Software Engineering Institute (SEI) Podcast Series

In 2013, the AADL Standards meeting was held at SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there, and we interviewed several members of the AADL Standards Committee. This podcast is the fourth in a series based on these interviews. Listen on Apple Podcasts.

Soldiers in battle or emergency workers responding to a disaster often find themselves in environments with limited computing resources, rapidly-changing mission requirements, high levels of stress, and limited connectivity, which are often referred to as "tactical edge environments." These types of scenarios make it hard to use mobile software applications that would be of value to soldiers or emergency personnel, including speech and image recognition, natural language processing, and situational awareness, because these computation-intensive tasks take a heavy toll on a mobile device's battery power and computing resources. Researchers in the Advanced Mobile Systems Initiative at the SEI focus on cyber foraging, which uses discoverable, forward-deployed servers to extend the capabilities of mobile devices by offloading battery-draining computations to these more powerful resources, or for staging data particular to a mission. In this podcast, Grace Lewis discusses five approaches that her team developed and tested for using tactical cloudlets as a strategy for providing infrastructure to support computation offload and data staging at the tactical edge. Listen on Apple Podcasts.

Part of a series exploring Agile in the Department of Defense, this podcast addresses key issues that occur when Agile software teams engage with systems engineering functions in the development and acquisition of software-reliant systems. Published acquisition guidance still largely focuses on a system perspective, and fundamental differences exist between systems engineering and software engineering approaches. Those differences are compounded when Agile becomes a part of the mix, rather than adhering to more traditional "waterfall"-based development lifecycles. In this research, the SEI gathered more data from users of Agile methods in the DoD and delved deeper into the existing body of knowledge about Agile and systems engineering before addressing them. In this podcast, Acquisition researchers Eileen Wrubel and Suzanne Miller offer insight into how systems engineers and Agile software engineers can better collaborate when taking advantage of Agile as they deliver incremental mission capability. Listen on Apple Podcasts.

Given that up to 70 percent of system errors are introduced during the design phase, stakeholders need a modeling language that will ensure both requirements enforcement during the development process and the correct implementation of these requirements. Previous work demonstrates that using the Architecture Analysis and Design Language (AADL) early in the development process not only helps detect design errors before implementation but also supports implementation efforts and produces high-quality code. Previous research has demonstrated how AADL can identify potential design errors and avoid propagating them through the development process. Verified specifications, however, are still implemented manually. This manual process is labor intensive and error prone, and it introduces errors that might break previously verified assumptions and requirements. For these reasons, code production should be automated to preserve system specifications throughout the development process. In this podcast, Julien Delange summarizes different perspectives on research related to code generation from software architecture models. Listen on Apple Podcasts.

In September 2014, Alistair Cockburn met with researchers at the SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there as Cockburn sat down with Suzanne Miller to discuss his unique perspective as one of the creators of the Agile manifesto and his viewpoint on the current state of Agile adoption. Listen on Apple Podcasts.

In this episode, the eighth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the eighth principle: Agile processes promotes sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely. Listen on Apple Podcasts.

Organizations of all sizes in both the public and private sectors are increasingly reliant on information and technology assets, supported by people and facility assets, to successfully execute business processes that, in turn, support the delivery of services. Failure of these assets has a direct, negative impact on the business processes they support. This, in turn, can cascade into an inability to deliver services, which ultimately impacts the organizational mission. Given these relationships, the management of operational cybersecurity-related risks to these assets is a key factor in positioning the organization for success.In this podcast, Jim Cebula, the Technical Manager of the CERT Cybersecurity Risk Management Team, discusses a taxonomy that provides organizations with a common language and terminology they can use to discuss, document, and mitigate operational cybersecurity risks. The taxonomy identifies and organizes the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. This podcast is based on an SEI technical report and blog post. Listen on Apple Podcasts.

