
Software Engineering Institute (SEI) Podcast Series

421 episodes - English - Latest episode: 19 days ago - ★★★★★ - 18 ratings

The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.

Technology Science futuretech softwareengineering cybersecurity

Episodes

Developing and Using a Software Bill of Materials Framework

April 04, 2024 17:58 - 37 minutes - 43.1 MB

With the increasing complexity of software systems, the use of third-party components has become a widespread practice. Cyber disruptions, such as SolarWinds and Log4j, demonstrate the harm that can occur when organizations fail to manage third-party components in their software systems. In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Woody, principal researcher, and Michael Bandor, a senior software engineer, discuss a Software Bill of Materials (SB...

The Importance of Diversity in Cybersecurity: Carol Ware

March 21, 2024 13:11 - 26 minutes - 32.4 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Ware, a senior cybersecurity engineer in the SEI’s CERT Division, discusses her career path, the value of mentorship, and the importance of diversity in cybersecurity.

The Importance of Diversity in Software Engineering: Suzanne Miller

March 21, 2024 04:09 - 29 minutes - 35 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Suzanne Miller, a principal researcher in the SEI’s Software Solutions Division, discusses her career path, the value of mentorship, and the importance of diversity in software engineering.

The Importance of Diversity in Artificial Intelligence: Violet Turri

March 15, 2024 14:20 - 16 minutes - 23.5 MB

Across the globe, women account for less than 30 percent of professionals in technical fields. That number drops to 22 percent in the field of Artificial Intelligence (AI). In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Violet Turri, a software developer in the SEI’s AI Division, discusses the evolution of her career in AI and the importance of diversity in the field.

Using Large Language Models in the National Security Realm

February 16, 2024 02:51 - 34 minutes - 40.4 MB

At the request of the White House, the Office of the Director of National Intelligence (ODNI) began exploring use cases for large language models (LLMs) within the Intelligence Community (IC). As part of this effort, ODNI sponsored the Mayflower Project at Carnegie Mellon University’s Software Engineering Institute (SEI) from May 2023 through September 2023. The Mayflower Project attempted to answer the following questions: How might the IC set up a baseline, stand-alone LLM? How mi...

Atypical Applications of Agile and DevSecOps Principles

February 09, 2024 17:37 - 33 minutes - 39 MB

Modern software engineering practices of Agile and DevSecOps have provided a foundation for producing working software products faster and more reliably than ever before. Far too often, however, these practices do not address the non-software concerns of business mission and capability delivery even though these concerns are critical to the successful delivery of a software product. Through our work with government organizations, we have found that expanding DevSecOps beyond product developm...

When Agile and Earned Value Management Collide: 7 Considerations for Successful Interaction

January 31, 2024 15:11 - 35 minutes - 41 MB

Increasingly in government acquisition of software-intensive systems, we are seeing programs using Agile development methodology and earned value management (EVM). While there are many benefits to using both Agile and EVM, there are important considerations that software program managers must first address. In this podcast, Patrick Place, a senior engineer, and Stephen Wilson, a test engineer, both with the SEI Agile Transformation Team, discuss seven considerations for successful use of Agile and...

The Impact of Architecture on Cyber-Physical Systems Safety

January 24, 2024 19:56 - 34 minutes - 39.8 MB

As developers continue to build greater autonomy into cyber-physical systems (CPSs), such as unmanned aerial vehicles (UAVs) and automobiles, these systems aggregate data from an increasing number of sensors. However, more sensors not only create more data and more precise data, but they require a complex architecture to correctly transfer and process multiple data streams. This increase in complexity comes with additional challenges for functional verification and validation, a greater pote...

ChatGPT and the Evolution of Large Language Models: A Deep Dive into 4 Transformative Case Studies

December 14, 2023 21:15 - 46 minutes - 52.1 MB

To better understand the potential uses of large language models (LLMs) and their impact, a team of researchers at the Carnegie Mellon University Software Engineering Institute CERT Division conducted four in-depth case studies. The case studies span multiple domains and call for vastly different capabilities. In this podcast, Matthew Walsh, a senior data scientist in CERT, and Dominic Ross, Multi-Media Design Team lead, discuss their work in developing the four case studies as well as limit...

The Cybersecurity of Quantum Computing: 6 Areas of Research

November 28, 2023 20:42 - 23 minutes - 29.3 MB

Research and development of quantum computers continues to grow at a rapid pace. The U.S. government alone spent more than $800 million on quantum information science research in 2022. Thomas Scanlon, who leads the data science group in the SEI CERT Division, was recently invited to be a participant in the Workshop on Cybersecurity of Quantum Computing, co-sponsored by the National Science Foundation (NSF) and the White House Office of Science and Technology Policy, to examine the emerging ...

