The Transfer and Diffusion of Information Technology for Organizational Resilience addresses the challenges faced by many organizations today as they strive to be resilient in a turbulent economic and political environment. Resilience is considered in the context of the ideas provided by Everett Rogers in his textbook Diffusion of Innovations, where he provided a framework for evaluating the transfer and diffusion of IT.

This volume contains the edited proceedings of the Working Conference on the Transfer and Diffusion of IT for Organizational Resilience, which was sponsored by the International Federation for Information Processing (IFIP) Working Group 8.6 (Transfer and Diffusion of Information Technology), and held in Galway, Ireland in June of 2006. The material contained in this book represents current thinking on the topic of resilience by academics and leading practitioners.

Feller, J., Fitzgerald, B., Hissam, S., & Lakhani, K. (editors)
Perspectives on Free and Open Source Software. Cambridge, MA: MIT Press, 2005 (ISBN-10: 0-262-06246-1, ISBN-13: 978-0-262-06246-6).

What is the status of the Free and Open Source Software (F/OSS) revolution? Has the creation of software that can be freely used, modified, and redistributed transformed industry and society, as some predicted, or is this transformation still a work in progress? Perspectives on Free and Open Source Software brings together leading analysts and researchers to address this question, examining specific aspects of F/OSS in a way that is both scientifically rigorous and highly relevant to real-life managerial and technical concerns.

The book analyzes a number of key topics: the motivation behind F/OSS—why highly skilled software developers devote large amounts of time to the creation of "free" products and services; the objective, empirically grounded evaluation of software—necessary to counter what one chapter author calls the "steamroller" of F/OSS hype; the software engineering processes and tools used in specific projects, including Apache, GNOME, and Mozilla; the economic and business models that reflect the changing relationships between users and firms, technical communities and firms, and between competitors; and legal, cultural, and social issues, including one contribution that suggests parallels between "open code" and "open society" and another that points to the need for understanding the movement's social causes and consequences.

Garcia, S. & Turner, R.
CMMI Survival Guide: Just Enough Process Improvement. Addison Wesley Professional, 2007 (ISBN-10: 0-262-06246-1, ISBN-13: 978-0-262-06246-6).

"Traveling down the CMMI road can be difficult and time-consuming. Garcia and Turner have given us a practical roadmap that addresses the key points to learn as well as the many potholes to avoid. Their Survival Guide is a most valuable resource for the journey. It will help immeasurably in achieving the process improvement that you seek."
—Dr. Howard Eisner, Distinguished Research Professor, George Washington University

"Helps you get to the 'red meat' of the CMMI quickly and with minimum pain."
—Donald J. Reifer, President, Reifer Consultants, Inc.

"The best words I can offer potential readers is that you must have this book, not on your shelf, but with you for repeated reading to glean new ideas or reinforce old ones you gained from the past readings. If you have ever been directly involved in a process improvement initiative or if you are starting one, this book can only help you to do a better job. And while [the authors] may not have written this book explicitly for experienced consultants, I found it a great reference even for those of us who helped start this industry, because it provides clear and useful answers to those tough questions we are asked all of the time."
—Tim Kasse, CEO and Principal Consultant, Kasse Initiatives LLC

"This book contains practical (working) tips for the 'getting started' phase of process improvement, which is the hardest one in the road to improving one's processes."
—Agapi Svolou, Principal of Alexanna, LLC, and SEI CMMI Transition Partner

"The authors have done an outstanding job in providing guidance for process improvement from a practical perspective. Instead of focusing on a single technique or approach, they have provided a variety of methods for process improvement implementation and have framed their discussion with rich context from lessons learned. The concepts described in this book will be useful to both those starting CMMI implementations and to those who are well into their journey but are still looking for ways to lessen the pain and provide value-added improvements. Reading the book is like being in the audience during a live presentation by SuZ and Rich&—they wrote the book as they would present the information to a live audience."
—Bill Craig, Director, Software Engineering Directorate, AMRDEC, RDECOM

"I have been involved in process improvement since the early 90's and many of the mistakes that I made could have been prevented if this book had been available then."
—Claude Y. Laporte, Professor, ETS Universite du Quebec

