Software Engineering Institute (SEI) Podcast Series

426 episodes - English - Latest episode: 14 days ago - ★★★★★ - 18 ratings

The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.


Episodes

Undiscovered Vulnerabilities: Not Just for Critical Software

June 02, 2022 13:56 - 35 minutes - 34.9 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Jonathan Spring, a senior vulnerability researcher, discusses with Suzanne Miller the findings in a paper he published recently analyzing the number of undiscovered vulnerabilities in information systems. This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing. 

Explainable AI Explained

May 16, 2022 18:02 - 25 minutes - 25.8 MB

As the field of artificial intelligence (AI) has matured, increasingly complex opaque models have been developed and deployed to solve hard problems. Unlike many predecessor models, these models, by the nature of their architecture, are harder to understand and oversee. When such models fail or do not behave as expected or hoped, it can be hard for developers and end-users to pinpoint why or determine methods for addressing the problem. Explainable AI (XAI) meets the emerging demands of AI e...

Model-Based Systems Engineering Meets DevSecOps

April 05, 2022 15:29 - 34 minutes - 33.6 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, senior researchers Jerome Hugues and Joe Yankel discuss ModDevOps, an extension of DevSecOps that embraces model-based systems engineering (MBSE) practices and technology. Hugues and Yankel also discuss how making this integration between DevSecOps and MBSE explicit unlocks both the speed of DevSecOps and the risk reduction of MBSE.

Incorporating Supply-Chain Risk and DevSecOps into a Cybersecurity Strategy

March 22, 2022 15:23 - 31 minutes - 31.3 MB

Organizations are turning to DevSecOps to produce code faster and at lower cost, but the reality is that much of the code is actually coming from the software supply chain through code libraries, open source, and third-party components where reuse is rampant. The downside is that this reused code contains defects unknown to the new user, which, in turn, propagate vulnerabilities into new systems. This is troubling news in an operational climate already rife with cybersecurity risk. Organizat...

Software and Systems Collaboration in the Era of Smart Systems

March 09, 2022 15:30 - 26 minutes - 26.1 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), director Paul Nielsen talks with principal researcher Suzanne Miller about how the advent of smart systems has led to a growing need for effective collaboration and cross-pollination between the disciplines of systems engineering and software engineering.

Securing the Supply Chain for the Defense Industrial Base

February 22, 2022 15:26 - 18 minutes - 19.8 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Gavin Jurecko, who leads the Resilience Diagnostics Team, talks with Katie Stewart about risks associated with the supply chains of the defense industrial base (DIB), and how the SEI works with the U.S. Department of Defense to help secure the DIB supply chain.
Building on Ghidra: Tools for Automating Reverse Engineering and Malware Analysis

February 08, 2022 17:58 - 23 minutes - 23.6 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Jeffrey Gennari, a senior malware reverse engineer, and Garret Wassermann, a vulnerability analyst, both with the SEI’s CERT Division, discuss Kaiju, a series of tools that they have developed for malware analysis and reverse engineering. Kaiju helps analysts take better advantage of Ghidra, the National Security Agency’s reverse-engineering tool.

Envisioning the Future of Software Engineering

January 20, 2022 15:45 - 40 minutes - 39.2 MB

In this SEI Podcast, Anita Carleton, director of the Software Solutions Division at the SEI, and Forrest Shull, lead for defense software acquisition policy research in the Software Solutions Division of the SEI, discuss the recently published SEI-led study Architecting the Future of Software Engineering: A National Agenda for Software Engineering Research & Development. In creating this multi-year research and development vision and roadmap for engineering next-generation software-reliant s...

Implementing the DoD's Ethical AI Principles

January 11, 2022 16:55 - 23 minutes - 23.5 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Smith, a senior research scientist in Human Machine Interaction, and Alexandrea Van Deusen, an assistant design researcher, both with the SEI’s AI Division, discuss a recent project in which they helped the Defense Innovation Unit (DIU) of the U.S. Department of Defense develop guidelines for responsible use of artificial intelligence (AI), based on the DoD’s Ethical Principles for AI. These guidelines ...