User-Centric Metrics for Agile

November 16, 2023 14:36 - 31 minutes - 37.2 MB

Far too often software programs continue to collect metrics for no other reason than that is how it has always been done. This leads to situations where, for any given environment, a metrics program is defined by a list of metrics that must be collected. A top-down, deterministic specification of graphs or other depictions of data required by the metrics program can distract participants from the potentially useful information that the metrics reveal and illuminate. In this podcast from the ...

The Product Manager’s Evolving Role in Software and Systems Development

November 10, 2023 01:41 - 24 minutes - 30.2 MB

In working with software and systems teams developing technical products, Judy Hwang, a senior software engineer in the SEI CERT Division, observed that teams were not investing the time, resources and effort required to manage the product lifecycle of a successful product. These activities include thoroughly exploring the problem space by talking to users, assessing existing solutions, understanding the competition, and positioning the product to create value for customers. In this podcast...

Measuring the Trustworthiness of AI Systems

October 12, 2023 19:51 - 19 minutes - 26 MB

The ability of artificial intelligence (AI) to partner with the software engineer, doctor, or warfighter depends on whether these end users trust the AI system to partner effectively with them and deliver the outcome promised. To build appropriate levels of trust, expectations must be managed for what AI can realistically deliver. In this podcast from the SEI’s AI Division, Carol Smith, a senior research scientist specializing in human-machine interaction, joins design researchers Katherin...

Actionable Data in the DevSecOps Pipeline

September 13, 2023 14:57 - 31 minutes - 37.8 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Bill Nichols and Julie Cohen talk with Suzanne Miller about how automation within DevSecOps product-development pipelines provides new opportunities for program managers (PMs) to confidently make decisions with the help of readily available data. As in commercial companies, DoD PMs are accountable for the overall cost, schedule, and performance of a program. The PM’s job is even more complex in large progra...

Insider Risk Management in the Post-Pandemic Workplace

September 08, 2023 13:51 - 47 minutes - 52.1 MB

In the wake of the COVID pandemic, the workforce decentralized and shifted toward remote and hybrid environments. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Dan Costa, technical manager of enterprise threat and vulnerability management, and Randy Trzeciak, deputy director of Cyber Risk and Resilience, both with the SEI’s CERT Division, discuss how remote work in the post-pandemic world is changing expectations about employee behavior monitorin...

An Agile Approach to Independent Verification and Validation

August 09, 2023 15:48 - 31 minutes - 37.7 MB

Independent verification and validation (IV&V) is a significant step in the process of deploying systems for mission-critical applications in the Department of Defense (DoD). In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Justin Smith, senior Agile transformation leader in the SEI Software Solutions Division, talks with principal researcher Suzanne Miller about how to bring concepts from Lean and Agile software development into the practice of IV&V....

Zero Trust Architecture: Best Practices Observed in Industry

July 26, 2023 17:16 - 27 minutes - 33.8 MB

Zero trust architecture has the potential to improve an enterprise’s security posture. There is still considerable uncertainty about the zero trust transformation process, however, as well as how zero trust architecture will ultimately appear in practice. Recent executive orders have accelerated the timeline for zero trust adoption in the federal sector, and many private-sector organizations are following suit. Researchers in the CERT Division at the Carnegie Mellon University Software Engin...

Automating Infrastructure as Code with Ansible and Molecule

July 10, 2023 11:32 - 39 minutes - 44.6 MB

In Ansible, roles allow system administrators to automate the loading of certain variables, tasks, files, templates, and handlers based on a known file structure. Grouping content by roles allows for easy sharing and reuse. When developing roles, users must deal with various concerns, including what operating system(s) and version(s) will be supported and whether a single node or a cluster of machines is needed. In this podcast from the Carnegie Mellon University Software Engineering Institu...

Identifying and Preventing the Next SolarWinds

June 20, 2023 15:20 - 46 minutes - 50.6 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Gregory J. Touhill, director of the SEI CERT Division, talks with principal researcher Suzanne Miller about the 2020 attack on SolarWinds software and how to prevent a recurrence of another major attack on key systems that are in widespread use. SolarWinds is the name of a company that provided software to the U.S. federal government. In late 2020, news surfaced about a cyberattack that had already be...

A Penetration Testing Findings Repository

June 13, 2023 20:01 - 25 minutes - 31.8 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Marisa Midler and Samantha Chaves, penetration testers with the SEI’s CERT Division, talk with Suzanne Miller about a penetration-testing repository that they helped to build. The repository is a source of information for active directory, phishing, mobile technology, systems and services, web applications, and mobile- and wireless-technology weaknesses that could be discovered during a penetration tes...