"Primarily, the book is practical. The guidance presented is geared toward someone who is not exactly sure why they need process improvement, but is presented with the fact that they must do it. Very often these are smaller organizations, with limited resources, and uncertain support from above. As I read the book, I thought almost immediately of a couple of organizations with which I am familiar who could use this kind of tutelage. There are real, and useful, techniques in this book that I believe can help these kinds of organizations prioritize and establish reasonable plans for improving the processes in the organization. I also like the sidebars and personal observations. Discussions of experience can really help organizations through the various pitfalls that are part of developing and deploying processes. It makes the book more of a 'real life' guide, and not a theoretical exercise. Finally, the book is an enjoyable read. The conversational style of the book (and the humor) make it much easier to read than many of the books I have read in the past."
—Alexander Stall, Principal Process Improvement Engineer, Systems and Software Consortium

The CMMI provides a framework for process improvement spanning the life cycle of a product or service, from conception through delivery and maintenance. Widely and beneficially adopted around the world, the size and apparent complexity of the framework have nonetheless been daunting to some organizations. That need not be so. With a proper guide to help navigate around unknown dangers, potential pitfalls, and false paths, you too, can realize substantial business value from a successful CMMI implementation. This book is such a guide, full of the real-life examples to ease your way, and written in a lighter style to ease your reading.

The CMMI Survival Guide is an effective resource for multiple readerships. If you are just now considering a process improvement program, with the CMMI among your options, the authors' discussion of relevant issues will enhance your business case right from the start. If you have already decided to implement the CMMI, the authors' practical knowledge will help you make the most of your efforts. Even if you are well into a CMMI implementation, but are lost, stuck, or going around in circles, the authors' valuable advice will help you regain your direction. If you work in a smaller or resource-strapped organization, you will particularly benefit from the authors' description of alternative paths to process improvement—approaches that are more incremental or agile, and less intensive, than you might imagine for a CMMI implementation. The authors draw on their extensive experience working with diverse organizations, and on the CMMI tools, techniques, and templates developed for those organizations.

Whatever your background or need, the CMMI Survival Guide will help you survey the CMMI territory, consult possible road maps, learn from other CMMI explorers, weigh the benefits of hiring a living guide, and even consider whether the trip is right for you.

Hoffman, H., Yedlin, D., Mishler, J., & Kushner, S.
CMMI for Outsourcing: Guidelines for Software, Systems, and IT Acquisition. Addison Wesley Professional, 2006 (ISBN-10: 0-321-47717-0, ISBN-13: 978-0-321-47717-0).

"By following the guidance contained in [the CMMI-ACQ and this book], you'll be able to build an organic acquisition capability that will position your organization to successfully set the scope of engagements with suppliers, keep suppliers and in-house users focused on a common picture of success, and deliver capabilities that will position your organization as a leader in your market or mission for years to come."
—Foreword by Brian Gallagher (Director, Acquisition Program, Software Engineering Institute)

Increasingly, both commercial and government organizations are acquiring key software, systems, and IT functions instead of building them. Yet all too often, the technology solutions they purchase cannot be sustained successfully. Now there is a comprehensive solution: the CMMI for Acquisition (CMMI-ACQ) model, which connects the widely adopted CMMI 1.2 framework with established industry best practices for acquisition and outsourcing.

This book is a practical introduction to the initial CMMI-ACQ and its use in all phases of technology acquisition. Developed under the leadership of the SE) and General Motors (GM), the CMMI-ACQ combines CMMI's successful process discipline with techniques proven to work in GM's own extensive outsourcing program. Reflecting the unique insights of key players in the development and early implementation of the CMMI-ACQ, the book covers the entire acquisition project lifecycle, presenting real-world stories as they might occur in your own organizations, insider experiences, tips, tricks, and pitfalls to avoid.

The topics discussed here include: determining when outsourcing is and is not appropriate; developing acquisition strategies and aligning organizational structure with them; capturing accurate requirements; specifying realistic design constraints; writing effective RFPs; selecting, managing, and collaborating with suppliers; negotiating contracts; managing risk; and "measuring for success." CMMI for Outsourcing will be valuable to any organization that wants to achieve better results from technology acquisition. It will be especially helpful to organizations already involved with CMMI-related process improvement and to companies that partner with them.

Northrop, L., Feiler, P., Gabriel , R., Goodenough, J., Linger, R., Longstaff, T., Kazman, R. Klein, M., Schmidt, D., Sullivan, K., & Wallnau, K.
Ultra-Large-Scale Systems: The Software Challenge of the Future. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2007 (ISBN: 0-9786956-0-7).