Walking Fast Into the Future: Evolvable Technical Reference Frameworks for Mixed-Criticality Systems

December 03, 2021 16:04 - 39 minutes - 37.9 MB

In this SEI Podcast, Nickolas Guertin, a senior systems engineer with the SEI’s Software Solutions Division, and Douglas Schmidt, associate provost of research at Vanderbilt University and former chief technical officer at the SEI, discuss strategies for creating architectures for large-scale, complex systems that comprise functions with a wide range of requirements. This is one of the most challenging areas in U.S. Department of Defense acquisition, and this approach and the strategies disc...

Software Engineering for Machine Learning: Characterizing and Understanding Mismatch in ML Systems

November 18, 2021 21:47 - 30 minutes - 30.7 MB

Mismatches between the perspectives and practices of the roles involved in the development and fielding of ML systems—data scientists, software engineers, and operations personnel—can affect the ability of systems to achieve their intended missions. In this SEI Podcast, Grace Lewis, a principal researcher and lead for the Tactical and AI-Enabled Systems Initiative, and Ipek Ozkaya, technical director of Engineering Intelligent Software Systems, discuss their research into characterizing, cod...

A Discussion on Automation with Watts Humphrey Award Winner Rajendra Prasad

November 11, 2021 19:45 - 37 minutes - 36.7 MB

In this SEI Podcast, Mike Konrad, a principal researcher in the SEI's Software Solutions Division, talks with 2020 IEEE Computer Society SEI Watts Humphrey Software Quality Award winner Rajendra Prasad of Accenture about automation and how SEI-developed process improvement methods and tools provided the foundation for his leadership role.

Enabling Transition From Sustainment to Engineering Within the DoD

November 03, 2021 14:58 - 31 minutes - 31.3 MB

Organic software sustainment organizations within the Department of Defense are expanding beyond their traditional purview of software maintenance into software engineering and development. Instead of repairing and maintaining legacy software in already deployed systems, software sustainment teams must now shift to designing and implementing new software architectures and code. Unfortunately, many of these sustainment teams are taking on these new responsibilities without proper guidance and...

The Silver Thread of Cyber in the Global Supply Chain

October 25, 2021 18:56 - 26 minutes - 27 MB

The global supply chain touches every aspect of our lives, from fuel prices to the availability of computer chips and supermarket products. In our latest podcast, Matt Butkovic, technical director of risk and resilience at Carnegie Mellon University’s Software Engineering Institute, discusses with Suzanne Miller the supply chain's silver thread of cyber, specifically how cyber underpins both the cyber supply chain and the broader supply chain. Butkovic’s team recently engaged with the World...

Measuring DevSecOps: The Way Forward

October 15, 2021 14:29 - 39 minutes - 39.2 MB

In this SEI Podcast, Bill Nichols and Hasan Yasar, both with the Carnegie Mellon University Software Engineering Institute, discuss DevSecOps metrics with Suzanne Miller. DevSecOps practices, made possible by improvements in underlying technology that automate the development-to-production pipeline, can generate more information about development and operational performance than has ever been readily available before. Nichols and Yasar discuss the ways in which DevSecOps practices yield v...

Bias in AI: Impact, Challenges, and Opportunities

September 23, 2021 14:35 - 24 minutes - 25.1 MB

In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Smith, a senior research scientist in human-machine interaction, and Jonathan Spring, a senior vulnerability researcher, discuss the hidden sources of bias in artificial intelligence (AI) systems and how systems developers can raise their awareness of bias, mitigate consequences, and reduce risks.

My Story in Computing with Rachel Dzombak

September 17, 2021 15:25 - 35 minutes - 32.7 MB

In this SEI Podcast in the “My Story in Computing” series, Rachel Dzombak discusses her journey, which integrated biomedical, mechanical, and civil engineering, to her current leadership role at the SEI as digital transformation lead in artificial-intelligence (AI) engineering.

Agile Strategic Planning: Concepts and Methods for Success

September 09, 2021 15:50 - 29 minutes - 29.4 MB

The rapid pace of change in software development, in business, and in the world has many organizations struggling to execute daily operations, wrangle big projects, and feel confident that there is a long-term strategy at play. Incorporating agile principles into strategic planning and execution is a highly effective way to drive strategy development, strategy execution, data-driven decision making, and results. In this SEI Podcast, Linda Parker Gates, initiative lead, Software Acquisition P...