Understanding Vulnerabilities in the Rust Programming Language

June 08, 2023 18:17 - 36 minutes - 42.1 MB

While the memory safety and security features of the Rust programming language can be effective in many situations, Rust’s compiler is very particular about what constitutes good software design practices. Whenever design assumptions disagree with real-world data and assumptions, there is the possibility of security vulnerabilities, and of malicious software that can take advantage of those vulnerabilities. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI),...

We Live in Software: Engineering Societal-Scale Systems

May 18, 2023 19:25 - 39 minutes - 44.5 MB

Societal-scale software systems, such as today’s commercial social media platforms, are among the most widely used software systems in the world, with some platforms reporting billions of daily active users. These systems have created new mechanisms for global communication and connect people with unprecedented speed. Despite the numerous benefits of societal-scale systems, these systems are designed to optimize user engagement and scale by using psychology (such as gaming and reward mechani...

Secure by Design, Secure by Default

May 10, 2023 14:58 - 54 minutes - 58.7 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Gregory J. Touhill, director of the SEI CERT Division, talks with Suzanne Miller about secure by design, secure by default, a longstanding tenet of the work of the SEI and CERT in particular. The SEI has been in the forefront of secure software development, promoting an approach where security weaknesses are addressed, prevented, or eliminated earlier in the software development lifecycle, which not only...

Key Steps to Integrate Secure by Design into Acquisition and Development

May 02, 2023 20:36 - 48 minutes - 53.2 MB

Secure by design means performing more security and assurance activities earlier in the product and system lifecycles. A secure-by-design mindset addresses the security of systems during the requirements, design, and development phases of lifecycles rather than waiting until the system is ready for implementation. The need for a secure-by-design mindset is exacerbated by the amount of interconnectedness of today’s systems and the increasing amount of automation that characterizes system deve...

An Exploration of Enterprise Technical Debt

April 18, 2023 14:18 - 25 minutes - 32.2 MB

Like all technical debt, enterprise technical debt consists of choices expedient in the short term, but often problematic over the long term. In enterprise technical debt, the impact reaches beyond the scope of a single system or project. Because ignoring enterprise technical debt can have significant consequences, software and systems architects should be alert for it, and they should not let it get overlooked or ignored when they come across it. Enterprise technical debt often results in m...

The Messy Middle of Large Language Models

March 29, 2023 18:44 - 33 minutes - 39.5 MB

The recent growth of applications that leverage large language models, including ChatGPT and Copilot, has spurred reactions ranging from fear and uncertainty to adoration and lofty expectations. In this podcast from the Carnegie Mellon University Software Engineering Institute, Jay Palat, senior engineer and technical director of AI for mission, and Dr. Rachel Dzombak, senior advisor to the director of the SEI’s AI Division, discuss the current landscape of large language models (LLMs), comm...

An Infrastructure-Focused Framework for Adopting DevSecOps

March 21, 2023 15:20 - 43 minutes - 48.9 MB

DevSecOps practices, including continuous-integration/continuous-delivery (CI/CD) pipelines, enable organizations to respond to security and reliability events quickly and efficiently and to produce resilient and secure software on a predictable schedule and budget. Despite growing evidence and recognition of the efficacy and value of these practices, the initial implementation and ongoing improvement of the methodology can be challenging. In this podcast from the Carnegie Mellon University ...

Software Security in Rust

March 15, 2023 13:53 - 18 minutes - 24.6 MB

Rust is growing in popularity. Its unique security model promises memory safety and concurrency safety, while providing the performance of C/C++. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda and Joe Sible, both engineers in the SEI’s CERT Division, talk with principal researcher Suzanne Miller about the Rust programming language and its security-related features. Svoboda and Sible discuss Rust’s compile-time safety guarantees, the ki...

Improving Interoperability in Coordinated Vulnerability Disclosure with Vultron

February 24, 2023 18:56 - 51 minutes - 55.4 MB

Coordinated vulnerability disclosure (CVD) begins when at least one individual becomes aware of a vulnerability, but it can’t proceed without the cooperation of many. Software supply chains, software libraries, and component vulnerabilities have evolved in complexity and have become as much a part of the CVD process as vulnerabilities in vendors’ proprietary code. Many CVD cases now require coordination across multiple vendors. In this podcast from the Carnegie Mellon University Software En...

