
Software Engineering Institute (SEI) Podcast Series
431 episodes — Page 7 of 9
Applying Agile in the DoD: First Principle
In this episode, the first in a series by Suzanne Miller and Mary Ann Lapham exploring the application of agile principles in the Department of Defense (DoD), the two researchers discuss the first principle: "Our highest priority is to satisfy the customer through early and continuous delivery of valuable software."
The Evolution of a Science Project
Analysis work by the SEI on data collected from more than 100 independent technical assessments (ITAs) of software-reliant acquisition programs has produced insights into some of the most common ways that programs encounter difficulties. In this episode, Bill Novak and Andy Moore describe a recent technical report, The Evolution of a Science Project, which is based on these insights and intends to mitigate the effects of both misaligned acquisition program organizational incentives and adverse software-reliant acquisition structural dynamics by improving acquisition staff decision-making.
Securing Mobile Devices aka BYOD
Ensuring the security of personal mobile devices that have access to enterprise networks requires action from employers and users.
What's New With Version 2 of the AADL Standard?
In this episode, Peter Feiler, primary author of the Architecture Analysis & Design Language (AADL) standard, discusses the latest changes to the standard, the second version of which was released in January 2009. First published in 2004 by SAE International, AADL is a modeling notation that employs both a textual and graphical representation to provide modeling concepts to describe the runtime architecture of application systems in terms of concurrent tasks, their interactions, and their mapping onto an execution platform. Development organizations use AADL to conduct lightweight, rigorous, yet comparatively inexpensive analyses of critical real-time factors such as performance, dependability, security, and data integrity.
The State of the Practice of Cyber Intelligence
In 2012, representatives from the government approached the SEI Innovation Center about conducting research to assess the state of the practice of cyber intelligence. The overall intent is to expose industry to the best practices in capabilities and methodologies developed by the government, and for the government to learn from the process efficiencies and tools used in industry. In areas where both the government and industry are experiencing challenges, the SEI can leverage its expertise to develop and prototype innovative technologies and processes that can benefit all participants in the program. In this podcast, Troy Townsend and Jay McAllister discuss their findings with Suzanne Miller, a researcher at the SEI.
Mitigating Insider Threat - New and Improved Practices Fourth Edition
371 cases of insider attacks led to 4 new and 15 updated best practices for mitigating insider threat. Related Course: Insider Threat Workshop.
Technology Readiness Assessments
In this podcast, Michael Bandor discusses technology readiness assessments (TRAs), which the Department of Defense defines as a formal, systematic, metrics-based process and accompanying report that assess the maturity of critical hardware and software technologies to be used in systems. In a conversation with fellow researcher Suzanne Miller, Bandor describes the latest developments with TRAs and his experiences.
Standards in Cloud Computing Interoperability
Organizations that use the cloud want the ability to easily move workloads and data from one cloud provider to another or between private and public clouds. A common tactic for enabling interoperability is the use of open standards, and many cloud standardization projects are developing standards for the cloud. In this podcast, Grace Lewis discusses her latest research exploring the role of standards in cloud-computing interoperability, which covers cloud-computing basics, standards-related efforts, and cloud-interoperability use cases, and provides some recommendations for moving forward with cloud-computing adoption regardless of the maturity of standards for the cloud.
Managing Disruptive Events: Demand for an Integrated Approach to Better Manage Risk
Governments and markets are calling for the integration of plans for and responses to disruptive events. Related Courses: Introduction to the CERT Resilience Management Model; CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series.
The Latest Developments in AADL
In this episode, Julien Delange and Peter Feiler discuss the latest developments with the Architecture Analysis and Design Language (AADL) standard. First published in 2004 by SAE International, AADL is a modeling notation that employs both a textual and graphical representation. AADL provides modeling concepts to describe the runtime architecture of application systems in terms of concurrent tasks, their interactions, and their mapping onto an execution platform. Development organizations use AADL to conduct lightweight, rigorous, yet comparatively inexpensive analyses of critical real-time factors such as performance, dependability, security, and data integrity.
The Fundamentals of Agile
In today's fast-paced, global economy, industry and government customers demand innovation coupled with the ability to adapt products and systems to rapidly changing needs. At the same time, the time frame for developing software continues to shorten. As a result, agile software development processes like Scrum and Extreme Programming, with their emphasis on releasing new software capabilities rapidly, are increasing in popularity beyond small teams and individual projects. In this episode, Tim Chick, a senior member of the technical staff in the Team Software Process (TSP) initiative, discusses the fundamentals of agile, specifically what it means for an organization to be agile, and provides three criteria for organizations seeking to implement agile.