Applying Scientific Methods in Cybersecurity

August 24, 2021 16:12 - 39 minutes - 39.5 MB

In this SEI Podcast, Dr. Leigh Metcalf and Dr. Jonathan Spring, both researchers with the Carnegie Mellon University Software Engineering Institute’s CERT Division, discuss the application of scientific methods to cybersecurity. Drawing on their recently published book, Using Science in Cybersecurity, Metcalf and Spring describe a common-sense approach and practical tools for applying scientific rigor to the field of cybersecurity.

Zero Trust Adoption: Benefits, Applications, and Resources

August 13, 2021 13:38 - 30 minutes - 30.7 MB

Zero trust adoption is a security initiative that an enterprise must understand, interpret, and implement. Enterprise security initiatives are never simple, and their goal to improve cybersecurity posture requires the alignment of multiple stakeholders, systems, acquisitions, and exponentially changing technology. This alignment is always a complex undertaking and requires cybersecurity strategy and engineering to succeed. In this SEI Podcast, Geoff Sanders, a senior network defense analyst ...

Uncertainty Quantification in Machine Learning: Measuring Confidence in Predictions 

August 06, 2021 12:01 - 31 minutes - 31.1 MB

In this SEI Podcast, Dr. Eric Heim, a senior machine learning research scientist at Carnegie Mellon University's Software Engineering Institute (SEI), discusses the quantification of uncertainty in machine-learning (ML) systems. ML systems can make wrong predictions and give inaccurate estimates for the uncertainty of their predictions. It can be difficult to predict when their predictions will be wrong. Heim also discusses new techniques to quantify uncertainty, identify causes of uncertain...

11 Rules for Ensuring a Security Model with AADL and Bell–LaPadula

July 29, 2021 14:05 - 48 minutes - 47.2 MB

In this SEI Podcast, Aaron Greenhouse, a senior architecture researcher with Carnegie Mellon University’s Software Engineering Institute, talks with principal researcher Suzanne Miller about use of the Bell–LaPadula mathematical security model in concert with the Architecture Analysis and Design Language (AADL) to model and validate confidentiality. Greenhouse and Miller also discuss 11 analysis rules that must be enforced over an AADL instance to ensure the consistency of a security model. ...

Benefits and Challenges of Model-Based Systems Engineering

July 23, 2021 14:53 - 33 minutes - 32.5 MB

Nataliya (Natasha) Shevchenko and Mary Popeck, both senior researchers in the CERT Division at Carnegie Mellon University’s Software Engineering Institute, discuss the use of model-based systems engineering (MBSE), which, in contrast to document-centric engineering, puts models at the center of system design. MBSE is used to support the requirements, design, analysis, verification, and validation associated with the development of complex systems.

Fostering Diversity in Software Engineering

July 16, 2021 14:41 - 29 minutes - 29.6 MB

In this SEI Podcast, Grace Lewis hosts a panel discussion with Ipek Ozkaya, Nathan West, and Jay Palat about diversity in software engineering. The panelists, all researchers with the Carnegie Mellon University Software Engineering Institute, share their perspectives about their own experiences in the software engineering field, the value of diversity to enhance problem solving from multiple perspectives, and strategies for supporting and encouraging underrepresented groups to become involve...

Can DevSecOps Make Developers Happier?

June 24, 2021 14:01 - 41 minutes - 40.5 MB

Author Daniel H. Pink recently examined the factors that lead to job satisfaction among knowledge workers and summarized them in three components: autonomy, skill mastery, and purpose. In this SEI Podcast, Hasan Yasar, technical director of Continuous Deployment of Capability at Carnegie Mellon University’s Software Engineering Institute, relates these components to DevSecOps and summarizes a recent survey affirming that DevSecOps practices do indeed make developers and other stakeholders in...

Is Your Organization Ready for AI?

June 22, 2021 20:49 - 30 minutes - 30.2 MB

In this SEI Podcast, digital transformation lead Dr. Rachel Dzombak and research scientist Carol Smith, both with the SEI’s Emerging Technology Center at Carnegie Mellon University, discuss how AI Engineering can support organizations in implementing AI systems. The conversation covers the steps that organizations need to take (as well as the hard conversations that need to occur) before they are AI ready.