Asking the Right Questions to Coordinate Security in the Supply Chain

February 07, 2023 22:02 - 31 minutes - 30.9 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Dr. Carol Woody, a principal researcher in the SEI's CERT Division, talks with Suzanne Miller about the SEI’s newly released Acquisition Security Framework, which helps programs coordinate the management of engineering and supply-chain risks across system components including hardware, network interfaces, software interfaces, and mission capabilities.

Securing Open Source Software in the DoD

January 26, 2023 14:59 - 35 minutes - 35.3 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Scott Hissam, a researcher within the SEI’s Software Solutions Division who works on software assurance in Department of Defense (DoD) systems, talks with Linda Parker Gates, initiative lead for the SEI’s Software Acquisition Pathways, about the use of free and open-source software (FOSS) in the DoD, building on insights that surfaced in a recent workshop held for producers and consumers of FOSS for DoD...

A Model-Based Tool for Designing Safety-Critical Systems

December 13, 2022 20:45 - 48 minutes - 47.4 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Dr. Sam Procter and Lutz Wrage, researchers with the SEI, discuss the Guided Architecture Trade Space Explorer (GATSE), a new SEI-developed model-based tool to help with the design of safety-critical systems. The GATSE tool allows engineers to evaluate more design options in less time than they can now. This prototype language extension and software tool partially automates the process of model-based sy...

Managing Developer Velocity and System Security with DevSecOps

December 07, 2022 16:32 - 32 minutes - 31.7 MB

In aiming for correctness and security of a product, as well as for development speed, software development teams often face tension in their objectives. During a recent customer engagement that involved the development of a continuous-integration (CI) pipeline, developers wanted to develop features and deploy to production, deferring non-critical bugs as technical debt, whereas cyber engineers wanted compliant software by having the pipeline fail on any security requirement that was not met. ...

A Method for Assessing Cloud Adoption Risks

November 17, 2022 19:57 - 21 minutes - 22 MB

The shift to a cloud environment provides significant benefits. Cloud resources can be scaled quickly, updated frequently, and widely accessed without geographic limitations. Realizing these benefits, however, requires organizations to manage associated organizational and technical risks. In this podcast from the Carnegie Mellon University Software Engineering Institute, Chris Alberts, principal cybersecurity analyst in the SEI’s CERT Division, discusses with principal researcher Suzanne Mil...

Software Architecture Patterns for Deployability

November 15, 2022 20:07 - 29 minutes - 29.1 MB

Competitive pressures in many domains, as well as development paradigms such as Agile and DevSecOps, have led to the increasingly common practice of continuous delivery or continuous deployment where frequent updates to software systems are rapidly and reliably fielded. In today’s systems, releases can occur at any time—possibly hundreds of releases per day—and each can be instigated by a different team within an organization. Being able to release frequently means that bug fixes and securit...

ML-Driven Decision Making in Realistic Cyber Exercises

October 13, 2022 14:37 - 48 minutes - 47.8 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Thomas Podnar and Dustin Updyke, both senior cybersecurity engineers with the SEI’s CERT Division, discuss their work to apply machine learning to increase the realism of non-player characters (NPCs) in cyber training exercises.

A Roadmap for Creating and Using Virtual Prototyping Software

October 06, 2022 23:50 - 56 minutes - 54.9 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Douglass Post and Richard Kendall, authors of "Creating and Using Virtual Prototyping Software: Principles and Practices", discuss with principal researcher Suzanne Miller experiences and insights that they gleaned from applying virtual prototyping in CREATE (Computational Research and Engineering Acquisition Tools and Environments), a multiyear DoD program to develop and deploy software for systems like ships...

Software Architecture Patterns for Robustness

September 15, 2022 19:17 - 31 minutes - 31.2 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, visiting scientist Rick Kazman and principal researcher Suzanne Miller discuss software architecture patterns and the effect that certain architectural patterns have on quality attributes, such as availability and robustness. Kazman also provides examples of mechanisms—such as architectural tactics and patterns—and the effects they have on availability and robustness, especially in cloud-based systems.

A Platform-Independent Model for DevSecOps

September 08, 2022 17:30 - 23 minutes - 24.4 MB

DevSecOps encompasses all the best software engineering principles known today, with an emphasis on faster delivery through increased collaboration of all stakeholders, resulting in more secure, usable, and higher-quality software systems. In this podcast from the Carnegie Mellon University Software Engineering Institute, researchers Tim Chick and Joe Yankel present a DevSecOps Platform-Independent Model (PIM), which uses model-based systems engineering (MBSE) to formalize the practices of De...

