Software Engineering Institute (SEI) Podcast Series
426 episodes - English - Latest episode: 14 days ago - ★★★★★ - 18 ratingsThe SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.
Homepage Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Episodes
Becoming a CISO: Formal and Informal Requirements
October 19, 2016 17:00 - 23 minutes - 16.2 MBWhether you are a CISO, CISO equivalent, or have another title with organizational cybersecurity responsibilities, the role you play in your organization to protect and sustain the key information and technical assets needed to achieve the mission is critical in today’s landscape of data breaches, nation-state hackers, and increased threats to the business. In this podcast, Darrell Keeling, Vice President of Information Security and HIPAA Security Officer at Parkview Health, discusses the kn...
Predicting Quality Assurance with Software Metrics and Security Methods
October 13, 2016 17:00 - 11 minutes - 21.2 MBTo ensure software will function as intended and is free of vulnerabilities (aka software assurance), software engineers must consider security early in the lifecycle, when the system is being designed and architected. Recent research on vulnerabilities supports this claim: Nearly half the weaknesses identified in the Common Weakness Enumeration (CWE) repository have been identified as design weaknesses. These weaknesses are introduced early in the lifecycle and cannot be patched away in late...
Network Flow and Beyond
September 29, 2016 17:00 - 24 minutes - 45.9 MBBy the close of 2016, annual global IP traffic will pass the zettabyte ([ZB]; 1000 exabytes [EB]) threshold and will reach 2.3 ZBs per year by 2020, according to Cisco's Visual Networking Index. While capturing and evaluating network traffic enables defenders of large-scale organizational networks to generate security alerts and identify intrusions, operators of networks with even comparatively modest size struggle with building a full, comprehensive view of network activity. To make wise sec...
A Community College Curriculum for Secure Software Development
September 15, 2016 17:00 - 20 minutes - 37.8 MBIn this podcast, Girish Seshagiri discusses a two-year community college software assurance program that he developed and facilitated with SEI Fellow Nancy Mead at Illinois Community College. The two-year degree program in secure software development, which is based on the SEI’s software assurance curriculum, is the result of a collaboration between Central Illinois Center of Excellence for Secure Software and Illinois Central College. The program, which also incorporates an apprenticeship mo...
Security and the Internet of Things
August 25, 2016 17:00 - 17 minutes - 31.8 MBInternet-connected devices—from cars, insulin pumps, and baby monitors to thermostats and coffee makers—are growing in number and complexity. Most of these Internet of Things (IoT) devices weren’t built with connectivity and security in mind, leaving them vulnerable to attacks. In this podcast, CERT researcher Art Manion discusses work that his team is doing with the Department of Homeland Security to examine and secure IoT devices. Listen on Apple Podcasts.
The SEI Fellow Series: Nancy Mead
August 10, 2016 17:00 - 28 minutes - 53.4 MBThe position of SEI Fellow is awarded to people who have made an outstanding contribution to the work of the SEI and from whom the SEI leadership may expect valuable advice for continued success in the institute's mission. Nancy Mead, a principal researcher in the SEI’s CERT Division, was named an SEI Fellow in 2013. This podcast is the first in a series highlighting interviews with SEI Fellows. Listen on Apple Podcasts.
An Open Source Tool for Fault Tree Analysis
July 28, 2016 17:00 - 14 minutes - 26.6 MBSafety-critical software must be analyzed and checked carefully. Each potential error, failure, or defect must be considered and evaluated before you release a new product. For example, if you are producing a quadcopter drone, you would like to know the probability of engine failure to evaluate the system's reliability. Safety analysis is hard. Standards such as ARP4761 mandate several analyses, such as Functional Hazard Assessment and Failure Mode and Effect Analysis. One popular type of saf...
Global Value Chain – An Expanded View of the ICT Supply Chain
July 18, 2016 17:00 - 30 minutes - 20.7 MBOrganizations “are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the organizations’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well...
Intelligence Preparation for Operational Resilience
June 21, 2016 17:00 - 27 minutes - 18.5 MBIntelligence preparation for Operational Resilience (IPOR) is a structured framework that decision makers can use to: •identify intelligence needs •consume the information received by intelligence sources •make informed decisions about the organization and courses of action In this podcast, Douglas Gray, a member of the CERT Cyber Risk Management team, discusses how to operationalize intelligence products to build operational resilience of organizational assets and services using IPOR. Lis...