As the prevalence of suppliers using Agile methods grows, these professionals supporting the acquisition and maintenance of software-reliant systems are witnessing large portions of the industry moving away from so-called "traditional waterfall" lifecycle processes. The existing infrastructure supporting the work of acquisition professionals has been shaped by the experience of the industry—which up until recently has tended to follow a waterfall process. The industry is finding that the methods geared toward legacy life cycle processes must be realigned with new ways of doing business. In this podcast Will Hayes and Suzanne Miller discuss research intended to aid U. S. Department of Defense acquisition professionals in the use of Agile software development methods. Listen on Apple Podcasts.

In this podcast, Ian Gorton describes four general principles that hold for any scalable, big data system. These principles can help architects continually validate major design decisions across development iterations, and hence provide a guide through the complex collection of design trade-offs all big data systems require. Listen on Apple Podcasts.

In this podcast, Joseph Elm analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness. This research is the result analysis of data collected from the 2011 Systems Engineering (SE) Effectiveness Survey performed by the National Defense Industrial Association Systems Engineering Division, the Institute of Electrical and Electronics Engineers Aerospace and Electronic Systems Society, and the SEI. This analysis examined the differences in the deployment and impact of SE activities between defense-domain projects and non-defense projects. The analysis found significant differences in both the deployment of SE in the two domains and the effectiveness of the SE. The report identifies specific process areas where effectiveness in one domain is noticeably higher than in the other. Further research to understand these differences will benefit both domains by enabling them to share best practices. Listen on Apple Podcasts.

Many warfighters and first responders operate at what we call "the tactical edge," where users are constrained by limited communication connectivity, storage availability, processing power, and battery life. In these environments, onboard sensors are used to capture data on behalf of mobile applications to perform tasks such as face recognition, speech recognition, natural language translation, and situational awareness. These applications then rely on network interfaces to send the data to nearby servers or the cloud, if local processing resources are inadequate. While software developers have traditionally used native mobile technologies to develop these applications, the approach has some drawbacks, such as limited portability. In contrast, HTML5 has been touted for its portability across mobile device platforms as well an ability to access functionality without having to download and install applications. In this podcast, Grace Lewis describes research aimed at evaluating the feasibility of using HTML5 to develop applications that can meet tactical edge requirements. Listen on Apple Podcasts.

In this episode, the seventh in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the seventh principle: Working software is the primary measure of progress. Listen on Apple Podcasts.

In 2013, the AADL Standards meeting was held at SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there, and we interviewed several members of the AADL Standards Committee. This podcast is the third in a series based on these interviews. Listen on Apple Podcasts.

The Wireless Emergency Alerts (WEA) service depends on information technology (IT)—computer systems and networks—to convey potentially life-saving information to the public in a timely manner. However, like other cyber-enabled services, the WEA service is susceptible to risks that may enable an attacker to disseminate unauthorized alerts or to delay, modify, or destroy valid alerts. Successful attacks on the alerting process may result in property destruction, financial loss, infrastructure disruption, injury, or death. Such attacks may damage WEA credibility to the extent that users ignore future alerts or disable alerting on their mobile devices. In this podcast, Carol Woody and Christopher Alberts discuss guidelines that they developed to ensure that the WEA service remains robust and resilient against cyber attacks. Listen on Apple Podcasts.

In this podcast, Julien Delange discusses two extensions to the Architecture Analysis and Design Language: the behavior annex and the error-model annex. The behavior annex represents the functional logic of AADL components and interacts with the other system elements. SEI researchers are currently participating in the ongoing improvements of this extension of the AADL by connecting it to other analysis tools. The error model annex augments the architecture description by specifying safety concerns of the system (error propagation, error behavior, etc.). The language is the foundation of new analysis tools that provide qualitative and quantitative assessment of system safety and reliability. SEI researches have defined new tools that analyze the model and produces safety validation documents, such as the one required by safety standard such as the SAE ARP4761. Listen on Apple Podcasts.

In this episode, the sixth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense (DoD), the two researchers discuss the application of the sixth principle,The most efficient and effective method of conveying information to and within a development team is face-to-face conversation. Listen on Apple Podcasts.

