In these short videos, experts from the Software Engineering Institute (SEI) deliver informative snapshots of our latest research on the changing world of all things cyber. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.
In this SEI Cyber Minute, Alex Corn discusses how to protect systems using Secure Shell (SSH). SSH supports keys, which provide efficiency and security benefits.
By Alex Corn
In this SEI Cyber Minute, Bobbie Stempfley explains how in our increasingly complex world, the SEI is redefining approaches to security to address the transformative technologies being adopted throughout government and industry.
By Bobbie Stempfley

Agile Pitfall in Acquisition: The Bottom of the V (3:36)
In this SEI Cyber Minute, Suzanne Miller explains a pitfall that can occur when trying to use Agile and Lean methods when developing and implementing complex, embedded systems. In such projects, development traditionally proceeds in a model shaped like a “V,” where the completion of requirements definition, architecture, and design occurs along the…
September 2019 has been designated “National Insider Threat Awareness Month.” A number of federal agencies—including the FBI, Office of the Under Secretary of Defense for Intelligence, and Department of Homeland Security—have chosen September to spotlight the risks that insiders pose to national security. Since 2001, the SEI’s CERT Division has bee…

Automating Alert Handling Reduces Manual Effort (3:22)
Static analysis (SA) alerts about software code flaws require costly manual effort to validate (e.g., determine True or False) and repair. As a result, organizations often severely limit the types of alerts they manually examine to the types of code flaws they most worry about. That approach results in a tradeoff where many True flaws may never get…

SCAIFE: An Alert Auditing Classification Prototype (2:11)
In this SEI Cyber Minute, Ebonie McNeil explains how the Source Code Analysis Integrated Framework Environment (SCAIFE) prototype is intended to be used by developers and analysts who manually audit alerts. SCAIFE provides automatic alert classification using machine learning, which gives a level of confidence that the alert is true or false. The…

Integrating Threat Modeling with the SERA Method (1:31)
Threat-modeling methods provide an approach for identifying possible threats to a system and mitigating them. In this SEI Cyber Minute, Chris Alberts discusses the Security Engineering Risk Analysis (SERA) Method and the threats and risks that organizations can use it to model and plan for. In addition, Chris discusses the threat-modeling methods t…
Chuck Weinstock introduces confidence maps and explains how they work to determine how much confidence someone can have in a claim. Confidence maps collect arguments or doubts about a claim, to which one can then apply a process of elimination to establish how much confidence someone can have that the claim is true. This SEI Cyber Minute gives an e…

Natural Language Processing for Cybersecurity (1:27)
Elli Kanal describes the work that the SEI does to train computers to learn about stored content and find pertinent information without the help of an analyst. The Software Engineering Institute (SEI) works on projects that help computers (1) learn about the content that they store and (2) find pertinent information based on what they learn. One pa…
At the SEI, we built an implementation of tactical cloudlets that we call KD-Cloudlet. Soldiers, emergency workers, field researchers, medics (really anyone who needs to be a cyber forager for computing resources) can now use KD-Cloudlet to support mobile applications that:
• contain computation-intensive code
• collect large amounts of data in th…

Infrastructure as Code: Sustaining Your Legacy Applications (2:02)
The SEI has conducted research on the issues associated with sustaining legacy systems and migrating them, such as trying to sustain a system when there is a lack of documentation and minimal Infrastructure as Code. This SEI Cyber Minute describes a prototype that the SEI has developed in light of this research and how it functions to generate code…

Why Can’t All Contractors Do Agile the Same Way? (2:59)
Suzanne Miller discusses why the use of Agile methods can vary so much from one contractor to another. Because the Agile methodology is based on a set of principles, contractors sometimes apply Agile methods differently depending on the scope and nature of the work they’re doing. This SEI Cyber Minute explains why these variations occur when practi…
Mary Catherine Ward explains the unique work that the SEI does for the Department of Defense as a federally funded research and development center (FFRDC). Federally funded research and development centers (FFRDCs) perform research to meet the specialized needs of the U.S. government. The SEI is an FFRDC sponsored by the Department of Defense and h…
Self-driving cars, drones, or missiles that use computer systems to interact with the physical world are examples of cyber-physical systems. As these systems become more complex and unpredictable, establishing confidence that they work correctly becomes challenging. To address these challenges, the Software Solutions Division of the SEI conducted r…
Eileen Wrubel discusses getting your agile program started. Agile relies on small batches of work and fast learning cycles, instead of specifying extensive big-batch requirements up front. Programs need to extend this thinking beyond the software they are building, to the development and acquisition processes themselves.
Alex Corn discusses how cross-origin resource sharing (CORS) works to resolve network problems caused by same-origin policy, and how it should be configured. Same-origin policy is a feature of modern web browsers that restricts scripts hosted on one website from making calls to another website. While useful from a security perspective, this policy …
Watch Mark Sherman in this SEI Cyber Minute as he discusses "Influence Attacks on Machine Learning".
By Members of the Technical Staff

A Complete DevOps Pipeline: The Foundation for Success (2:05)
Shane Ficorilli explains some of the requirements for successfully implementing DevOps in your organization, including how to establish a complete deployment pipeline.
By Members of the Technical Staff
Watch SEI Researcher Andrew Kotov respond to "What does a software architect do?"
By Members of the Technical Staff

Where Dynamic and Static Code Analysis Merge (3:57)
Watch Bob Schiela and Jeff Boleng discuss "Where dynamic and static code analysis merge".
By Members of the Technical Staff