Evolving Air Force Intelligence with Agile Techniques
May 26, 2016 17:00 - 17 minutes - 31.5 MBIn the past decade, the U.S. Air Force has built up great capability with the Distributed Common Ground System (AF DCGS), the Air Force’s primary weapon system for intelligence, surveillance, reconnaissance, planning, direction, collection, processing, exploitation, analysis, and dissemination. AF DCGS employs a global communications architecture that connects multiple intelligence platforms and sensors. In this podcast, Harry Levinson discusses the SEI’s work with the Air Force to further ev...
Threat Modeling and the Internet of Things
May 12, 2016 17:00 - 17 minutes - 16.2 MBThreat modeling, which has been popularized by Microsoft in the last decade, provides vulnerability analysts a means to analyze a system and identify various attack surfaces and use that knowledge to bolster a system against vulnerabilities. In this podcast, Art Manion and Allen Householder of CERT’s vulnerability analysis team, talk about threat modeling and its use in improving security of the Internet of Things. Listen on Apple Podcasts.
Open Systems Architectures: When & Where to Be Closed
April 14, 2016 17:00 - 19 minutes - 18.2 MBDue to advances in hardware and software technologies, Department of Defense (DoD) systems today are highly capable and complex. However, they also face increasing scale, computation, and security challenges. Compounding these challenges, DoD systems were historically designed using stove-piped architectures that lock the government into a small number of system integrators, each devising proprietary point solutions that are expensive to develop and sustain over the lifecycle. Although these ...
Effective Reduction of Avoidable Complexity in Embedded Systems
March 18, 2016 17:00 - 18 minutes - 17 MBSafety-critical systems are becoming extremely software-reliant. Software complexity can increase total acquisition costs as much as 16 percent. The Effective Reduction of Avoidable Complexity in Embedded Systems (ERACES) project aims to identify and remove complexity in software models. At the same time, safety-critical development is shifting from traditional programming (e.g., Ada, C) to modeling languages (e.g., Simulink, SCADE). In this podcast, Julien Delange discusses the Effective Red...
Toward Efficient and Effective Software Sustainment
March 18, 2016 17:00 - 23 minutes - 21.4 MBThe Department of Defense (DoD) must focus on sustaining legacy weapons systems that are no longer in production, but are expected to remain a key component of our defense capability for decades to come. Despite the fact that these legacy systems are no longer in the acquisition phase, software upgrade cycles are needed to refresh their capabilities every 18 to 24 months. In addition, significant modernization can often be made by more extensive, focused software upgrades with relatively mode...
Quality Attribute Refinement and Allocation
March 08, 2016 17:00 - 24 minutes - 22 MBWe know from existing SEI work on attribute-driven design, Quality Attribute Workshops, and the Architecture Tradeoff Analysis Method that a focus on quality attributes prevents costly rework. Such a long-term perspective, however, can be hard to maintain in a high-tempo, agile delivery model, which is why the SEI continues to recommend an architecture-centric engineering approach, regardless of the software methodology chosen. As part of our work in value-driven incremental delivery, we cond...
Is Java More Secure Than C?
February 19, 2016 17:00 - 17 minutes - 16.3 MBWhether Java is more secure than C is a simple question to ask, but a hard question to answer well. When researchers on the CERT Secure Coding Team began writing the SEI CERT Oracle Coding Standard for Java, they thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. They also assumed that a more secure language would need fewer rules than a less secure one. However, Java has 168 coding rules compared to j...
Identifying the Architectural Roots of Vulnerabilities
February 04, 2016 17:00 - 23 minutes - 21.7 MBIn our studies of many large-scale software systems, we have observed that defective files seldom exist alone. They are usually architecturally connected, and their architectural structures exhibit significant design flaws that propagate bugginess among files. We call these flawed structures the architecture roots, a type of technical debt that incurs high maintenance penalties. Removing the architecture roots of bugginess requires refactoring, but the benefits of refactoring have historicall...
Build Security In Maturity Model (BSIMM) – Practices from Seventy Eight Organizations
February 03, 2016 17:00 - 31 minutes - 21.6 MBThe Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives. It is built directly from data observed in 78 software security initiatives from firms in nine market sectors. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing as described in the model. You can then identify goals and objectives and refer to the BSIMM to determine which additional ac...
