David Svoboda, CERT® Software Security Engineer, demonstrates the Source Code Analysis Laboratory (SCALe): Running Fortify. We do research and development to create tools to support creation of secure code right from the start, and analytical tools to detect code vulnerabilities. We also work with the software development and security communities to research and develop secure coding standards for commonly used programming languages and for smartphone platforms (Android, iOS, Win8). http://www.sei.cmu.edu/legal/index.cfm
Watch Grady Booch discuss Architecting the Unknown
Watch Will Hayes in this SEI Cyber Minute as he discusses "Cadence in Agile Development."
Jay McAllister of the SEI describes what "cyber intelligence" is.
Watch Michael Keeling and Joe Runde deliver their SATURN 2017 talk "From REST to gRPC: An API Evolution Story."
Watch Michael Keeling and Joe Runde deliver their SATURN 2017 talk "Architecture Decision Records in Action."
Watch Larry Rogers in this SEI Cyber Minute as he discusses "Teaching Investigators How To Investigate Crimes with a Cyber Component."
In this webinar, SEI researchers and an industry colleague discussed in two talks What Makes a Good Software Architect? For training the SEI offers in the area of software architecture please see: https://www.sei.cmu.edu/education-outreach/courses/index.cfm Or for information on our annual software architecture conference (SATURN) see: https://resources.sei.cmu.edu/news-events/events/saturn/
Watch Bob Schiela in this SEI Cyber Minute as he discusses the "CERT Secure Coding Certificates". For more information on this program please see: http://cert.org/go/secure-coding/
Watch Hasan Yasar discuss "Integrating Security in DevOps" in the SEI Blog & Podcast Series video.
David Svoboda, CERT® Software Security Engineer, demonstrates the Source Code Analysis Laboratory (SCALe): Coverity. We do research and development to create tools to support creation of secure code right from the start, and analytical tools to detect code vulnerabilities. We also work with the software development and security communities to research and develop secure coding standards for commonly used programming languages and for smartphone platforms (Android, iOS, Win8). http://www.sei.cmu.edu/legal/index.cfm
Watch Lisa Young in this SEI Cyber Minute as she discusses "CERT Resilience Management Model (RMM)".
SEI Podcast Series: Improving Cybersecurity Through Cyber Intelligence with Jared Ettinger.
Learn why secure coding practices are important to reduce common programming errors that lead to vulnerabilities.
David Svoboda, CERT® Software Security Engineer, demonstrates the Source Code Analysis Laboratory (SCALe): Coverity GUI. We do research and development to create tools to support creation of secure code right from the start, and analytical tools to detect code vulnerabilities. We also work with the software development and security communities to research and develop secure coding standards for commonly used programming languages and for smartphone platforms (Android, iOS, Win8). http://www.sei.cmu.edu/legal/index.cfm
Watch Emily Sarneso of the Software Engineering Institute discuss Finding a Needle in PCAP.
The SEI serves the nation as a Federally Funded Research and Development Center (FFRDC) sponsored by the U.S. Department of Defense (DoD) and is based at Carnegie Mellon University, a global research university annually rated among the best for its programs in computer science and engineering. Our staff works with the highest levels of U.S. government and industry to secure the nation's critical infrastructure, improve mission-critical systems, and advance the state of the art.
Watch Grace Lewis in this SEI Cyber Minute as she discusses "Tactical Cloudlets".
SEI Podcast Series: Moving Target Defense with Andrew Mellinger.
Watch SEI Researcher, Grace Lewis, discuss "Authentication and Authorization for Internet of Things (IoT) Devices in Edge Environments".
Watch James McHale in this SEI Cyber Minute as he discusses "Defects in Software".
Watch Mike Cook in this SEI Cyber Minute as he discusses "Penetration Testing".
Watch Summer Fowler as she discusses "Cyber Risk Appetite" in this SEI Cyber Minute.
Watch Daniel Jackson from the MIT Computer Science and Artificial Intelligence Laboratory discuss "Rethinking Software Design."
Watch Paul Rayner deliver his SATURN 2017 talk "EventStorming: Collaborative Learning for Complex Domains."
Watch Summer Fowler as she discusses "Cyber Security Risk Oversight" in this SEI Cyber Minute.
Shane Ficorilli explains some of the requirements for successfully implementing DevOps in your organization, including how to establish a complete deployment pipeline.
SEI Podcast Series: Technical Debt as a Core Software Engineering Practice by Ipek Ozkaya
Here at the Software Engineering Institute, we have created a new tool prototype that helps explore a system’s design tradespace. The tradespace is the possible combinations of system software, hardware, and configuration options. Our prototype – which combines previous work here at the SEI with software developed at Penn State University – enables system designers to evaluate design options in the tradespace rapidly and automatically. You can find more on guided design tradespace exploration in these SEI resources: SEI Cyber Minutes video • Safety-Critical Design by Shopping https://www.youtube.com/watch?v=M8hcVB6tmaw Poster • Guided Architecture Trade Space Exploration for Safety-Critical Software Systems -- https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=506434 Blog • AADL: Four Real-World Perspectives -- https://insights.sei.cmu.edu/sei_blog/2015/03/aadl-four-real-world-perspectives.html https://insights.sei.cmu.edu/sei_blog/2014/11/tactical-cloudlets-moving-cloud-computing-to-the-edge.html For more information, write to [email protected]
Watch Rachel Kartch discuss "Best Practices: Network Border Protection" in this SEI Podcast Series video.
