Software Engineering Institute (SEI) Podcast Series

Members of Technical Staff at the Software Engineering Institute
www.sei.cmu.edu
The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.

Episodes

A Software Assurance Curriculum for Future Engineers

Modern society is deeply and irreversibly dependent on software systems of remarkable scope and complexity in areas that are essential for preserving our way of life. Software assurance is critical to ensuring our confidence in these systems and that they are free from vulnerabilities, function in the intended manner, and provide security capabilities appropriate to the threat environment. In this podcast, Dr. Nancy Mead discusses how, with support from the Department of Homeland Security, SEI r...

Sep 24, 2015 | 20 min

Four Types of Shift Left Testing

One of the most important and widely discussed trends within the software testing community is shift left testing, which simply means beginning testing as early as practical in the lifecycle. What is less widely known, both inside and outside the testing community, is that testers can employ four fundamentally-different approaches to shift testing to the left. Unfortunately, different people commonly use the generic term shift left to mean different approaches, which can lead to serious misunder...

Sep 10, 2015 | 27 min

Capturing the Expertise of Cybersecurity Incident Handlers

In this podcast, Dr. Richard Young, a professor with Carnegie Mellon’s Tepper School of Business, teams with Sam Perl, a member of the CERT Division’s Enterprise Threat and Vulnerability Management team, to discuss their research on how expert cybersecurity incident handlers think, learn, and act when faced with an incident. The research study focuses on critical cognitive factors that such experts use to make decisions when faced with a complex incident, including how to deal with critical info...

Aug 27, 2015 | 26 min

Toward Speed and Simplicity: Creating a Software Library for Graph Analytics

High performance computing is now central to the federal government and industry as evidenced by the shift from single-core and multi-core or homogeneous central processing units, also known as CPUs, to many core and heterogeneous systems that also include other types of processors like graphics processing units, also known as GPUs. In this podcast, Scott McMillan and Eric Werner of the SEI’s Emerging Technology Center discuss work to create a software library for graph analytics that would take ...

Aug 27, 2015 | 16 min

Improving Quality Using Architecture Fault Analysis with Confidence Arguments

In this podcast, Peter Feiler discusses a case study that demonstrates how an analytical architecture fault-modeling approach can be combined with confidence arguments to diagnose a time-sensitive design error in a control system and to provide evidence that proposed changes to the system address the problem. The analytical approach, based on the SAE Architecture Analysis and Design Language for its well-defined timing and fault-behavior semantics, demonstrates that such hard-to-test errors can ...

Aug 13, 2015 | 18 min

A Taxonomy of Testing Types

A surprisingly large number of different types of testing exist and are used during the development and operation of software-reliant systems. While most testers, test managers, and other testing stakeholders are quite knowledgeable about a relatively small number of testing types, many people know very little about most of them and are unaware that others even exist. Understanding these different types of testing is important because different types of testing tend to uncover different types of...

Jul 30, 2015 | 17 min

Reducing Complexity in Software & Systems

Systems are increasingly software-reliant and interconnected, making design, analysis and evaluation harder than in the past. While new capabilities are welcome, they require more thorough validation. Complexity could mean that design flaws or defects could lead to hazardous conditions that are undiscovered and unresolved. In this podcast, Dr. Sarah Sheard discusses a two-year research project to investigate the nature of complexity, how it manifests in software-reliant systems, such as avionics...

Jul 16, 2015 | 19 min

Designing Security Into Software-Reliant Systems

Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions are also increasing. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. However, the costs required to control security risks increase significantly when organizations wait until systems are deployed to address those ...

Jun 25, 2015 | 12 min

Agile Methods in Air Force Sustainment

For several years, the Software Engineering Institute has researched the viability of Agile software development methods within Department of Defense programs and barriers to the adoption of those methods. In this podcast, SEI researcher Eileen Wrubel discusses how software sustainers leverage Agile methods and avoid barriers to using Agile methods.

Jun 11, 2015 | 12 min

Defect Prioritization With the Risk Priority Number

Most software systems have some "defects" that are identified by users. Some of these are truly defects in that the requirements were not properly implemented; some are caused by changes made to other systems; still others are requests for enhancement – improvements that would improve the users' experience. These "defects" are generally stored in a database and are worked off in a series of incrementally delivered updates. For most systems, it is not financially feasible to fix all of the concer...

May 28, 2015 | 18 min

SEI-HCII Collaboration Explores Context-Aware Computing for Soldiers

As the number of sensors on smart phones continues to grow, these devices can automatically track data from the user's environment, including geolocation, time of day, movement, and other sensor data. Making sense of this data in an ethical manner that respects the privacy of smartphone users is just one of the many challenges faced by researchers. In this podcast, Dr. Anind Dey, director of the Human Computer Interaction Institute (HCII) at CMU, and Dr. Jeff Boleng, principal researcher at the ...

May 14, 2015 | 20 min

An Introduction to Context-Aware Computing

As the number of sensors on smart phones continues to grow, these devices can automatically track data from the user's environment, including geolocation, time of day, movement, and other sensor data. Making sense of this data in an ethical manner that respects the privacy of smartphone users is just one of the many challenges faced by researchers. In this podcast, the first in a two-part series, Dr. Anind Dey and Dr. Jeff Boleng introduce context-aware computing and explore other issues related...

Apr 23, 2015 | 19 min

Data Driven Software Assurance

Software vulnerabilities are defects or weaknesses in a software system that, if exploited, can lead to compromise of the control of a system or the information it contains. The problem of vulnerabilities in fielded software is pervasive and serious. In 2012, SEI researchers began investigating vulnerabilities reported to the SEI's CERT Division and determined that a large number of significant and pernicious software vulnerabilities likely had their origins early in the software development lif...