An Interview with Grady Booch
January 12, 2016 17:00 - 18 minutes - 16.7 MBGrady Booch recently delivered a presentation as part of the SEI’s CTO Distinguished Speaker Series where he discussed his perspectives on the biggest challenges for the future of software engineering. During his visit to the SEI, he sat down for an interview with SEI Fellow Nancy Mead for the SEI Podcast Series. Booch will be a keynote speaker at SATURN 2016. Please click the related link below for additional details. Listen on Apple Podcasts.
Structuring the Chief Information Security Officer Organization
December 23, 2015 17:00 - 31 minutes - 21.5 MBChief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today’s increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most appl...
How Cyber Insurance Is Driving Risk and Technology Management
November 09, 2015 17:00 - 21 minutes - 9.78 MBEvery day another story arises about a significant breach at a major company or Government agency. Increasingly, cybersecurity is being viewed as a risk management issue by CEOs and boards of directors. So how does corporate America address risk? Insurance. Since, like a natural disaster, a company cannot completely avoid cyber attacks, the next best option is to mitigate the impact these attacks can have. [1]In this podcast, Chip Block, Vice President at Evolver, discusses the growth of the ...
A Field Study of Technical Debt
October 15, 2015 17:00 - 19 minutes - 18.3 MBIn their haste to deliver software capabilities, developers sometimes engage in less-than-optimal coding practices. If not addressed, these shortcuts can ultimately yield unexpected rework costs that offset the benefits of rapid delivery. Technical debt conceptualizes the tradeoff between the short-term benefits of rapid delivery and long-term value. Taking shortcuts to expedite the delivery of features in the short term incurs technical debt, analogous to financial debt, that must be paid of...
How the University of Pittsburgh Is Using the NIST Cybersecurity Framework
October 01, 2015 17:00 - 23 minutes - 10.9 MBIn this podcast, Sean Sweeney, Information Security Officer (ISO) for the University of Pittsburgh (Pitt), discusses their use of the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework). The University of Pittsburgh is a large, decentralized institution with a diverse population of networks and information types. The challenge of balancing academic freedom with security and protection of research data is put to the test every day. The use of the CSF, created by...
A Software Assurance Curriculum for Future Engineers
September 24, 2015 17:00 - 19 minutes - 17.9 MBModern society is deeply and irreversibly dependent on software systems of remarkable scope and complexity in areas that are essential for preserving our way of life. Software assurance is critical to ensuring our confidence in these systems and that they are free from vulnerabilities, function in the intended manner, and provide security capabilities appropriate to the threat environment. In this podcast, Dr. Nancy Mead discusses how, with support from the Department of Homeland Security, SE...
Four Types of Shift Left Testing
September 10, 2015 17:00 - 26 minutes - 24.7 MBOne of the most important and widely discussed trends within the software testing community is shift left testing, which simply means beginning testing as early as practical in the lifecycle. What is less widely known, both inside and outside the testing community, is that testers can employ four fundamentally-different approaches to shift testing to the left. Unfortunately, different people commonly use the generic term shift left to mean different approaches, which can lead to serious misun...
Capturing the Expertise of Cybersecurity Incident Handlers
August 27, 2015 17:00 - 26 minutes - 11.9 MBIn this podcast, Dr. Richard Young, a professor with Carnegie Mellon’s Tepper School of Business, teams with Sam Perl, a member of the CERT Division’s Enterprise Threat and Vulnerability Management team, to discuss their research on how expert cybersecurity incident handlers think, learn, and act when faced with an incident. The research study focuses on critical cognitive factors that such experts use to make decisions when faced with a complex incident, including how to deal with critical i...
Toward Speed and Simplicity: Creating a Software Library for Graph Analytics
August 27, 2015 17:00 - 15 minutes - 14.3 MBHigh performance computing is now central to the federal government and industry as evidenced by the shift from single-core and multi-core or homogeneous central processing units, also known as CPUs, to many core and heterogeneous systems that also include other types of processors like graphics processing units, also known as GPUs.In this podcast, Scott McMillan and Eric Werner of the SEI’s Emerging Technology Center discuss work to create a software library for graph analytics that would ta...
Improving Quality Using Architecture Fault Analysis with Confidence Arguments
August 13, 2015 17:00 - 18 minutes - 16.5 MBIn this podcast, Peter Feiler discusses a case study that demonstrates how an analytical architecture fault-modeling approach can be combined with confidence arguments to diagnose a time-sensitive design error in a control system and to provide evidence that proposed changes to the system address the problem. The analytical approach, based on the SAE Architecture Analysis and Design Language for its well-defined timing and fault-behavior semantics, demonstrates that such hard-to-test errors c...