My Story in Computing with Marisa Midler

June 11, 2021 19:40 - 27 minutes - 27 MB

In this SEI Podcast, the latest in the My Story in Computing series, Marisa Midler, a cybersecurity engineer in the SEI’s CERT Division, discusses her career path. After growing up on a farm in Pennsylvania, Midler graduated from college with a degree in communications and English writing and then traveled to Seattle and worked a variety of jobs, including as a bouncer at a Seattle night club. Midler returned to Pittsburgh to obtain a second bachelor’s degree in information science followed ...

Managing Vulnerabilities in Machine Learning and Artificial Intelligence Systems

June 04, 2021 14:44 - 40 minutes - 41.2 MB

The robustness and security of artificial intelligence, and specifically machine learning (ML), is of vital importance. Yet, ML systems are vulnerable to adversarial attacks. These can range from an attacker attempting to make the ML system learn the wrong thing (data poisoning), do the wrong thing (evasion attacks), or reveal the wrong thing (model inversion). Although there are several efforts to provide detailed taxonomies of the kinds of attacks that can be launched against a machine lea...

AI Workforce Development

May 20, 2021 23:30 - 35 minutes - 35.1 MB

In this SEI Podcast, Rachel Dzombak and Jay Palat discuss growth in the field of artificial intelligence (AI) and how organizations can hire and train staff to take advantage of the opportunities afforded by AI and machine learning—and the critical need for an AI engineering discipline to grow the AI workforce.

Moving from DevOps to DevSecOps

May 13, 2021 11:21 - 40 minutes - 61.5 MB

DevSecOps is a set of principles and practices that provide faster delivery of secure software capabilities by improving the collaboration and communication between software development teams, IT operations, and security staff within an organization, as well as with acquirers, suppliers, and other stakeholders in the life of a software system. In this SEI podcast, Hasan Yasar, technical director of the Continuous Deployment of Capability group in the Software Solutions Division of the SEI, d...

My Story in Computing with David Zubrow

April 29, 2021 20:51 - 37 minutes - 37.3 MB

In this SEI Podcast, the latest in the “My Story in Computing” series, which explores the unique paths people take into the field of computing, David Zubrow discusses his path from a PhD in applied history and social sciences and an administrative position at Carnegie Mellon University to a career as a manager and technical leader at the SEI.

Mission-Based Prioritization: A New Method for Prioritizing Agile Backlogs

April 23, 2021 19:08 - 13 minutes - 14.1 MB

In this SEI Podcast, Keith Korzec discusses the Mission-Based Prioritization method for prioritizing Agile backlogs. This method overcomes the shortcomings of prioritization based on “weighted shortest job first” and utilizes objective, mission-focused criteria while allowing ongoing re-prioritization to be conducted with minimal overhead.

My Story in Computing with Carol Smith

April 09, 2021 14:48 - 16 minutes - 17.5 MB

Those who work in computing today bring a wide array of backgrounds and experiences to the profession. In this podcast, part of the My Story in Computing series, Carol Smith, who trained as a photojournalist, discusses how a love of telling people’s stories led to a career in human-computer interaction working in artificial intelligence with the SEI’s Emerging Technology Center.

Digital Engineering and DevSecOps

March 16, 2021 12:55 - 30 minutes - 30.6 MB

Digital engineering is an integrated digital approach that uses authoritative sources of systems data and models as a continuum across disciplines to support lifecycle activities from concept through disposal. With digital engineering, models are developed for everything, not just for software, but for all components of a system of systems, hardware and software. The models and associated data are stored in a singular repository of knowledge and are the single source that is used by all cont...

A 10-Step Framework for Managing Risk

March 09, 2021 13:48 - 30 minutes - 30.2 MB

Brett Tucker, a technical manager for cyber risk in the SEI CERT Division, discusses the Operationally Critical Threat, Asset, and Vulnerability Evaluation for the Enterprise (OCTAVE FORTE) Model, which helps organizations evaluate security risks and use principles of enterprise risk management to bridge the gap between executives and practitioners. In this SEI Podcast, Tucker outlines OCTAVE FORTE's 10-step framework to guide organizations in managing risk.

7 Steps to Engineer Security into Ongoing and Future Container Adoption Efforts

February 23, 2021 15:12 - 20 minutes - 19.4 MB

If organizations take more steps to address security-related activities now, they will be less likely to encounter security incidents in the future. When it comes to application containers, security is achieved through adopting a series of best practices and guidelines. In this SEI Podcast, Tom Scanlon and Richard Laughlin, researchers with the SEI's CERT Division, discuss seven steps that developers can take to engineer security into ongoing and future container adoption efforts.