Using the Quantum Approximate Optimization Algorithm (QAOA) to Solve Binary-Variable Optimization Problems

August 18, 2022 12:12 - 27 minutes - 27.6 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Jason Larkin and Daniel Justice, researchers in the SEI’s AI Division, discuss a paper outlining their efforts to simulate the performance of Quantum Approximate Optimization Algorithm (QAOA) for the Max-Cut problem and compare it with some of the best classical alternatives, for exact, approximate, and heuristic solutions.

Trust and AI Systems

August 05, 2022 11:24 - 35 minutes - 35 MB

To ensure trust, artificial intelligence systems need to be built with fairness, accountability, and transparency at each step of the development cycle. In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Smith, a senior research scientist in human-machine interaction, and Dustin Updyke, a senior cybersecurity engineer in the SEI’s CERT Division, discuss the construction of trustworthy AI systems and factors influencing human trust of AI systems.

A Dive into Deepfakes

July 28, 2022 17:41 - 31 minutes - 31.4 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Shannon Gallagher, a data scientist with the SEI’s CERT Division, and Dominic Ross, multimedia team lead for the SEI, discuss deepfakes, their exponential growth in recent years, their increasing technical sophistication, and the problems they pose for individuals and organizations. Gallagher and Ross also discuss the SEI’s recent research in assessing the technology underlying the creation and detection of dee...

Challenges and Metrics in Digital Engineering

July 13, 2022 13:51 - 42 minutes - 42.2 MB

Digital engineering uses digital tools and representations in the process of developing, sustaining, and maintaining systems, including requirements, design, analysis, implementation, and test. The digital modeling approach is intended to establish an authoritative source of truth for the system, in which discipline-specific views of the system are created using the same model elements. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), William “Bill” N...

The 4 Phases of the Zero Trust Journey

July 05, 2022 10:55 - 34 minutes - 34 MB

Over the past several years, zero trust architecture has emerged as an important topic within the field of cybersecurity. Heightened federal requirements and pandemic-related challenges have accelerated the timeline for zero trust adoption within the federal sector. Private sector organizations are also looking to adopt zero trust to bring their technical infrastructure and processes in line with cybersecurity best practices. Real-world preparation for zero trust, however, has not caught up ...

DevSecOps for AI Engineering

June 21, 2022 19:01 - 43 minutes - 42.6 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Hasan Yasar, technical director, Continuous Deployment of Capability at the SEI, and Jay Palat, interim director of AI for Mission in the SEI’s AI Division, discuss how to engineer AI systems with DevSecOps and explore the relationship between MLOps and DevSecOps.

Undiscovered Vulnerabilities: Not Just for Critical Software

June 02, 2022 13:56 - 35 minutes - 34.9 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Jonathan Spring, a senior vulnerability researcher, discusses with Suzanne Miller the findings in a paper he published recently analyzing the number of undiscovered vulnerabilities in information systems. This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing.

Explainable AI Explained

May 16, 2022 18:02 - 25 minutes - 25.8 MB

As the field of artificial intelligence (AI) has matured, increasingly complex opaque models have been developed and deployed to solve hard problems. Unlike many predecessor models, these models, by the nature of their architecture, are harder to understand and oversee. When such models fail or do not behave as expected or hoped, it can be hard for developers and end-users to pinpoint why or determine methods for addressing the problem. Explainable AI (XAI) meets the emerging demands of AI e...

Model-Based Systems Engineering Meets DevSecOps

April 05, 2022 15:29 - 34 minutes - 33.6 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, senior researchers Jerome Hugues and Joe Yankel discuss ModDevOps, an extension of DevSecOps that embraces model-based systems engineering (MBSE) practices and technology. Hugues and Yankel also discuss how making this integration between DevSecOps and MBSE explicit unlocks both the speed of DevSecOps and the risk reduction of MBSE.

Incorporating Supply-Chain Risk and DevSecOps into a Cybersecurity Strategy

March 22, 2022 15:23 - 31 minutes - 31.3 MB

Organizations are turning to DevSecOps to produce code faster and at lower cost, but the reality is that much of the code is actually coming from the software supply chain through code libraries, open source, and third-party components where reuse is rampant. The downside is that this reused code contains defects unknown to the new user, which, in turn, propagate vulnerabilities into new systems. This is troubling news in an operational climate already rife with cybersecurity risk. Organizat...

Software and Systems Collaboration in the Era of Smart Systems

March 09, 2022 15:30 - 26 minutes - 26.1 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), director Paul Nielsen talks with principal researcher Suzanne Miller about how the advent of smart systems has led to a growing need for effective collaboration and cross-pollination between the disciplines of systems engineering and software engineering.

Guests

Grady Booch
1 Episode