Apr 09, 2015 | 30 min

Applying Agile in the DoD: Twelfth Principle

In this episode, the 12th and final podcast in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the 12th principle: at regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

Mar 26, 2015 | 12 min

Supply Chain Risk Management: Managing Third Party and External Dependency Risk

One caveat of outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust they will do the right thing with their data. In this podcast, Matt Butkovic, the Technical Manager of CERT’s Cybersecurity Assurance Team, and John Haller, a member of Matt’s team, discuss approaches for more effectively managing supply chain risks, focusing on risks arising from "e...

Mar 26, 2015 | 28 min

Introduction to the Mission Thread Workshop

In Department of Defense programs, a system of systems (SoS) is integrated to accomplish a number of missions that involve cooperation among individual systems. Understanding the activities conducted within each system and how they interoperate to accomplish the missions of the SoS is of vital importance. A mission thread is a sequence of end-to-end activities and events, given as a series of steps, that accomplish the execution of one or more capabilities that the SoS supports. However, listing...

Mar 12, 2015 | 24 min

Applying Agile in the DoD: Eleventh Principle

In this episode, the 11th in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the 11th principle: the best architectures, requirements, and designs emerge from self-organizing teams.

Feb 26, 2015 | 14 min

A Workshop on Measuring What Matters

This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team’s experiences in planning and executing the workshop, and identifying improvements for future offerings. The Measuring What Matters Workshop introduces the Goal-Question-Indicator-Metric (GQIM) approach that enables users to derive meaningful metrics for managing cybersecurity risks from strategic and business objectives. This approach helps ensure that organizational leaders have bette...

Feb 20, 2015 | 31 min

Applying Agile in the DoD: Tenth Principle

In this episode, the tenth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the tenth principle: Simplicity—the art of maximizing the amount of work not done—is essential.

Feb 12, 2015 | 14 min

Predicting Software Assurance Using Quality and Reliability Measures

Security vulnerabilities are defects that enable an external party to compromise a system. Our research indicates that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and hence improves software security. Some portion of security vulnerabilities (maybe over half of them) are also quality defects. Can quality defect models that predict quality results be applied to security to predict security results? Simple defect models focus on an enumera...

Jan 29, 2015 | 19 min

Applying Agile in the DoD: Ninth Principle

In this episode, the ninth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the ninth principle: continuous attention to technical excellence and good design enhances Agile.

Jan 16, 2015 | 18 min

Cyber Insurance and Its Role in Mitigating Cybersecurity Risk

The goal of any cybersecurity investment is to reduce the potential impact from cyber risk. Initial investments should be in capability development—the implementation of controls to protect and sustain operations that depend on technology. As capability increases, additional capability investments produce diminishing returns—the curve flattens. At that point, investment in cyber insurance becomes an efficient means to further reduce risk. In this podcast, Jim Cebula, the Technical Manager of CERT...

Jan 08, 2015 | 37 min

AADL and Dassault Aviation

In 2013, the AADL Standards meeting was held at SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there, and we interviewed several members of the AADL Standards Committee. This podcast is the fourth in a series based on these interviews.

Dec 18, 2014 | 9 min

Tactical Cloudlets

Soldiers in battle or emergency workers responding to a disaster often find themselves in environments with limited computing resources, rapidly-changing mission requirements, high levels of stress, and limited connectivity, which are often referred to as “tactical edge environments.” These types of scenarios make it hard to use mobile software applications that would be of value to soldiers or emergency personnel, including speech and image recognition, natural language processing, and situatio...

Dec 04, 2014 | 32 min

Agile Software Teams and How They Engage with Systems Engineering on DoD Acquisition Programs

Part of a series exploring Agile in the Department of Defense, this podcast addresses key issues that occur when Agile software teams engage with systems engineering functions in the development and acquisition of software-reliant systems. Published acquisition guidance still largely focuses on a system perspective, and fundamental differences exist between systems engineering and software engineering approaches. Those differences are compounded when Agile becomes a part of the mix, rather than ...

Nov 27, 2014 | 12 min

Coding with AADL

Given that up to 70 percent of system errors are introduced during the design phase, stakeholders need a modeling language that will ensure both requirements enforcement during the development process and the correct implementation of these requirements. Previous work demonstrates that using the Architecture Analysis and Design Language (AADL) early in the development process not only helps detect design errors before implementation but also supports implementation efforts and produces high-qual...

Nov 13, 2014 | 20 min

The State of Agile

In September 2014, Alistair Cockburn met with researchers at the SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there as Cockburn sat down with Suzanne Miller to discuss his unique perspective as one of the creators of the Agile manifesto and his viewpoint on the current state of Agile adoption.

Oct 30, 2014 | 28 min

Applying Agile in the DoD: Eighth Principle

In this episode, the eighth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the eighth principle: Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.

Oct 09, 2014 | 13 min

A Taxonomy of Operational Risks for Cyber Security

Organizations of all sizes in both the public and private sectors are increasingly reliant on information and technology assets, supported by people and facility assets, to successfully execute business processes that, in turn, support the delivery of services. Failure of these assets has a direct, negative impact on the business processes they support. This, in turn, can cascade into an inability to deliver services, which ultimately impacts the organizational mission. Given these relationships...

Oct 07, 2014 | 33 min

Agile Metrics

As the prevalence of suppliers using Agile methods grows, these professionals supporting the acquisition and maintenance of software-reliant systems are witnessing large portions of the industry moving away from so-called "traditional waterfall" lifecycle processes. The existing infrastructure supporting the work of acquisition professionals has been shaped by the experience of the industry—which up until recently has tended to follow a waterfall process. The industry is finding that the methods...

Sep 25, 2014 | 24 min
Hosted on Libsyn