Ransomware: Evolution, Rise, and Response

February 16, 2021 18:22 - 32 minutes - 33.1 MB

In this SEI Podcast, Marisa Midler and Tim Shimeall, network defense analysts within the SEI's CERT Division, discuss the growing problem of ransomware, including the rise of ransomware-as-a-service threats. Ransom payments from Quarter 3 of 2019 were on average $42,000, and in Quarter 1 of 2020 that average increased by $70,000 to $112,000. The volume of attacks also increased by 25 percent in Quarter 4 of 2019 and by another 25 percent in Quarter 1 of 2020. The sophistication of the attacks h...

VINCE: A Software Vulnerability Coordination Platform

January 21, 2021 16:11 - 38 minutes - 37.8 MB

Software vulnerability coordination at the CERT Coordination Center (CERT/CC) has traditionally relied on a hub-and-spoke model, with reports submitted to CERT/CC analysts, who would then contact affected vendors. To scale communications and increase the level of collaboration between vulnerability reporters, coordinators, and software vendors, the CERT/CC team has created a web-based platform for software vulnerability reporting and coordination called the Vulnerabi...

Work From Home: Threats, Vulnerabilities, and Strategies for Protecting Your Network

January 06, 2021 18:40 - 46 minutes - 44.8 MB

The COVID-19 pandemic has forced significant changes in enterprise work practices, including an increased use of telecommunications technologies required by the new work-from-home policies that most organizations have instituted in response. In this podcast, Phil Groce, a senior network defense analyst in the CERT Division of the Carnegie Mellon University Software Engineering Institute, discusses the security implications of this dramatic increase in the number of people in organizations wh...

An Introduction to CMMC Assessment Guides

December 08, 2020 18:25 - 8 minutes - 9.36 MB

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from D...
The CMMC Level 3 Assessment Guide: A Closer Look

December 07, 2020 16:11 - 13 minutes - 14.4 MB

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from D...

The CMMC Level 1 Assessment Guide: A Closer Look

December 07, 2020 15:13 - 20 minutes - 20.8 MB

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from D...

Achieving Continuous Authority to Operate (ATO)

November 24, 2020 23:24 - 33 minutes - 40 MB

Authority to Operate (ATO) is a process that certifies a system to operate for a certain period of time by evaluating the risk of the system's security controls. ATO is based on the National Institute of Standards and Technology’s Risk Management Framework (NIST 800-37). In this podcast, Shane Ficorilli and Hasan Yasar, both with the Carnegie Mellon University Software Engineering Institute, discuss continuous ATO, including challenges, the role of DevSecOps, and cultural issues that organiz...

Challenging the Myth of the 10x Programmer

November 09, 2020 15:41 - 16 minutes - 20.9 MB

A pervasive belief in software engineering is that some programmers are much, much better than others (the times-10, or 10x, programmer), and that the skills, abilities, and talents of these programmers exert an outsized influence on their organizations’ success or failure. Bill Nichols, a researcher with the Carnegie Mellon University Software Engineering Institute, recently examined the veracity and relevance of this widely held notion. Using data from a study conducted at the SEI, Nichols ...

A Stakeholder-Specific Approach to Vulnerability Management

October 27, 2020 11:43 - 37 minutes - 44.2 MB

Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This podcast—which highlights the latest work in prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with CVSS. SSVC takes the form of decision trees for different vulnerability management communities. During this podcast, CERT vulnerability researchers Eric Hatlebac...

Optimizing Process Maturity in CMMC Level 5

October 13, 2020 16:06 - 9 minutes - 10.5 MB

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from D...

Reviewing and Measuring Activities for Effectiveness in CMMC Level 4

October 07, 2020 14:17 - 13 minutes - 14.2 MB

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from D...

Situational Awareness for Cybersecurity: Beyond the Network

September 30, 2020 20:22 - 25 minutes - 31 MB

Situational awareness makes it possible to get relevant information from across an organization, to integrate that information, and to disseminate it to help leaders make more informed decisions. In this SEI Podcast, Angela Horneman and Timothy Morrow, researchers in the SEI's CERT Division, discuss the importance of looking beyond the network to acquire situational awareness for cybersecurity.