To contain costs, it is essential to understand which factors drive costs over the longer term and can be controlled. In studies of software development, as a research community, we have not done an adequate job of differentiating causal influences from noncausal statistical correlations. In this podcast, Mike Konrad and Bob Stoddard discuss the use of an approach known as causal learning that can help the Department of Defense identify which factors cause software costs to escalate and, therefo...
Aug 02, 2018•31 min
In this podcast, Dr. Carol Woody discusses opportunities and risks in cybersecurity engineering, software assurance, and the resulting CERT Cybersecurity Engineering and Software Assurance Professional Certificate. The courses for this certificate program focus on software-reliant systems engineering and acquisition activities. The goal of the program is to infuse an awareness of cybersecurity (and an approach to identifying security requirements, engineering risk, and supply chain risk) early i...
Jul 26, 2018•9 min
In the SEI’s examination of the software sustainment phase of the Department of Defense (DoD) acquisition lifecycle, we have noted that the best descriptor for sustainment efforts for software is “continuous engineering.” Typically, during this phase, the hardware elements are repaired or have some structural modifications to carry new weapons or sensors. Software, on the other hand, continues to evolve in response to new security threats, new safety approaches, or new functionality provided wit...
Jul 10, 2018•28 min
The SEI Emerging Technology Center is conducting a study sponsored by the U.S. Office of the Director of National Intelligence to understand cyber intelligence best practices, common challenges, and future technologies that we will culminate in a published report. Through interviews with U.S.-based organizations from a variety of sectors, researchers are identifying tools, practices, and resources that help those organizations make informed decisions that protect their information and assets. In...
Jun 25, 2018•19 min
In today's global business environment, risk management must be aligned to business strategy. As companies continue to shift their business models, strategies change and risk management becomes even more important. A company must find the right balance between risk resiliency and risk agility. The chief risk officer (CRO) role is an important catalyst to make that happen, so a company's long term strategic objectives may be realized. The CRO Certificate Program is developed and delivered by Carn...
May 24, 2018•28 min
The Defense Advanced Research Projects Agency (DARPA) and other agencies are expressing significant interest in blockchain technology because it promises inherent transparency, resiliency, forgery-resistance, and nonrepudiation, which can be used to protect sensitive infrastructure. At the same time, numerous high-profile incidents of blockchain coding errors that cause major damage to organizations have raised serious concerns about blockchain adoption. In this podcast, Eliezer Kanal and Michae...
May 10, 2018•32 min
DevOps breaks down software development silos to encourage free communication and constant collaboration. Agile, an iterative approach to development, emphasizes frequent deliveries of software. In this podcast, Eileen Wrubel, technical lead for the SEI’s Agile-in-Government program, and Hasan Yasar, technical manager of the Secure Lifecycle Solutions Group in the SEI’s CERT Division, discuss how Agile and DevOps can be deployed together to meet organizational needs. Listen on Apple Podcasts ....
Apr 19, 2018•33 min
This series of podcasts presents excerpts from a recent SEI virtual event, Is Software Spoiling Us? Jeff Boleng, acting chief technical officer, moderated the discussion, which featured a panel of SEI researchers: Grace Lewis, Eliezer Kanal, Joseph Yankel, and Satya Venneti. In this segment, the panel discusses technical innovations that can be applied to the Department of Defense including improved situational awareness, human-machine interactions, artificial intelligence, machine learning, dat...
Mar 15, 2018•21 min
This series of podcasts presents excerpts from a recent SEI virtual event, Is Software Spoiling Us. Jeff Boleng, acting chief technical officer, moderated the discussion, which featured a panel of SEI researchers: Grace Lewis, Eliezer Kanal, Joseph Yankel, and Satya Venneti. In this podcast, the panel discusses awesome innovations in daily life that are made possible because of software. Listen on Apple Podcasts .
Feb 08, 2018•17 min
DevOps, which breaks down software development silos to encourage free communication and constant collaboration, reinforces many Agile methodologies. Equally important, the Risk Management Framework, provides a clearly defined framework that helps program managers incorporate security and risk management activities into the software and systems development life cycle. In this podcast, Eileen Wrubel, technical lead for the SEI’s Agile-in-Government program leads a roundtable discussion into how A...
Feb 01, 2018•34 min
Insider threat continues to be a problem with approximately 50 percent of organizations experiencing at least one malicious insider incident per year, according to the 2017 U.S. State of Cybercrime Survey. Although the attack methods vary depending on the industry, the primary types of attacks identified by researchers at the CERT Insider Threat Center—theft of intellectual property, sabotage, fraud, and espionage—continue to hold true. In our work with public and private industry, we continue t...
Dec 28, 2017•11 min
Pharos was created by the SEI CERT Division to automate the reverse engineering of binaries, with a focus on malicious code analysis. Pharos, which was recently released on Github, builds upon the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics, and more. In this podcast, the SEI CERT Division’s Jeff Gennari discusses updates to the Pharos framework including new tools, improvements, and bug fixes. Lis...
Dec 12, 2017•10 min
In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor and constrain employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In this podcast, Andrew Moore and Dan Bauer high...
Nov 30, 2017•24 min
Dr. Andrew Moore, who is the Dean of the School of Computer Science at CMU, predicted that 2016 would be a watershed year for machine emotional intelligence. Evidence of this can be seen in the Department of Defense, which increasingly relies on biometric data, such as iris scans, gait recognition, and heart-rate monitoring to protect against both cyber and physical attacks. Current state-of-the-art approaches do not make it possible to gather biometric data in real-world settings, such as borde...