Why aren’t DoD Programs using static analysis as commercial firms do? (2:48)
Watch Bob Schiela discuss "Why aren’t DoD Programs using static analysis as commercial firms do?"
By Members of the Technical Staff
Eliezer Kanal explains deep learning, a subfield of artificial intelligence, and how the SEI is conducting research to learn how it might be used to advance cybersecurity.
By Members of the Technical Staff

Should a software architect be concerned with risk analysis? (1:38)
Watch SEI Researchers Andrew Kotov and John Klein respond to "Should a software architect be concerned with risk analysis?"
By Members of the Technical Staff
Watch SEI Researcher Ipek Ozkaya respond to "Do all systems have technical debt?"
By Members of the Technical Staff

How can automated code repair help DoD with legacy code vulnerability analysis? (0:54)
Watch Bob Schiela and Jeff Boleng discuss "How can automated code repair help DoD with legacy code vulnerability analysis?"
By Members of the Technical Staff

How do you integrate software architecture into Agile/DevOps environments? (1:22)
Watch SEI Researchers Andrew Kotov and John Klein respond to "How do you integrate software architecture into Agile/DevOps environments?"
By Members of the Technical Staff
Here at the Software Engineering Institute, we have created a new tool prototype that helps explore a system’s design tradespace. The tradespace is the possible combinations of system software, hardware, and configuration options. Our prototype – which combines previous work here at the SEI with software developed at Penn State University – enables…
Pat Place discusses the forces that influence how often your organization is able to perform system updates.
By Members of the Technical Staff

Automating Repair of Pervasive Software Flaws (2:33)
Manually fixing coding errors is time- and money-consuming. As a result, teams charged to make the fixes can eliminate few vulnerabilities; and fixing errors often breaks the working code, adding unwanted delay in testing. The SEI has developed a tool to detect and automatically repair integer overflow and reads of stale sensitive data, two pervasi…
Watch Hasan Yasar discuss how to "Build Secure Applications with DevSecOps." DevSecOps is a model for integrating the software development and operational processes that considers security activities throughout the DevOps pipeline, practicing collaboration and communication between software development teams, IT operations staff, and acquirers,…
Rob Cunningham discusses the promise of Quantum Computing and highlights some of the remaining scientific and engineering challenges.
By Members of the Technical Staff

4 RFP Elements to Include for Contracting for Agile Development (3:03)
Watch SuZ Miller discuss four things for government acquisition agents to include or watch for as they prepare a request for proposal that will attract bidders who work using Agile and lean principles.
By Members of the Technical Staff
Malfaces from the Software Engineering Institute is a two-tool process that visualizes similarities between malware input files. The first tool uses binary code comparison techniques and a transform function to determine which input files match. Then, using statistical analysis, the second tool draws Chernoff faces for each file and delivers an est…
Alex Corn describes how SQL injection can occur and how you can prevent attackers from exploiting these potentially serious vulnerabilities. SQL injection vulnerabilities are common, and attackers can use them to carry out harmful attacks. This SEI Cyber Minute explains how these attacks can be prevented by using database abstraction libraries or p…
Watch Luiz Antunes in this SEI Cyber Minute as he discusses "DevOps Metrics & Visualizations".
By Members of the Technical Staff
Watch SuZ Miller in this SEI Cyber Minute as she discusses "Interruption Costs" in the development process.
By Members of the Technical Staff

CERT Cybersecurity Engineering and Software Assurance (2:34)
The SEI has launched the “CERT Cybersecurity Engineering and Software Assurance Professional Certificate” program. This program addresses the growing need to educate the current workforce to make good cybersecurity choices.
By Members of the Technical Staff

Secure DevOps: Managing Your FOSS Dependencies (1:31)
Watch Douglas Reynolds in this SEI Cyber Minute as he discusses "Secure DevOps: Managing Your FOSS Dependencies."
By Members of the Technical Staff
Are you Preparing for IPv6 Enterprise Deployment? Be sure to watch this SEI Cyber Minute.
By Members of the Technical Staff

Using Game Theory to Improve Government Acquisition (2:24)
Our team is conducting research to describe and quantify the acquisition “game” being played using modeling and simulation to frame the misaligned incentives.
By Members of the Technical Staff

Using Augmented Reality to See Real Opportunity (1:47)
Our team is developing a new prototype tool to help soldiers identify and exploit cyber opportunities in the physical environment.
By Members of the Technical Staff
Here at the Software Engineering Institute, we have created a new tool prototype that automatically explores a system's design trade space; that is, its possible combinations of system software, hardware, and configuration options.
By Members of the Technical Staff
By considering dynamic information in conjunction with static information, we can precisely locate such design flaws, and determine the root causes of bugs more quickly.
By Members of the Technical Staff
Good cyber intelligence practices—those that help you see the big picture—can prevent costly security breaches and help safeguard valuable assets and information.
By Members of the Technical Staff
The SEI Source Code Analysis Lab (SCALe) gives analysts the ability to focus on the most critical alerts from static analysis.
By Members of the Technical Staff
Watch April Galyardt in this SEI Cyber Minute as she discusses "Assessing the Skills of Cyber Operatives".
By Members of the Technical Staff
This research will help ensure the security and effectiveness of IoT devices in tactical environments.
By Members of the Technical Staff
By creating a secure-by-design language that renders certain types of bugs impossible to create, we aim to significantly reduce the risk inherent in the adoption of blockchain technology.
By Members of the Technical Staff
Watch Will Klieber in this SEI Cyber Minute as he discusses "Inference of Memory Bounds: Preventing the Next Heartbleed".
By Members of the Technical Staff
Watch Jeff Gennari in this SEI Cyber Minute as he discusses "Automated Reverse Engineering with Pharos."
By Members of the Technical Staff