Software is everywhere. We love it when it makes our lives easier. We hate it when it doesn't work the way we expect—or when its design is not sufficiently intuitive or robust. Software is in our military systems—satellites, tanks, aircraft and ships—but it's also in our everyday life: toasters, automobiles, banks, and medical equipment.

Software is important and its importance is growing. Software allows us to personalize and customize many systems. It brings increasingly complex integrated circuits to life and harnesses their power to help us. It allows us to communicate more efficiently, to live in a more connected world, to operate businesses more effectively. Multi-national businesses have software-intensive enterprise systems while small businesses and individuals use the Internet for ever growing applications.

Unfortunately, there is a gap between the state of the art and the state of the practice of software engineering. Many senior managers don't understand software engineering and many software practitioners have lapsed into undisciplined, ad hoc practices. Consequently, software design, development and integration are often plagued by schedule delays, cost increases, performance problems and defects.

Data indicate that 60-80% of the cost of software development is in rework, that is, fixing defects that are found during testing. Fortunately, there is an alternative. We can reduce test and rework costs significantly if we use better design and implementation practices. We can meet schedules and we can reduce the variability and risk in software intensive programs. We can make our software teams more productive and raise the quality of their work experience if we follow disciplined engineering practices.

Commercial software products today are often riddled with defects—commonly known as "bugs"— that are introduced in the software's design and development. As our systems become more and more interconnected in networks, the stakes are rising. Defects in products that are linked to the Internet open vulnerabilities to cyber attack and exploitation. The Internet is only as secure as its weakest link.

Each year, the SEI's CERT Coordination Center (CERT/CC) documents thousands of commercial product vulnerabilities. Once again, however, there is an alternative. Most of these vulnerabilities are due to a modest number of root causes. We can avoid these vulnerabilities and greatly reduce the number of successful cyber attacks if software developers use the proven best design techniques of software engineering.

The SEI's core purpose is to improve the state of the art in software engineering, and to transition this work to the community so we improve the state of practice in software engineering as well. Our work is not done unless we do both parts of our job. We believe, and we have the evidence to support us, that the best way to ensure the security of software is to design, develop, and integrate software in a way that does not allow defects into software in the first place. Investments in up-front discipline and sound processes increase quality and security and decrease cost and risk.

We are part of Carnegie Mellon University, one of the nation's premier computer science and engineering institutions. Since 1984, we have been identifying, developing, and advocating practices to improve all aspects of software. At the SEI, we emphasize defect prevention through improvement of process and product quality during the early phases of system development. We believe you should design quality into software, not test and patch it.

At SEI, we're developing innovative software technologies to meet today's challenges and tomorrow's opportunities.

Paul D. Nielsen
Director and Chief Executive Officer
Software Engineering Institute