Every day, major anti-virus companies and research organizations are inundated with new malware samples. Although estimates vary, approximately 150,000 new malware strains are released each day. Not enough manpower exists to manually address the volume of new malware samples that arrive daily in analysts' queues. Malware analysts need an approach that allows them to sort samples in a fundamental way so they can assign priority to the most malicious binary files. In this podcast, Jose Morales, a malicious software researcher with the CERT Division, discusses an approach for prioritizing malware samples, helping analysts to identify the most destructive malware to examine first, based on the binary file's execution behavior and its potential impact. Related Training Malware Analysis Apprenticeship Listen on Apple Podcasts.

In the acquisition of a software-intensive system, the relationship between the software architecture and the acquisition strategy is typically not examined. Although software is increasingly important to the success of government programs, there is often little consideration given to its impact on early key program decisions. The Carnegie Mellon University Software Engineering Institute (SEI) is conducting a multi-phase research initiative aimed at answering the question: is the probability of a program's success improved through deliberately producing a program acquisition strategy and software architecture that are mutually constrained and aligned? Moreover, can we develop a method that helps government program offices produce such alignment? In this podcast, Patrick Place describes research aimed at determining how acquisition quality attributes can be expressed and used to facilitate alignment among the software architecture and acquisition strategy. Listen on Apple Podcasts.

Trust is a key factor in the effectiveness of the Wireless Emergency Alerts (WEA) service. Alert originators at emergency management agencies must trust WEA to deliver alerts to the public in an accurate and timely manner. The public must also trust the WEA service before they will act on the alerts that they receive. Managing trust in WEA is a responsibility shared among many stakeholders who are engaged with WEA. In this podcast, Robert Ellison and Carol Woody discuss research aimed at developing recommendations for alert originators, the Federal Emergency Management Agency, commercial mobile service providers, and suppliers of message-generation software that would enhance both alert originators' trust in the WEA service and the public's trust in the alerts that they receive. Listen on Apple Podcasts.

The importance of verification and validation (especially testing) is a major reason that the traditional waterfall development cycle underwent a minor modification to create the V model that links early development activities to their corresponding later testing activities. In this podcast, Don Firesmith introduces three variants on the V model of system or software development that make it more useful to testers, quality engineers, and other stakeholders interested in the use of testing as a verification and validation method. Listen on Apple Podcasts.

The Personal Software Process promotes the use of careful procedures during all stages of development with the aim of increasing an individual's productivity and producing high quality final products. Formal methods use the same methodological strategy as the PSP: emphasizing care in development procedures as opposed to relying on testing and debugging. They also establish the radical requirement of proving mathematically that the programs produced satisfy their specifications. Design by Contract is a technique for designing components of a software system by establishing their conditions of use and behavioral requirements in a formal language. When appropriate techniques and tools are incorporated to prove that the components satisfy the established requirements, the method is called Verified Design by Contract (VDbC). In this podcast, Bill Nichols discusses a proposal for integrating VDbC into PSP to reduce the number of defects present at the unit-esting phase, while preserving or improving productivity. The resulting adaptation of the PSP, called PSPVDC, incorporates new phases, modifies others, and adds new scripts and checklists to the infrastructure. Specifically, the phases of formal specification, formal specification review, formal specification compile, test case construct, pseudo code, pseudo code review, and proof are added. Listen on Apple Podcasts.

Technical professionals are often called on to research, recommend, implement, and execute IT risk assessment and analysis processes. These processes provide important data used by management to responsibly grow and protect the business through good decision making for mitigating, accepting, transferring, or avoiding risk. These decisions must account for IT risks caused by emerging threats to the enterprise and vulnerabilities in the people, processes and technologies required for digital business. Which method you choose for IT risk assessment and risk analysis is far less important than ensuring that the selected methodology is operationalized and a good fit for the corporate culture. The selected approach must be able to produce output that is meaningful to management, and supporting processes must account for assumptions, documentation, and potential gaming of the system. Tools should be leveraged, where possible, to ease method adoption. In this podcast, Ben Tomhave and Erik Heidt, research directors with Gartner Technical Professionals, discuss methods for IT risk assessment and analysis and comparison factors for selecting the methods that are the best fit for your organization. Listen on Apple Podcasts.