Ultra-Large-Scale Systems: The Software Challenge of the Future is the product of a 12-month study of ultra-large-scale (ULS) systems software. The study brought together experts in software and other fields to answer a question posed by the U.S. Army Office of the Assistant Secretary of the U.S. Army (Acquisition, Logistics & Technology): “Given the issues with today’s software engineering, how can we build the systems of the future that are likely to have billions of lines of code?” Increased code size brings with it increased scale in many dimensions, posing challenges that strain current software foundations. The report details a broad, multi-disciplinary research agenda for developing the ultra-large-scale systems of the future.

Software, says Claude M. Bolton, Jr., assistant secretary of the Army (Acquisition, Logistics & Technology), is the chief enabler of an Army transformation that emphasizes information superiority. “Software makes possible increased situational awareness by providing sensors into networks that allow commanders and soldiers to see first, act first, and act decisively,” he says. But the Army’s demands for software are rapidly outpacing its ability to manage software acquisition. “We need better tools to meet future challenges,” says Bolton, “and neither industry nor government is working on how to do things light-years faster and cheaper. How can future systems be built reliably if we can’t even get today’s systems right?”

“The DoD has a goal of information dominance,” says Linda M. Northrop, who led the study for the SEI. “Achieving this goal depends on the availability of increasingly complex systems characterized by thousands of platforms, sensors, decision nodes, weapons, and users, connected through heterogeneous wired and wireless networks. These systems will be ULS systems. Although they will comprise far more than just software,” says Northrop, “it is software that fundamentally will make possible the achievement of the DoD’s goal. Yet software is the least well understood and the most problematic element of our largest systems today. Our current understanding of software and our software development practices will not meet the demands of the future. To make significant progress in the size and complexity of systems that can be built and deployed successfully, we require a culture shift. In this report, we identify the kinds of research that will effect such a culture shift.”

If you would like more information about ULS systems and the ULS Systems Study, please visit the ULS pages on the SEI Web site or contact: Linda Northrop ( lmn@sei.cmu.edu).

Seacord, R.
Secure Coding in C and C++. Addison Wesley Professional, 2006 (ISBN-10: 0-321-33572-4).

"The security of information systems has not improved at a rate consistent with the growth and sophistication of the attacks being made against them. To address this problem, we must improve the underlying strategies and techniques used to create our systems. Specifically, we must build security in from the start, rather than append it as an afterthought. That's the point of Secure Coding in C and C++. In careful detail, this book shows software developers how to build high-quality systems that are less vulnerable to costly and even catastrophic attack. It's a book that every developer should read before the start of any serious project."
—Frank Abagnale, leading consultant on fraud prevention and secure documents

Commonly exploited software vulnerabilities are usually caused by avoidable software defects. Having analyzed nearly 18,000 vulnerability reports over the past ten years, the CERT/Coordination Center (CERT/CC) has determined that a relatively small number of root causes account for most of them. This book identifies and explains these causes and shows the steps that can be taken to prevent exploitation. Moreover, this book encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow's attacks, not just today's.

Drawing on the CERT/CC's reports and conclusions, Robert Seacord systematically identifies the program errors most likely to lead to security breaches, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives.

Coverage includes technical detail on how to (1) Improve the overall security of any C/C++ application, (2) Thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic, (3) Avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions, (4) Eliminate integer-related problems: integer overflows, sign errors, and truncation errors, (5) Correctly use formatted output functions without introducing format-string vulnerabilities, (6) Avoid I/O vulnerabilities, including race conditions

Secure Coding in C and C++ presents hundreds of examples of secure code, insecure code, and exploits, implemented for Windows and Linux. If you're responsible for creating secure C or C++ software—or for keeping it safe—no other book offers you this much detailed, expert assistance.

Software Engineering Institute
A Process Research Framework. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2007.

The SEI's International Process Research Consortium (IPRC) brings together 27 leaders from academia and industry to study the implications of both plausible future scenarios and existing process research. The group’s research framework addresses the question of how the communities represented by the IPRC membership should invest in process research during the next decade.

By providing systematically organized research themes and targeted questions, the framework serves as a focusing tool for industry, researchers, and funding agencies in determining the most fruitful questions to address in their own process research programs.