A Taxonomy of Testing Types
July 30, 2015 17:00 - 16 minutes - 15.2 MBA surprisingly large number of different types of testing exist and are used during the development and operation of software-reliant systems. While most testers, test managers, and other testing stakeholders are quite knowledgeable about a relatively small number of testing types, many people know very little about most of them and are unaware that others even exist. Understanding these different types of testing is important because different types of testing tend to uncover different type...
Reducing Complexity in Software & Systems
July 16, 2015 17:00 - 19 minutes - 17.5 MBSystems are increasingly software-reliant and interconnected, making design, analysis and evaluation harder than in the past. While new capabilities are welcome, they require more thorough validation. Complexity could mean that design flaws or defects could lead to hazardous conditions that are undiscovered and unresolved. In this podcast, Dr. Sarah Sheard discusses a two-year research project to investigate the nature of complexity, how it manifests in software-reliant systems, such as avion...
Designing Security Into Software-Reliant Systems
June 25, 2015 17:00 - 11 minutes - 10.7 MBSoftware is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions are also increasing. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. However, the costs required to control security risks increase significantly when organizations wait until systems are deployed to address tho...
Agile Methods in Air Force Sustainment
June 11, 2015 17:00 - 12 minutes - 11.4 MBFor several years, the Software Engineering Institute has researched the viability of Agile software development methods within Department of Defense programs and barriers to the adoption of those methods. In this podcast, SEI researcher Eileen Wrubel discusses how software sustainers leverage Agile methods and avoid barriers to using Agile methods. Listen on Apple Podcasts.
Defect Prioritization With the Risk Priority Number
May 28, 2015 17:00 - 17 minutes - 16.2 MBMost software systems have some "defects" that are identified by users. Some of these are truly defects in that the requirements were not properly implemented; some are caused by changes made to other systems; still others are requests for enhancement – improvements that would improve the users' experience. These "defects" are generally stored in a database and are worked off in a series of incrementally delivered updates. For most systems, it is not financially feasible to fix all of the c...
SEI-HCII Collaboration Explores Context-Aware Computing for Soldiers
May 14, 2015 17:00 - 20 minutes - 18.6 MBAs the number of sensors on smart phones continues to grow, these devices can automatically track data from the user's environment, including geolocation, time of day, movement, and other sensor data. Making sense of this data in an ethical manner that respects the privacy of smartphone users is just one of the many challenges faced by researchers. In this podcast, Dr. Anind Dey, director of the Human Computer Interaction Institute (HCII) at CMU, and Dr. Jeff Boleng, principal researcher at t...
An Introduction to Context-Aware Computing
April 23, 2015 17:00 - 19 minutes - 17.8 MBAs the number of sensors on smart phones continues to grow, these devices can automatically track data from the user's environment, including geolocation, time of day, movement, and other sensor data. Making sense of this data in an ethical manner that respects the privacy of smartphone users is just one of the many challenges faced by researchers. In this podcast, the first in a two-part series, Dr. Anind Dey and Dr. Jeff Boleng introduce context-aware computing and explore other issues rela...
Data Driven Software Assurance
April 09, 2015 17:00 - 30 minutes - 20.8 MBSoftware vulnerabilities are defects or weaknesses in a software system that, if exploited, can lead to compromise of the control of a system or the information it contains. The problem of vulnerabilities in fielded software is pervasive and serious. In 2012, SEI researchers began investigating vulnerabilities reported to the SEI's CERT Division and determined that a large number of significant and pernicious software vulnerabilities likely had their origins early in the software development ...
Supply Chain Risk Management: Managing Third Party and External Dependency Risk
March 26, 2015 17:00 - 28 minutes - 12.9 MBOne caveat of outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust they will do the right thing with their data.In this podcast, Matt Butkovic, the Technical Manager of CERT’s Cybersecurity Assurance Team, and John Haller, a member of Matt’s team, discuss approaches for more effectively managing supply chain risks, focusing on risks arising from...
Applying Agile in the DoD: Twelfth Principle
March 26, 2015 17:00 - 12 minutes - 11.2 MBIn this episode, the 12th and final podcast in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the 12th principle: at regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly. Listen on Apple Podcasts.