In 2013, the AADL Standards meeting was held at SEI headquarters in Pittsburgh, PA. The SEI Podcast Series team was there, and we interviewed several members of the AADL Standards Committee. This podcast is the second in a series based on those interviews. Listen on Apple Podcasts.

The SEI has seen increased interest and adoption of OSS products across the federal government, including the Department of Defense, the intelligence community, and the Department of Homeland Security. The catalyst for this increase has been innovators in government seeking creative solutions to rapidly field urgently needed technologies. While the rise of OSS adoption signals a new approach for government t acquirers, it is not without risks that, it is not without risks that must be acknowledged and addressed, particularly given current certification and accreditation (C&A) techniques. In this podcast, Kate Ambrose Sereno and Naomi Anderson discuss research aimed at developing adoptable, evidence-based, data-driven approaches to evaluating (open source) software. Listen on Apple Podcasts.

The process of designing and analyzing software architectures is complex. Architectural design is a minimally constrained search through a vast multi-dimensional space of possibilities. The end result is that architects are seldom confident that they have done the job optimally, or even satisfactorily. Over the past two decades, practitioners and researchers have used architectural patterns to expedite sound software design. Architectural patterns are prepackaged chunks of design that provide proven structural solutions for achieving particular software system quality attributes, such as scalability or modifiability. While use of patterns has simplified the architectural design process somewhat, key challenges remain. In this podcast, Rick Kazman discusses these challenges and a solution he has developed for achieving system security qualities through use of patterns. Listen on Apple Podcasts.

ES-C2M2 helps improve the operational resilience of the U.S. power grid.  Listen on Apple Podcasts.

In this episode, the fifth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense (DoD), the two researchers discuss the application of the fifth principle, Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done. Listen on Apple Podcasts.

From the braking system in automobiles to the software that controls aircraft, safety-critical systems are ubiquitous. Showing that such systems meet their safety requirements has become a critical area of work for software and systems engineers. The SEI is addressing this issue with a significant research program into assurance cases. In this podcast, the first in a series on assurance cases and confidence, Charles Weinstock introduces the concept of assurance cases and discusses how they can be used to assure that complex software-based systems meet certain kinds of requirements such as safety, security, and reliability. Listen on Apple Podcasts.

An essential element of secure coding in the C programming language is a set of well-documented and enforceable coding rules. The rules specified in this Technical Specification apply to analyzers, including static analysis tools, and C language compiler vendors that wish to diagnose insecure code beyond the requirements of the language standard. All rules are meant to be enforceable by static analysis. The application of static analysis to security has been done in an ad hoc manner by different vendors, resulting in nonuniform coverage of significant security issues. This specification enumerates secure coding rules and requires analysis engines to diagnose violations of these rules as a matter of conformance to this specification. In this podcast, Robert Seacord, the leader of CERT's Secure Coding Initiative, discusses the 7-year journey resulting in the selection of 46 coding rules, derived from the CERT C Secure Coding Standard, for this new technical specification.   Listen on Apple Podcasts.

In 2013, the AADL Standards meeting was held at SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there, and we interviewed several members of the AADL Standards Committee. This podcast, with Peter Feiler and Etienne Borde of Télécom Paris Tech, is the first in a series based on these interviews. Listen on Apple Podcasts.

In this podcast, Tim Chick and Gene Miluk discuss methodology and outputs of the Checkpoint Diagnostic, a tool that provides organizations with actionable performance related information and analysis closely linked to business value. The Checkpoint Diagnostic utilizes process models, data mapping, and quantitative analytics to provide organizations with qualitative process baselines, quantitative performance baselines, benchmark performance comparison, and a prioritized listing of improvement opportunities. Listen on Apple Podcasts.