SEI Podcast Series: Is Java More Secure Than C? by David Svoboda
The insider threat certificates from Carnegie Mellon University's Software Engineering Institute can help organizations satisfy the requirements of Executive Order 13587 with sophisticated, flexible insider threat programs that are tailored to the unique circumstances of individual organizations.
Watch Bob Schiela in this SEI Cyber Minute as he discusses the "CERT Secure Coding Standards". For more information on this program please see: http://cert.org/go/secure-coding/
Watch Grace Lewis discuss "What are the challenges in bringing cloud computing to edge environments?" For related content please see: • Establishing Trust in Disconnected Environments (https://insights.sei.cmu.edu/sei_blog/2017/02/establishing-trust-in-disconnected-environments.html) • Tactical Cloudlets: Moving Cloud Computing to the Edge (https://insights.sei.cmu.edu/sei_blog/2014/11/tactical-cloudlets-moving-cloud-computing-to-the-edge.html) • SEI Cyber Minute: Safely Using IoT at the Edge (https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=511232) • Two Perspectives on IoT Security (poster) (https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=506396) • Pursuing an Imagined End-State in Software-based Capability (https://insights.sei.cmu.edu/sei_blog/2017/10/pursuing-an-imagined-end-state-in-software-based-capability.html) • KD-Cloudlet (KVM-based Discoverable Cloudlets) (https://github.com/SEI-AMS/pycloud/wiki)
Watch Mark Sherman in this SEI Cyber Minute as he discusses "Adding Security to Agile's Scrum".
Watch George Fairbanks deliver his SATURN 2017 talk "Functional Programming Invades Architecture."
Watch SEI Researcher, April Galyardt, discuss "Explainable AI and Human Computer Interaction".
For a long time, various architect titles have been used across the industry, but the roles and responsibilities of the architect have never been very clear. In several places, architects have moved away from engineering responsibilities, forcing some of the brightest engineers to perform tasks that didn't quite require engineering skills or the appetite to learn new technologies. More recently, in many organizations, architecture is becoming a shared concern. In this panel, we'll debate what's happening to the role of software architect and how teams should make important crosscutting design decisions.
Watch James Edmondson in this SEI Cyber Minute as he discusses "Predictable, Scalable Artificial Intelligence." For more information on the subject of this Cyber Minute, please see the following: Introduction to Autonomy Software: http://sei.cmu.edu/training/ Open-sourced Software MADARA: http://madara.sourceforge.net GAMS: http://jredmondson.github.io/gams DART: http://cps-sei.github.io/dart Autonomy videos: NATO demonstrations: https://www.youtube.com/watch?v=N6PfUubaVMY SMASH project: https://youtu.be/iLnNHwp-H8E
Watch Ipek Ozkaya as she discusses "Representing Your Technical Debt" in this SEI Cyber Minute.
Rob Cunningham discusses the promise of Quantum Computing and highlights some of the remaining scientific and engineering challenges.
Automation of static analysis of malicious binaries amplifies the effort of a limited pool of malware analysts and accelerates insight generation captured by higher-level abstractions accessible to more network defenders within the U.S. Department of Defense (DoD). Analyzing the large number of malware samples attacking the DoD worldwide infrastructure is a time-consuming process. Malware analysis requires specialized skills, and when confronted with novel malware binaries, malware analysts can spend days (or even weeks) reverse-engineering a single sample. This bottleneck in the process of deriving actionable insights by understanding the threat presented by malware can be mitigated by both automating repetitive tasks and providing more semantically rich abstractions used by a malware analyst and others who use his or her results.
Watch Sebastian von Conrad deliver his SATURN 2017 talk "An In-Depth Look at Event Sourcing With CQRS."
Watch Jeff Boleng in this SEI Cyber Minute as he discusses a "Software Defined World".
Most enterprises understand the value of the cloud but have a significant drag on their ability to define a path forward. While cloud strategies are being defined and target states identified, enterprises typically lack resources, funding, and skill sets to refactor applications for the cloud. Mining cloud-native patterns/anti-patterns has established a rule set for assessing cloud suitability of .NET and Java enterprise applications. These rules assess the vulnerabilities, performance, availability, dependencies, scalability, portability, and code quality attributes in the application. In this presentation, we will examine a few critical samples of 350-plus rules for Java applications and 250-plus rules for .NET applications identified so far to assess an application’s cloud readiness. These rules form the basis of the cloud assessment tool’s rule set that we are implementing as the SonarQube plugin. The tool helps enterprises accelerate cloud adoption by assessing application code in minutes instead of months. The tool has been used successfully in multiple enterprise assessments and helped migrate existing systems to cloud. Attendees will learn the cloud-native patterns/anti-patterns for assessing cloud suitability of .NET and Java enterprise applications and the common challenges in enterprise systems migrating to cloud.
Eliezer Kanal explains deep learning, a subfield of artificial intelligence, and how the SEI is conducting research to learn how it might be used to advance cybersecurity.
Watch George Fairbanks discuss My Silver Toolbox: Building Models Quickly + Carefully.
SEI Podcast Series: DNS Best Practices by Mark Langston
Watch Art Manion in this SEI Cyber Minute as he discusses "Coordinated Vulnerability Disclosure".