Introduction to the Mission Thread Workshop
March 12, 2015 17:00 - 23 minutes - 21.8 MBIn Department of Defense programs, a system of systems (SoS) is integrated to accomplish a number of missions that involve cooperation among individual systems. Understanding the activities conducted within each system and how they interoperate to accomplish the missions of the SoS is of vital importance. A mission thread is a sequence of end-to-end activities and events, given as a series of steps, that accomplish the execution of one or more capabilities that the SoS supports. However, list...
Applying Agile in the DoD: Eleventh Principle
February 26, 2015 17:00 - 14 minutes - 12.9 MBIn this episode, the 11th in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the 11th principle: the best architectures, requirements, and designs emerge from self-organizing teams. Listen on Apple Podcasts.
A Workshop on Measuring What Matters
February 20, 2015 17:00 - 30 minutes - 14 MBThis podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team’s experiences in planning and executing the workshop, and identifying improvements for future offerings. The Measuring What Matters Workshop introduces the Goal-Question-Indicator-Metric (GQIM) approach that enables users to derive meaningful metrics for managing cybersecurity risks from strategic and business objectives. This approach helps ensure that organizational leaders have be...
Applying Agile in the DoD: Tenth Principle
February 12, 2015 17:00 - 13 minutes - 12.8 MBIn this episode, the tenth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the tenth principle: Simplicity—the art of maximizing the amount of work not done—is essential. Listen on Apple Podcasts.
Predicting Software Assurance Using Quality and Reliability Measures
January 29, 2015 17:00 - 19 minutes - 17.4 MBSecurity vulnerabilities are defects that enable an external party to compromise a system. Our research indicates that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and hence improves software security. Some portion of security vulnerabilities (maybe over half of them) are also quality defects. Can quality defect models that predict quality results be applied to security to predict security results? Simple defect models focus on an enum...
Applying Agile in the DoD: Ninth Principle
January 16, 2015 17:00 - 17 minutes - 16.1 MBIn this episode, the ninth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the ninth principle: continuous attention to technical excellence and good design enhances Agile. Listen on Apple Podcasts.
Cyber Insurance and Its Role in Mitigating Cybersecurity Risk
January 08, 2015 17:00 - 37 minutes - 17.1 MBThe goal of any cybersecurity investment is to reduce the potential impact from cyber risk. Initial investments should be in capability development—the implementation of controls to protect and sustain operations that depend on technology. As capability increases, additional capability investments produce diminishing returns—the curve flattens. At that point, investment in cyber insurance becomes an efficient means to further reduce risk.In this podcast, Jim Cebula, the Technical Manager of C...
AADL and Dassault Aviation
December 18, 2014 17:00 - 8 minutes - 8.17 MBIn 2013, the AADL Standards meeting was held at SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there, and we interviewed several members of the AADL Standards Committee. This podcast is the fourth in a series based on these interviews. Listen on Apple Podcasts.
Tactical Cloudlets
December 04, 2014 17:00 - 32 minutes - 29.7 MBSoldiers in battle or emergency workers responding to a disaster often find themselves in environments with limited computing resources, rapidly-changing mission requirements, high levels of stress, and limited connectivity, which are often referred to as “tactical edge environments.” These types of scenarios make it hard to use mobile software applications that would be of value to soldiers or emergency personnel, including speech and image recognition, natural language processing, and situa...
Agile Software Teams and How They Engage with Systems Engineering on DoD Acquisition Programs
November 27, 2014 17:00 - 11 minutes - 10.8 MBPart of a series exploring Agile in the Department of Defense, this podcast addresses key issues that occur when Agile software teams engage with systems engineering functions in the development and acquisition of software-reliant systems. Published acquisition guidance still largely focuses on a system perspective, and fundamental differences exist between systems engineering and software engineering approaches. Those differences are compounded when Agile becomes a part of the mix, rather th...
Coding with AADL
November 13, 2014 17:00 - 20 minutes - 18.4 MBGiven that up to 70 percent of system errors are introduced during the design phase, stakeholders need a modeling language that will ensure both requirements enforcement during the development process and the correct implementation of these requirements. Previous work demonstrates that using the Architecture Analysis and Design Language (AADL) early in the development process not only helps detect design errors before implementation but also supports implementation efforts and produces high-q...
The State of Agile
October 30, 2014 17:00 - 28 minutes - 25.7 MBIn September 2014, Alistair Cockburn met with researchers at the SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there as Cockburn sat down with Suzanne Miller to discuss his unique perspective as one of the creators of the Agile manifesto and his viewpoint on the current state of Agile adoption. Listen on Apple Podcasts.