In this episode, Ian Gorton and John Klein discuss big data and the challenges it presents for software engineers. With help from fellow SEI researchers, the two have developed a lightweight risk reduction approach to help software engineers manage the challenges of big data. Called Lightweight Evaluation and Architecture Prototyping (for Big Data), the approach is based on principles drawn from proven architecture and technology analysis and evaluation techniques to help the Department of Defense (DoD) and other enterprises including avionics, communications, and healthcare develop and evolve systems to manage big data. Listen on Apple Podcasts.

The U.S. Department of Homeland Security (DHS) conducts a no-cost, voluntary Cyber Resilience Review (CRR) to evaluate and enhance cybersecurity capacities and capabilities within all 18 Critical Infrastructure and Key Resources (CIKR) Sectors, as well as State, Local, Tribal, and Territorial (SLTT) governments. The goal of the CRR is to develop an understanding of an organization's operational resilience and ability to manage cyber risk to its critical services and assets during normal operations and during times of operational stress and crises. In this podcast, Kevin Dillon, Branch Chief for Stakeholder Risk Assessment and Mitigation with DHS and Matthew Butkovic, the CERT Division's Technical Portfolio Manager for Infrastructure Resilience, discuss the DHS Cyber Resilience Review and how it is helping critical infrastructure owners and operators improve their operational resilience and security. Listen on Apple Podcasts.

In this podcast Soumya Simanta describes research aimed at creating the Edge Mission-Oriented Tactical App Generator (eMontage), a software prototype that allows warfighters and first responders to rapidly integrate or mash geo-tagged situational awareness data from multiple remote data sources. Listen on Apple Podcasts.

In this episode, the fourth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of agile principles in the Department of Defense (DoD), the two researchers discuss the application of the fourth principle, "Business people and developers must work together daily throughout the project." Listen on Apple Podcasts.

In this episode, Eric Werner discusses research that he and several of his colleagues are conducting to help software developers create systems for the many-core central processing units in massively parallel computing environments. Eric and his team are creating a software library that can exploit the heterogeneous parallel computers of the future and allow developers to create systems that are more efficient at computation and power consumption. Listen on Apple Podcasts.

In this episode, Bill Novak talks about his work with acquisition archetypes and how they can be used to help government programs avoid problems in software development and systems acquisition. Acquisition archetypes are developed based on experiences with actual programs, and they use concepts from systems thinking to characterize and analyze dynamics. Listen on Apple Podcasts.

In this episode, James Edmondson discusses his research on autonomous systems, specifically robotic systems and autonomous systems for robotic systems. In particular, his research focuses on partial autonomy with an aim of complementing human users and extending their reach and capabilities in mission- critical environments. Listen on Apple Podcasts.

In late June 2013, a team of SEI researchers attended a four-day music festival at the invitation of Adam Miller, director of the Huntingdon County, Pennsylvania, Emergency Management Agency. The festival typically draws close to 100,000 concert goers to a rural farm in Pennsylvania that lacks significant infrastructure and is accessible only by a two-lane highway. Miller is charged with ensuring the public safety, so it seemed like a good match to partner with researchers from the SEI's Advanced Mobile Systems Team, which supports emergency responders and soldiers in the field who work in situations with limited computer resources, poor connections with networks, and highly diverse missions. This podcast highlights an interview that Bill Pollak, communication and transition manager in the SEI Software Solutions Division, conducted with Miller. Listen on Apple Podcasts.

In recent years, rapid evolutions have occurred in technology and its application in most market sectors, leading to the introduction of many new systems, business processes, markets, and enterprise integration approaches. How do you manage the interactions of systems and processes that are continually evolving? Just as important, how can you tell if you are doing a good job of managing these changes, as well as monitoring your progress on an ongoing basis? And how do poor processes impact interoperability, safety, reliability, efficiency, and effectiveness? Maturity models can help you answer these questions by providing a benchmark to use when assessing how a set of security practices has evolved. [1] In this podcast, Rich Caralli, the technical director of CERT's Cyber Enterprise and Workforce Management Directorate, discusses maturity models and how they are being used to improve cybersecurity. He describes their key concepts, definitions, and principles and how these can and have been applied to a wide range of disciplines and market sectors. Related Courses Introduction to the CERT Resilience Management Model Listen on Apple Podcasts.

