation Guide Article 3: Enterprise Security Governance Activities
March 05, 2007 • White Paper
Jody R. Westby, Julia H. Allen
read -
Assuring Mission Success in Complex Environments
February 06, 2007 • Podcast
Christopher J. Alberts, Julia H. Allen
In this podcast, participants discuss analysis tools for assessing complex organizational and technological issues that are beyond traditional approaches.
learn more -
Governing for Enterprise Security (GES) Implementation Guide Article 1: Characteristics of Effective Security Governance
February 05, 2007 • White Paper
Julia H. Allen, Jody R. Westby
read -
Building Staff Competence in Security
January 09, 2007 • Podcast
Barbara Laswell, Julia H. Allen
In this podcast, Barbara Laswell describes specifications that define the knowledge, skills, and competencies required for a range of security positions.
learn more -
Evolving Business Models, Threats, and Technologies: A Conversation with CERT's Deputy Director for Technology
December 26, 2006 • Podcast
Thomas A. Longstaff, Julia H. Allen
In this podcast, participants discuss how business models are evolving as security threats become more covert and technology enables information migration.
learn more -
Protecting Against Insider Threat
November 28, 2006 • Podcast
Dawn Cappelli, Julia H. Allen
In this podcast, Dawn Cappelli describes the real and substantial threat of attack from insiders.
learn more -
CERT Lessons Learned: A Conversation with Rich Pethia, Director of CERT
October 31, 2006 • Podcast
Richard D. Pethia, Julia H. Allen
In this podcast, Richard Pethia voices his view of the internet security landscape and the future of the CERT Division.
learn more -
The ROI of Security
October 17, 2006 • Podcast
Stephanie Losi, Julia H. Allen
In this podcast, Julia Allen explains how ROI is a useful tool because it enables comparison among investments in a consistent way.
learn more -
Compliance vs. Buy-in
October 17, 2006 • Podcast
Julia H. Allen, Stephanie Losi
In this podcast, Julia Allen explains why integrating security into standard business processes is more effective than treating security as a compliance task.
learn more -
Why Leaders Should Care About Security
October 17, 2006 • Podcast
Bill Pollak, Julia H. Allen
In this podcast, Julia Allen urges leaders to be security conscious and treat adequate security as a non-negotiable requirement of being in business.
learn more -
Proactive Remedies for Rising Threats
October 17, 2006 • Podcast
Martin Linder, Stephanie Losi, Julia H. Allen
In this podcast, participants discuss how threats to information security are increasingly stealthy and must be mitigated through sound policy and strategy.
learn more -
Governing for Enterprise Security
June 01, 2005 • Technical Note
Julia H. Allen
In this 2005 report, Julia Allen examines governance thinking, principles, and approaches and applies them to the subject of enterprise security.
read -
Information Security as an Institutional Priority
May 24, 2005 • Presentation
Julia H. Allen
This presentation on information security as an institutional priority was delivered by Julia Allen in 2005.
read -
Governing for Enterprise Security (Presentation)
January 26, 2005 • Presentation
Julia H. Allen
This 2005 presentation addresses various issues related to governance.
read -
Managing for Enterprise Security
December 01, 2004 • Technical Note
Richard A. Caralli, Julia H. Allen, James F. Stevens
In this 2004 report, the authors itemize characteristics of common approaches to security that limit effectiveness and success.
read -
Building a Practical Framework for Enterprise-Wide Security Management
April 28, 2004 • Presentation
Julia H. Allen, Kevin Behr (IP Services and ITPI), Richard A. Caralli
In this presentation, the authors describe a practical framework for enterprise-wide security management as developed by the CERT Division.
read -
OCTAVE Catalog of Practices, Version 2.0
October 01, 2001 • Technical Report
Christopher J. Alberts, Audrey J. Dorofee, Julia H. Allen
In this report, the authors describe OCTAVE practices, which enable organizations to identify risks and mitigate them.
read -
CERT Guide To System and Network Security Practices
June 07, 2001 • Book
Julia H. Allen
In this book, Julia Allen describes practices and offers guidance for protecting systems and networks against malicious and inadvertent compromise.
read -
Securing Public Web Servers
May 01, 2000 • Security Improvement Module
Klaus-Peter Kossakowski, Julia H. Allen
The practices recommended in this 2000 report are designed to help administrators mitigate the risks associated with several known security problems.
read -
Securing Network Servers (2000)
April 01, 2000 • Security Improvement Module
Julia H. Allen, Klaus-Peter Kossakowski, Gary Ford
The practices recommended in this report from 2000 are designed to help administrators configure and deploy network servers that satisfy organizational security requirements.
read -
State of the Practice of Intrusion Detection Technologies
January 01, 2000 • Technical Report
Julia H. Allen, Alan M. Christie, William L. Fithen
This report provides an unbiased assessment of publicly available intrusion detection (ID) technology. The report also outlines relevant issues for the research community as they formulate research directions and allocate funds.
read -
Deploying Firewalls
October 01, 1999 • Security Improvement Module
William L. Fithen, Julia H. Allen, Ed Stoner
This document helps organizations improve the security of their networked computer systems by illustrating how to design and deploy a firewall.
read -
Securing Desktop Workstations
February 01, 1999 • Security Improvement Module
Derek Simmel, Gary Ford, Julia H. Allen
The practices recommended in this 1999 report are designed to help you configure and deploy networked workstations that satisfy your organization's security requirements. The practices may also be useful in examining the configuration of previously deployed workstations.
read -
Responding to Intrusions
February 01, 1999 • Security Improvement Module
Klaus-Peter Kossakowski, Suresh Konda, William R. Wilson
This 1999 report is one of a series of SEI publications that are intended to provide practical guidance to help organizations improve the security of their networked computer systems. This report is intended for system and network administrators, managers of information systems, and security personnel responsible for networked information resources.
read -
Securing Network Servers (1999)
February 01, 1999 • Security Improvement Module
Gary Ford, Derek Simmel, Dwayne Vermeulen
The practices recommended in this 1999 report are designed to help administrators configure and deploy network servers that satisfy organizational security requirements.
read -
Preparing to Detect Signs of Intrusion
June 01, 1998 • Security Improvement Module
John Kochmar, Julia H. Allen, Christopher J. Alberts
The practices contained in this 1998 report identify advance preparations you must make to enable you to obtain evidence of an intrusion or an intrusion attempt.
read -
Security for Information Technology Service Contracts
January 01, 1998 • Security Improvement Module
Julia H. Allen, Gary Ford, Barbara Fraser
This 1998 document is one of a new series of publications of the Software Engineering Institute at Carnegie Mellon University, security improvement modules. They are intended to provide concrete, practical guidance that will help organizations improve the security of their networked computer systems.
read