Software for Soldiers who use Smartphones
Whether soldiers are on the battlefield or providing humanitarian relief, they need to capture and process a wide range of text, image, and map-based information. To support soldiers in this effort, the Department of Defense is beginning to equip soldiers with smartphones to allow them to manage the vast array of information they encounter while in the field. Whether the information gets correctly conveyed up the chain of command depends, in part, on the soldier's ability to capture accurate data while in the field. In this episode, Ed Morris describes research to create a software application for smartphones that allows soldier end-users to program their smartphones to provide an interface tailored to the information they need for a specific mission.
Managing Disruptive Events: Making the Case for Operational Resilience
Today's high-risk, global, fast, and very public business environment demands a more integrated approach to avoid being surprised by disruptive events. Related Courses: Introduction to the CERT Resilience Management Model; CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series.
Architecting Service-Oriented Systems
A common misconception is that developers using a service-oriented architecture can achieve system qualities such as interoperability and modifiability by simply integrating a set of vendor products that provide an infrastructure. Developers often believe they may then use this infrastructure to expose a set of reusable services to build systems. In reality, developers need to make many architectural decisions. In this episode, Grace Lewis discusses general guidelines for architecting service-oriented systems, how common service-oriented system components support these principles, and the effect these principles and their implementation have on system quality attributes.
The SEI Strategic Plan
In this podcast, Bill discusses the development of the SEI's long-term technical strategic plan to advance the practice of software engineering for the Department of Defense (DoD) through research and technology transition involving the DoD, federal agencies, industry, and academia.
Quantifying Uncertainty in Early Lifecycle Cost Estimation
By law, major defense acquisition programs are now required to prepare cost estimates earlier in the acquisition lifecycle, including pre-Milestone A, well before concrete technical information is available on the program being developed. Estimates are therefore often based on a desired capability, or even on an abstract concept, rather than on a concrete technical solution plan to achieve the desired capability. Hence the role and modeling of assumptions become more challenging. In today's podcast episode, Jim McCurley and Robert Stoddard discuss a new method developed by the SEI's Software Engineering Measurement and Analysis (SEMA) team, Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE). QUELCE is a method for improving pre-Milestone A software cost estimates through research designed to improve judgment regarding uncertainty in key assumptions (called "program change drivers"), the relationships among the program change drivers, and their impact on cost.
Using Network Flow Data to Profile Your Network and Reduce Vulnerabilities
A network profile can help identify unintended points of entry, misconfigurations, and other weaknesses that may be visible to attackers.
Architecting a Financial System with TSP
The SEI recently worked with Bursatec to create a reliable and fast new trading system for Grupo Bolsa Mexicana de Valores, the Mexican Stock Exchange. This project combined elements of the SEI's Architecture Centric Engineering (ACE) method, which requires effective use of software architecture to guide system development, with its Team Software Process (TSP), which is a team-centric approach to developing software that enables organizations to better plan and measure their work. In this episode, Felix Bachmann and James McHale discuss their work on the project.
The Importance of Data Quality
Organizations rely on valid data to make informed decisions. When data integrity is compromised, the veracity of the decision-making process is likewise threatened. In this episode, Dave Zubrow discusses the importance of data quality and research that his team is undertaking in this area.
How to More Effectively Manage Vulnerabilities and the Attacks that Exploit Them
Deploy vulnerability exploit prevention and mitigation techniques to thwart attacks and manage the arms race. Related Course: Malware Analysis Apprenticeship.
Misaligned Incentives
In this episode, Novak discusses misaligned incentives, particularly misaligned people incentives in software acquisition programs, and how the wrong incentives can undermine acquisition programs and produce poor outcomes.
An Architecture-Focused Measurement Framework for Managing Technical Debt
Managing technical debt, which refers to the rework and degraded quality resulting from overly hasty delivery of software capabilities to users, is an increasingly critical aspect of producing cost-effective, timely, and high-quality software products. A delicate balance is needed between the desire to release new software capabilities rapidly to satisfy users and the desire to practice sound software engineering that reduces rework. In this podcast, Ipek Ozkaya discusses the SEI's research on the strategic management of technical debt, which involves decisions made to defer necessary work during the planning or execution of a software project.
Cloud Computing for the Battlefield
Soldiers can use handheld mobile computing devices (aka smartphones) to help with various tasks, such as speech and image recognition, natural language processing, decision making, and mission planning. There are challenges to achieving these capabilities, such as unreliable networks and bandwidth, lack of computational power, and the toll that computation-intensive tasks take on battery power. In this episode, Grace discusses research that she is leading to overcome these challenges by using cloudlets, which are localized, lightweight servers running one or more virtual machines on which soldiers can offload expensive computations from their handheld mobile devices, thereby providing greater processing capacity and helping conserve battery power.
Agile Acquisition
The SEI is focused on reducing the DoD information technology (IT) development cycle, currently as long as 81 months, to short, incremental approaches that yield results more quickly. One complicating factor is that DoD acquisition programs (like other highly regulated commercial environments) have a prescribed vision of how IT systems are developed. This podcast explores the SEI's research and work to assist the DoD in Agile acquisition.
