Software Engineering Institute (SEI) Webcast Series
61 minutes | 18 days ago
SolarWinds Hack: Fallout, Recovery, and Prevention
The recent SolarWinds incident demonstrated the challenges of securing systems when they are the product of complex supply chains. Responding effectively to breaches and hacks requires a cross-section of technical skills and process insights. In this webcast, we explored the lifecycle of the SolarWinds activity and discussed both the technical and the risk-assessment work needed to prepare organizations to defend against this type of incident. What attendees will learn: • Technical details of the SolarWinds compromise and the exploits that followed it • Supply chain risk management principles required to reduce the risk of future incidents • Advice on the core operational capabilities required to respond to and recover from the SolarWinds hack. Speakers: Matthew Butkovic and Art Manion
63 minutes | a month ago
Software Engineering for Machine Learning
In this webcast, Grace Lewis and Ipek Ozkaya discuss the perspectives involved in the development and operation of ML systems. What attendees will learn: • Perspectives involved in the development and operation of ML systems • Types of mismatch that occur in the development of ML systems • Future work in software engineering for ML systems
54 minutes | 3 months ago
Busting the Myths of Programmer Productivity
Are the great programmers really 10 times faster than the rest? What does this difference in productivity even mean? What productivity distribution should we expect between professionals? How can we use this knowledge? In this webcast, we make the most of a large set of programmer training data using repeated measures to explore these questions. What attendees will learn: • For routine tasks, professional programmers have a narrower range of productivity than we first supposed, but almost half of the variation in individual productivity is noise, making programmer rankings suspect. • Rather than finding the “fastest” programmers, we should find competent people and give them the training and environment they need to succeed.
62 minutes | 3 months ago
What Is Cybersecurity Engineering and Why Do I Need It?
In this webcast, Carol Woody and Rita Creel discuss how cybersecurity engineering knowledge, methods, and tools throughout the lifecycle of software-intensive systems will reduce their inherent cyber risk and increase their operational cyber resilience.
61 minutes | 5 months ago
Threats for Machine Learning
This webcast illustrated where machine learning applications can be attacked, the means of carrying out each attack, and some mitigations that can be employed. The elements involved in building and deploying a machine learning application were reviewed, considering both data and processes, and the impact of attacks on each element was considered in turn. Special attention was given to transfer learning, a popular way to quickly construct a machine learning application. Mitigations for these attacks were discussed along with the engineering tradeoffs between security and accuracy. Finally, the methods by which an attacker could gain access to the machine learning system were reviewed. Speaker: Dr. Mark Sherman
46 minutes | 5 months ago
Follow the CUI: Setting the Boundaries for Your CMMC Assessment
One of the primary drivers of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is the congressional mandate to reduce the risk of accidental disclosure of controlled unclassified information (CUI). However, a full CMMC assessment can seem daunting to organizations in the Defense Industrial Base (DIB), and many might not know where to start. In this webcast, Model Architects Gavin Jurecko and Matt Trevors reviewed several steps for identifying CUI exposure in terms of their critical services and the assets that support them. This approach can help DIB organizations properly scope a CMMC assessment and contain the costs of protecting CUI.
62 minutes | 6 months ago
Risk Management for the Enterprise–How Do You Get Executives to Care About Your Risks?
Risk managers must often sift through a cacophony of demands for resources and advocacy to identify a diverse set of risks to include in their organization’s risk register. Managers of cyber risk face this problem when prioritizing risks within the scope of their function, only to then turn to executives and justify the need for resources. OCTAVE FORTE, an upcoming Enterprise Risk Management (ERM) process model developed by Carnegie Mellon’s CERT Division of the SEI, provides a scalable and standardized process that assists managers with the policy guidelines and tools necessary for identifying risks and justifying the resources needed for the organization’s proper response to them. Attendees of the OCTAVE FORTE webcast learn about the new OCTAVE FORTE process and about the report Advancing Risk Management Capability Using the OCTAVE FORTE Process, due this Fall. More specifically, attendees can expect to learn the fundamental steps of the process and how they might apply them in their own organization.
62 minutes | 7 months ago
Quality Attribute Concerns for Microservices at the Edge
Bringing computation and data storage closer to the edge, such as disaster and tactical environments, has challenging quality attribute requirements. These include improving response time, saving bandwidth, and implementing security in resource-constrained nodes. In this webcast we review characteristics of edge environments with a focus on architectural qualities. The characteristics and quality attribute concerns that we present are generalized from, and informed by, multiple customer engagements we have undertaken in recent years. We present an overview of edge environments, in both military and civilian contexts, discuss edge-specific challenges and how they differ by context, then discuss the architectural quality attributes that are well suited to address those challenges, with examples of how each applies. A microservices architecture provides an opportunity to address several of the quality attribute concerns at the edge. Through a final consolidated scenario as an exemplar, we discuss how the presented qualities can be addressed using microservices. This webcast should be useful for anyone interested in better understanding the challenges of edge environments and learning about representative scenarios of work currently being done.
55 minutes | 7 months ago
Agile in Government: Go for Insight, Not Just Oversight
This webcast provided practical insights into how a Government Program Office can productively engage with a contractor using Agile and Lean methods. By reorienting the Agile Manifesto for a system acquisition context, we considered the distinction between oversight and insight, then briefly shared examples of the impact of continuous delivery on technical review, requirements, testing, and system engineering.
60 minutes | 8 months ago
Organizational Resilience in a Time of Crisis
Disruptive events and crises have the potential to irreparably harm your organization. The key to thriving, not simply surviving, in uncertain times is analysis of posture and preplanning. An organization can demonstrate operational resilience, when faced with both cyber and physical disruptions, if it focuses on the fundamentals and makes data-driven risk decisions.
63 minutes | 8 months ago
Solving Current Cyber Challenges: Academic and Industry Collaboration
The chasm between what academia researches and what industry uses in cyber is wide. Collaboration between academia and industry is one of the best ways for industry to direct academic research toward current problems; without it, academia can struggle to produce algorithms, datasets and techniques that are directly applicable to real-world problems. Students and researchers should build a working partnership with practitioners early in their careers to be exposed to, and ground their work in, current industry challenges. This maximizes the relevance of their work in practice and ultimately results in more research being transformed into practical solutions.
44 minutes | 9 months ago
Software Architecture: A Mature Discipline?
The concept of software architecture as a distinct discipline in software engineering started to emerge in 1990, although the idea had been around for much longer. Throughout my career in industry, then in academia, I’ve witnessed the growth of software architecture, its evolution in leaps and bounds. I’ve also had the privilege to meet and work with many of the key contributors who over 30 years have shaped it into what we know today: a mature discipline. It has its theories, its standards, its processes and tools, its place in schools’ curricula. Industry and academia, although often on different tracks, and often ignoring each other, have been making more incremental progress every year and even branching out into subdisciplines or different schools of thought. But the obvious question is: are we done? What’s next? Plateau, obsolescence, retirement? Not quite. New problems arose, driven by new technologies, and some old problems were never fully solved, or their context significantly evolved. In this brief talk, I’ll reflect on these 30 years and, pulling out my crystal ball, speculate on potential developments ahead, from 4+1 different viewpoints.
61 minutes | 9 months ago
A Discussion on DoD Software Advances and What’s Next from SEI
SEI Chief Technology Officer Tom Longstaff interviewed Jeff Boleng, a senior advisor to the U.S. Department of Defense, on recent DoD software advances and accomplishments. They discussed how the DoD is implementing recommendations from the Defense Science Board and the Defense Innovation Board on continuous development of best practices for software, source selection for evaluating software factories, risk reduction and metrics for new programs, developing workforce competency, and other advancements. Boleng and Longstaff also discussed how the SEI, the DoD’s research and development center for software engineering, will adapt and build on this work to accomplish major changes at the DoD.
65 minutes | 10 months ago
Top 5 Considerations Before Boarding the Container Ship
In an increasingly cloud-native world, application containers and microservice architectures are the next go-to for system architecture modernization. Like many technology choices, they involve trade-offs that have to be carefully considered. Will containers solve my business problems? How will certain responsibilities shift between my software teams? How do I maximize my cyber security posture? Will I need to re-train staff? What is my budget for infrastructure and prototyping? In this webcast, David Shepard and Aaron Volkmann discussed some of the potential pitfalls of using containers and provided some food for thought to software teams considering embarking on a journey to containers.
62 minutes | 10 months ago
Trust, Verify & Authorize with DevSecOps
You may have a secure application today, but you cannot guarantee that it will still be secure tomorrow. Application security is a living process that must be addressed continuously throughout the application lifecycle. This requires continuous security assessments at every phase of the software development lifecycle (SDLC). The SEI has researched a continuous authorization concept within DevSecOps that allows constant interaction between developers and information security teams throughout the entire SDLC. This keeps authorizing officials, such as personnel on information security teams, in constant contact with developers as changes are made to existing code and as new features are added. From project conception, the system security plan should be integrated into the development platform as well as the other environments, so that developers and information assurance (IA) staff see the same artifacts for every development and deployment activity. Any change to the system's security posture can then be immediately identified and reported to the IA, who evaluates it and ensures that all security controls remain adequately addressed. As a result, every security feature can be verified and authorized, and over time the organization builds a culture of trust among all stakeholders. Hasan Yasar and Eric Bram discussed how continuous communication and collaboration among developers and information security teams reinforces core DevOps principles and allows developers to write code with a "secure" development mindset. Giving developers and DevOps engineers alike the tools and knowledge to excel in their roles not only leads to enhanced productivity but also to a more robust and secure application and environment.
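The continuous-authorization idea above, in which the system security plan lives alongside the deployment artifacts and any change that touches an authorized control is flagged to the IA, can be made concrete as a pipeline gate. The following is an added illustration written for this page, not SEI's code or tooling: the SSP layout, the control IDs and the configuration keys are constructed stand-ins, and the two deployment snapshots are made-up exports of the kind a container or host platform might produce. The point it shows is that only settings the SSP relies on count as posture changes; an unrelated version bump does not raise a finding.

```python
"""Continuous-authorization drift check: compare the controls declared in a system
security plan (SSP) against what the deployment platform reports, and flag every
control whose evidence no longer matches.

Illustrative code written for this page, not SEI's. The SSP layout, control IDs
and configuration keys are constructed stand-ins for whatever a real program uses.
"""
from __future__ import annotations

from dataclasses import dataclass

MISSING = "<not set>"  # a setting the SSP relies on that the platform no longer reports

# Constructed SSP excerpt: control ID -> configuration settings the authorizing
# official accepted as implementing that control.
SSP = {
    "AC-17": {"sshd.PasswordAuthentication": "no", "sshd.PermitRootLogin": "no"},
    "AU-2": {"audit.enabled": True},
    "SC-8": {"web.tls_min_version": "1.2", "web.redirect_http_to_https": True},
}

# Constructed configuration snapshot as a deployment platform might export it.
DEPLOYED_BASELINE = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "audit.enabled": True,
    "web.tls_min_version": "1.2",
    "web.redirect_http_to_https": True,
    "app.version": "2.3.1",
}

# Constructed snapshot after a change: password logins enabled, audit logging off,
# and the TLS floor dropped from the manifest entirely. The version bump is not a control.
DEPLOYED_AFTER_CHANGE = {
    "sshd.PasswordAuthentication": "yes",
    "sshd.PermitRootLogin": "no",
    "audit.enabled": False,
    "web.redirect_http_to_https": True,
    "app.version": "2.4.0",
}


@dataclass(frozen=True)
class Finding:
    control: str
    setting: str
    expected: object
    actual: object


def check_drift(ssp: dict, deployed: dict) -> list[Finding]:
    """Return one Finding per SSP setting whose deployed value differs or is absent.

    Settings the SSP does not reference (e.g. app.version) are ignored on purpose:
    only changes that touch an authorized control count as posture changes.
    Results are ordered by control ID, then setting name, so reports are stable.
    """
    findings = []
    for control in sorted(ssp):
        for setting in sorted(ssp[control]):
            expected = ssp[control][setting]
            actual = deployed.get(setting, MISSING)
            if actual != expected:
                findings.append(Finding(control, setting, expected, actual))
    return findings


def affected_controls(findings: list[Finding]) -> set[str]:
    return {f.control for f in findings}


def authorization_gate(ssp: dict, deployed: dict) -> tuple[bool, list[Finding]]:
    """The gate a pipeline runs on every deployment: authorized only when every
    control's evidence still matches the SSP."""
    findings = check_drift(ssp, deployed)
    return (not findings, findings)


def format_report(findings: list[Finding]) -> str:
    """Human-readable summary for the information-assurance reviewer."""
    if not findings:
        return "no drift from SSP; authorization holds"
    lines = [f"{len(findings)} setting(s) drifted; controls affected: "
             + ", ".join(sorted(affected_controls(findings)))]
    for f in findings:
        lines.append(f"  {f.control}: {f.setting} expected={f.expected!r} actual={f.actual!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, snapshot in (("baseline", DEPLOYED_BASELINE), ("after change", DEPLOYED_AFTER_CHANGE)):
        authorized, findings = authorization_gate(SSP, snapshot)
        print(f"[{label}] authorized={authorized}")
        print(format_report(findings))
```

In a real pipeline the SSP excerpt would be versioned next to the deployment manifests and the gate would run on each merge and deployment, failing the job and notifying the IA when `authorization_gate` returns false; mapping a finding back to the control ID is what lets the reviewer judge the change against the plan rather than against a raw config diff.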
54 minutes | 10 months ago
Hitting the Ground Running: Reviewing the 17 CMMC Level 1 Practices
In this webcast, CMMC Architects Gavin Jurecko and Matt Trevors provide insight on how to evaluate and assess your organization’s readiness for meeting the practice requirements of CMMC Level 1. Learn more about the DIB CS Program at https://dibnet.dod.mil/ or email firstname.lastname@example.org. CISA CRR Resources: https://www.us-cert.gov/resources. CMMC Accreditation Body: https://www.cmmcab.org. NIST SP 800-171A: https://csrc.nist.gov/publications/detail/sp/800-171a/final
21 minutes | a year ago
The DoD’s Cybersecurity Maturity Model Certification and Process Maturity
Andrew Hoover and Katie Stewart discussed the DoD’s new CMMC program. They gave a brief overview of CMMC followed by a deep dive into the Process Maturity aspect of the model. The webcast provided insight into how organizations can prepare for CMMC.
29 minutes | a year ago
Connecting Cyber Risk Managers to Executives: Understanding Risk Governance and Appetite
This webcast helps professionals and executives communicate risk concerns, despite the cacophony and distraction posed by technical details and other organizational demands, using the new OCTAVE FORTE approach. Practical tips for developing and applying a risk appetite are discussed.
57 minutes | a year ago
At What Point Does DevSecOps Become Too Risky for the Business?
This webcast covered the implementation of an automated, continuous risk pipeline that demonstrates how cyber-resiliency and compliance risk can be traced to and from DevSecOps teams working at the program and project levels of the SDLC. It includes the integration of asset management, DevSecOps tooling, a policy-to-procedure platform and a risk management platform.
62 minutes | a year ago
Becoming a Better Software Architect
For more than two decades, Carnegie Mellon University’s Software Engineering Institute (SEI) has been instrumental in the creation and development of the field of software architecture. In our past webcasts, What Makes a Good Software Architect? (https://www.youtube.com/watch?v=CbLJC...) and What Makes a Good Software Architect (2019 Edition)? (https://www.youtube.com/watch?v=UFqys...), we have discussed what makes a good software architect. The range of knowledge and skills involved can be daunting, particularly given the pace of change in technologies and practices. In this session, a panel of architects will discuss their personal paths to becoming software architects and how they have helped others on that journey.
© Stitcher 2020