In this episode, the third in a series by Suzanne Miller and Mary Ann Lapham exploring the application of agile principles in the Department of Defense (DoD), the two researchers discuss the application of the third principle, "Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale." Listen on Apple Podcasts.

"Release early, release often" to significantly improve software performance, stability, and security using a DevOps approach. Listen on Apple Podcasts.

Modern mobile devices create new opportunities to interact with their surrounding environment, but their computational power and battery capacity is limited. Code offloading to external servers located in clouds or data centers can help overcome these limitations. However, in hostile environments it is not possible to guarantee reliable networks. Consequently, stable cloud access is not available. Cyber foraging is a technique for offloading resource-intensive tasks from mobile devices to resource-rich surrogate machines in close wireless proximity. One type of surrogate machine is a cloudlet—a generic server that runs one or more virtual machines (VMs) located in single-hop distance to the mobile device. Cloudlet-based cyber foraging can compensate for missing cloud access in hostile environments. One strategy for cloudlet provisioning is VM synthesis. Unfortunately, this method is time consuming and battery draining because it requires large file transfers. In this podcast, researcher Grace Lewis discusses application virtualization as a more lightweight alternative to VM synthesis for cloudlet provisioning. Listen on Apple Podcasts.

The National Institute of Standards & Technology (NIST) reports that inadequate testing methods and tools annually cost the U.S. economy between $22.2 billion and $59.5 billion, with roughly half of these costs borne by software developers in the form of extra testing and half by software users in the form of failure avoidance and mitigation efforts. The same study notes that between 25 percent and 90 percent of software development budgets are often spent on testing. In this episode, SEI researcher Don Firesmith discusses problems that commonly occur during testing as well as his development of a framework that lists potential symptoms by which each can be recognized, potential negative consequences, and potential causes, and makes recommendations for preventing them or mitigating their effects. Listen on Apple Podcasts.

In this episode, SEI researcher Bill Novak discusses joint programs and social dilemmas, which have become increasingly common in defense acquisition, and the ways in joint program outcomes can be affected by their underlying structure. Listen on Apple Podcasts.

In this episode, the second in a series by Suzanne Miller and Mary Ann Lapham exploring the application of agile principles in the Department of Defense (DoD), the two researchers discuss the application of the second principle, "Welcome changing requirements, even late in development. Agile processes harness change for the customer's competitive advantage." Listen on Apple Podcasts.

Four experience reports demonstrate how the CERT Resilience Management Model can be applied to manage complex and diverse operational risks. Related Courses Introduction to the CERT Resilience Management Model CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series Listen on Apple Podcasts.

In this episode, Peter Feiler discusses his recent work to improve the quality of software-reliant systems through an approach known as the Reliability Validation and Improvement Framework. The purpose of the framework is to facilitate early defect discovery and incremental end-to-end validation. Listen on Apple Podcasts.

A common language is essential to develop a shared understanding to better analyze malicious code. Related Course Malware Analysis Apprenticeship Listen on Apple Podcasts.

In this podcast, Joe Elm discusses the results of a recent technical report, The Business Case for Systems Engineering, which establishes clear links between the application of systems engineering (SE) best practices to projects and programs and the performance of those projects and programs. The report clearly shows that projects that do more SE perform better in terms of meeting budgets, schedules, and technical requirements. The survey population consisted of projects and programs executed by system developers reached through the National Defense Industrial Association Systems Engineering Division, the Institute of Electrical and Electronics Engineers Aerospace and Electronic Systems Society, and the International Council on Systems Engineering. Listen on Apple Podcasts.