How a Disciplined Process Enhances & Enables Agility
Typically, people who believe themselves to be Agile believe that developers realize the best results when they focus on empowered teams, collaboration with stakeholders, avoiding unnecessary work, and receiving frequent feedback. Agilists hate the term "process" because they use the word somewhat differently than we do. The word "process," however, can be defined as something done repeatedly, with some discipline, and to achieve an end. In this podcast, Bill Nichols discusses how a disciplined process enables and enhances agility.
U.S. Postal Inspection Service Use of the CERT Resilience Management Model
CERT-RMM can be used to establish and meet resilience requirements for a wide range and diverse set of business objectives. Related Courses: Introduction to the CERT Resilience Management Model; CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series.
Insights from the First CERT Resilience Management Model Users Group
Implementing CERT-RMM requires well-defined improvement objectives, sponsorship, proper scoping and diagnosis, and defined processes and measures. Related Courses: Introduction to the CERT Resilience Management Model; CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series.
NIST Catalog of Security and Privacy Controls, Including Insider Threat
Security controls, including those for insider threat, are the safeguards necessary to protect information and information systems. Related Course: Insider Threat Workshop.
Cisco's Adoption of CERT Secure Coding Standards
Implementing secure coding standards to reduce the number of vulnerabilities that can escape into operational systems is a sound business decision. Related Course: Secure Coding in C and C++.
How to Become a Cyber Warrior
Protecting the internet and its users against cyber attacks requires a significant increase in the number of skilled cyber warriors. Related Courses: Information Security for Technical Staff; Fundamentals of Incident Handling.
Considering Security and Privacy in the Move to Electronic Health Records
Electronic health records bring many benefits along with security and privacy challenges.
Measuring Operational Resilience
Measures of operational resilience should answer key questions, inform decisions, and affect behavior. Related Course: Introduction to the CERT Resilience Management Model.
Why Organizations Need a Secure Domain Name System
Use of Domain Name System security extensions can help prevent website hijacking attacks.
Controls for Monitoring the Security of Cloud Services
Depending on the service model, cloud providers and customers can monitor and implement controls to better protect their sensitive information.
Building a Malware Analysis Capability
Analyzing malware is essential to assess the damage and reduce the impact associated with ongoing infection. Related Course: Malware Analysis Apprenticeship.
Using the Smart Grid Maturity Model (SGMM)
Over 100 electric power utilities are accelerating their transformation to the smart grid by using the Smart Grid Maturity Model.
Integrated, Enterprise-Wide Risk Management: NIST 800-39 and CERT-RMM
Business leaders must address risk at the enterprise, business process, and system levels to effectively protect against today's and tomorrow's threats. Related Courses: Assessing Information Security Risk Using the OCTAVE Approach; Introduction to the CERT Resilience Management Model.
Conducting Cyber Exercises at the National Level
Scenario-based exercises help organizations, governments, and nations prepare for, identify, and mitigate cyber risks.
Indicators and Controls for Mitigating Insider Threat
Technical controls may be effective in helping prevent, detect, and respond to insider crimes. Related Course: Insider Threat Workshop.
How Resilient Is My Organization?
Use the CERT Resilience Management Model (CERT-RMM) to help ensure that critical assets and services perform as expected in the face of stress and disruption. Related Course: Introduction to the CERT Resilience Management Model.
Public-Private Partnerships: Essential for National Cyber Security
Government agencies and private industry must build effective partnerships to secure national critical infrastructures.
Software Assurance: A Master's Level Curriculum
Knowledge about software assurance is essential to ensure that complex systems function as intended. Related Course: Secure Coding in C and C++.
How to Develop More Secure Software - Practices from Thirty Organizations
Organizations can benchmark their software security practices against 109 observed activities from 30 organizations. Related Course: Secure Coding in C and C++.
Mobile Device Security: Threats, Risks, and Actions to Take
Internet-connected mobile devices are becoming increasingly attractive targets.
Establishing a National Computer Security Incident Response Team (CSIRT)
A national CSIRT is essential for protecting national and economic security, and ensuring the continuity of government agencies and critical infrastructures. Related Courses: Creating a Computer Security Incident Response Team; Managing Computer Security Incident Response Teams.
Securing Industrial Control Systems
Securing systems that control physical switches, valves, pumps, meters, and manufacturing lines as these systems connect to the internet is critical for service continuity.
The Power of Fuzz Testing to Reduce Security Vulnerabilities
To help identify and eliminate security vulnerabilities, subject all software that you build and buy to fuzz testing.
Protect Your Business from Money Mules
Organized criminals recruit unsuspecting intermediaries to help steal funds from small businesses.
Train for the Unexpected
Being able to respond effectively when faced with a disruptive event requires that staff members learn to become more resilient.
The Role of the CISO in Developing More Secure Software
CISOs must leave no room for anyone to deny that they understand what is expected of them when developing secure software.