Nov 16, 2017•21 min
In today’s increasingly interconnected world, the information security community must be prepared to address emerging vulnerabilities that may arise from new technology domains. Understanding trends and emerging technologies can help information security professionals, leaders of organizations, and others interested in information security to anticipate and prepare for such vulnerabilities. In this podcast, CERT vulnerability analyst Dan Klinedinst discusses research aimed at helping the Departm...
Oct 24, 2017•11 min
For some time now, the cyber world has been under attack by a diffused set of enemies who improvise their own tools in many different varieties and hide them where they can do much damage. In this podcast, CERT researcher Vijay Sarvepalli explores Domain Name System or DNS Blocking, the idea of disrupting communications from malicious code such as ransomware that is used to lock up your digital assets, or data-exfiltration software that is used to steal your digital data. DNS blocking ensures a ...
Oct 12, 2017•15 min
When it comes to network traffic, it’s important to establish a filtering process that identifies and blocks potential cyberattacks, such as worms spreading ransomware and intruders exploiting vulnerabilities, while permitting the flow of legitimate traffic. In this podcast, the latest in a series on best practices for network security, Rachel Kartch explores best practices for network border protection at the Internet router and firewall. It is important to note that these recommendations are g...
Sep 21, 2017•24 min
Since its debut on Jeopardy in 2011, IBM’s Watson has generated a lot of interest in potential applications across many industries. As detailed in this podcast, Mark Sherman recently led a research team investigating whether the Department of Defense could use Watson to improve software assurance and help acquisition professionals assemble and review relevant evidence from documents. Specifically, Sherman and his team examined whether typical developers could build an IBM Watson application to s...
Sep 07, 2017•20 min
Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. The costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. Field ex...
Aug 31, 2017•19 min
All major defense contractors in the market can tell you about their approaches to implementing the values and principles found in the Agile Manifesto. Published frameworks and methodologies are rapidly maturing, and a wave of associated terminology is part of the modern lexicon. We are seeing consultants feuding on Internet forums as well, each claiming to have the “true” answer for what Agile is and how to make it work in your organization. The challenge now is to scale Agile to work in comple...
Aug 03, 2017•24 min
On May 12, 2017, in the course of a day, the WannaCry ransomware attack infected nearly a quarter million computers. WannaCry is the latest in a growing number of ransomware attacks where, instead of stealing data, cyber criminals hold data hostage and demand a ransom payment. WannaCry was perhaps the largest ransomware attack to date, taking over a wide swath of global computers from FedEx in the United States to the systems that power Britain’s healthcare system to systems across Asia, accordi...
Jul 14, 2017•30 min
The term "software security" often evokes negative feelings among software developers because it is associated with additional programming effort, uncertainty, and road blocks to fast development and release. To secure software, developers must follow numerous guidelines that, while intended to satisfy some regulation or other, can be very restrictive and hard to understand. As a result, a lot of fear, uncertainty, and doubt can surround software security. In this podcast, Hasa...
Jun 29, 2017•29 min
The position of SEI Fellow is awarded to people who have made an outstanding contribution of the work of the SEI and from home the SEI leadership may expect valuable advice for continued success in the institute’s mission. Peter Feiler was named an SEI Fellow in August 2016. This podcast is the second in a series highlighting interviews with SEI Fellows Listen on Apple Podcasts .
Jun 15, 2017•41 min
The network time protocol (NTP) synchronizes the time of a computer client or server to another server or within a few milliseconds of Coordinated Universal Time (UTC). NTP servers, long considered a foundational service of the Internet, have more recently been used to amplify large-scale Distributed Denial of Service (DDoS) attacks. While 2016 did not see a noticeable uptick in the frequency of DDoS attacks, the last 12 months have witnessed some of the largest DDoS attacks, according to Akamai...
May 25, 2017•12 min
First responders, search-and-rescue teams, and military personnel often work in “tactical edge” environments defined by limited computing resources, rapidly changing mission requirements, high levels of stress, and limited connectivity. In these tactical edge environments, software applications that enable tasks such as face recognition, language translation, decision support, and mission planning and execution are critical due to computing and battery limitations on mobile devices. Our work on ...
May 18, 2017•18 min
In 2014-2015, a group of researchers across various disciplines gathered at the Caltech Keck Institute for Space Studies (KISS) to explore whether recent advances in multifunctional, reconfigurable, and adaptive structures could enable a microenvironment control to support space exploration in extreme environments. The workshop series spawned multiple working groups and project ideas for pushing the state-of-the-art in space exploration, colonization and infrastructure. One such project, called ...
Apr 20, 2017•18 min
Making sure government and privately owned drones share international air space safely and effectively is a top priority for government officials. Distributed Adaptive Real-Time (DART) systems are key to many areas of Department of Defense (DoD) capability, including the safe execution of autonomous, multi-unmanned aerial systems missions having civilian benefits. DART systems promise to revolutionize several such areas of mutual civilian-DoD interest, such as robotics, transportation, energy, a...
Mar 27, 2017•47 min
In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that may arise from new technologies. Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security identify areas for further study. Researchers in the SEI's CERT Division recently examined the security of a large swath of technology domains being developed in industry and...
Mar 23, 2017•17 min
As software developers deal with issues such as legacy modernization, agile adoption, and architecture, they need to be able to articulate the tradeoffs of design and business decisions. In this podcast, Ipek Ozkaya talks about managing technical debt as a core software engineering practice and its importance in the education of future software engineers. Listen on Apple Podcasts .
Feb 27, 2017•23 min
The Domain Name System (DNS) is an essential component of the Internet, a virtual phone book of names and numbers, but we rarely think about it until something goes wrong. DNS also serves as the backbone for other services critical to organizations including email, external web access, file sharing and voice over IP (VoIP). There are steps, however, that network administrators can take to ensure the security and resilience of their DNS infrastructure and avoid security pitfalls. In this podcast,...
Feb 23, 2017•27 min