For more information on the IPRC framework, please visit www.sei.cmu.edu/iprc

Book Chapters & Contributions

Buttles-Valdez, P. & Valdez, F.
"Terminal Classic Events: Colha Belize and the Central Maya Lowlands." In Archaeological Investigations in the Eastern Maya Lowlands; Research Reports in Belizean Archaeology, Volume 4.

The "collapse" or "demise" of Classic Maya civilization has long been a subject of intense study and interest. Terminal Classic events at prehistoric Colha, in northern Belize, provide contextual evidence of activities which resulted in the abandonment of the site. Of particular interest is the placement of a “skull pit” containing the decapitated skulls of 30 "elite" level individuals in the monumental center. The site of Colha is contextualized and the violent activity of the Terminal Classic occupation is presented. Implications of the skull pit and events across the Central Maya Lowlands are discussed for modeling one possible scenario of Terminal Classic events.

Humphrey, W.
(foreword for Japanese translation). TSP: Leading a Development Team. Addison Wesley Professional, 2005 (ISBN: 0321349628).

Ferguson, R.
Evaluating the Impact of the QuARS Requirements Analysis Tool Using Simulation. Heidelberg: Springer Berlin, 2007 (ISBN 978-3-540-72425-4).

Konrad, M.
(invited foreword). Der Weg zur professionellen IT: Eine praktische Anleitung fuer das Management von Veranderungen mit CMMI ITIL oder SPICE (by Foegen, M. Solbach, M., & Raak, C) 2007.

Levine, L. & Saunders, K.
"Software Patents: Innovation or Litigation?" In Software Patents: Protection and Licensing (by Narsimha Rao, A.V., editor), pp.119-133. Hyderabad, India: Amicus Books, The Icfai University Press. [Reprinted from IT Innovation for Adaptability and Competitiveness, Fitzgerald B. &  Wynn, E. (editors). IFIP 8.6 Working Conference on IT Innovation for Adaptability and Competitiveness (pp. 229 – 242), May 30- June 2, 2004, Leixlip, Ireland. Boston: Kluwer Academic Publishers.

The proposed Directive on the Patentability of Computer-Implemented Inventions recently approved by the European Parliament may have significant implications for the software industry, public policy and patent protection. In this paper, we summarize the scope of patent protection in the European Union, the United States, and Japan. We examine the patentability of computer software under E.U. and U.S. patent law. We provide an overview of the Directive and finally assess the legal, economic, and public policy implications for software developers and users should the Directive be approved.

Liu, Y.,  Gorton, I.,  Bass, L., Hoang C., & Abanmi, S.
“MEMS: A Method for Evaluating Middleware Architectures in Quality of Software Architectures,” Lecture Notes in Computer Science, 4214, 2006, pp 9 – 26.

Middleware architectures play a crucial role in determining the overall quality of many distributed applications. Systematic evaluation methods for middleware architectures are therefore important to thoroughly assess the impact of design decisions on quality goals. This paper presents MEMS, a scenario-based evaluation approach. MEMS provides a principled way of evaluating middleware architectures by leveraging generic qualitative and quantitative evaluation techniques such as prototyping, testing, rating, and analysis. It measures middleware architectures by rating multiple quality attributes, and the outputs aid the determination of the suitability of alternative middleware architectures to meet an application’s quality goals. MEMS also benefits middleware development by uncovering potential problems at early stage, making it cheaper and quicker to fix design problems. The paper describes a case study to evaluate the security architecture of grid middleware architectures for managing secure conversations and access control. The results demonstrate the practical utility of MEMS for evaluating middleware architectures for multiple quality attributes.

Mead, N.
"Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method" Chapter 2.20 of Information Security and Ethics: Concepts, Methodologies, Tools and Applications (Hamid Nemati, editor) pp. 943 – 963.

In this chapter we describe general issues in developing security requirements, methods that have been useful, and a process (SQUARE) that can be used for eliciting, analyzing, and documenting security requirements for software systems.  The SQUARE process, developed at SEI/CERT, provides a systematic approach to security requirements engineering.  The method has been used on a number of client projects by CMU student teams, prototype tools have been developed, and research is ongoing to improve this promising method.

Book Reviews

Ferguson, R.
"Commonsense Reasoning" [registration required]
(by Eric T. Mueller). Software Quality Professional (December 2006).

"Implementing Lean Software Development: From Concept to Cash" [registration required]
Software Quality Professional (June 2007).

Annual Report Archives: 2002 | 2003 | 2004 | 2005 | 2006