05/09/2013

Software Assurance Competency Model

This Software Assurance Competency Model helps create a foundation for assessing and advancing the capability of software assurance professionals.

05/30/2012

Report from the First CERT-RMM Users Group Workshop Series

This report describes the first CERT RMM Users Group (RUG) Workshop Series and relays the experiences of participating members and CERT staff.

05/03/2012

A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders

This report presents an example of an enterprise architectural pattern, Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders, to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP.

05/01/2012

Source Code Analysis Laboratory (SCALe)

This report details the CERT Program's Source Code Analysis Laboratory (SCALe), a proof-of-concept demonstration that software systems can be conformance tested against secure coding standards, and provides an analysis of selected software systems.

05/01/2012

Insider Threat Security Reference Architecture

This technical report describes the Insider Threat Security Reference Architecture (ITSRA), an enterprise-wide solution to the threat to organizations from its own insiders. The ITSRA draws from existing best practices and standards as well as from analysis of real insider threat cases to provide actionable guidance for organizations to improve their posture against the insider threat.

03/27/2012

CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 1

This technical note maps CERT® Resilience Management Model (CERT®-RMM) process areas to certain National Institute of Standards and Technology (NIST) special publications in the 800 series.

03/05/2012

Principles of Trust for Embedded Systems

This paper gives substance and explicit meaning to the terms trust and trustworthy as they relate to automated systems and to embedded systems in particular.

02/27/2012

Mission Risk Diagnostic (MRD) Method Description

The SEI has developed the Mission Risk Diagnostic (MRD) to assess risk in interactively complex, socio-technical systems across the life cycle and supply chain.

02/16/2012

Deriving Software Security Measures from Information Security Standards of Practice

This white paper describes an approach for deriving measures of software security from well-established and commonly used standard practices for information security.

02/13/2012

Risk-Based Measurement and Analysis: Application to Software Security

This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.

01/27/2012

SEI Technologies Forum-- Software Acquisition Program Dynamics

This January 2012 webinar discusses SEI efforts to improve acquisition program staff decision making in order to reduce program cost, schedule, and quality failures.

01/27/2012

SEI Technologies Forum-- The Insider Threat: Lessons Learned from Actual Insider Attacks

The Insider Threat Center at CERT, which has been researching insider threats since 2001, has built an extensive library and comprehensive database containing more than 700 actual cases of insider cyber crimes. This presentation will describe findings from our analysis of three primary types of insider cyber crimes: IT sabotage, theft of information, and fraud. All CERT insider threat research focuses on both the technical and behavioral aspects of actual compromises.

01/26/2012

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

This book describes CERT’s findings in practical terms, offering specific guidance and countermeasures that can be immediately applied by senior officials within any organization.

01/20/2012

Spotlight On: Malicious Insiders and Organized Crime Activity

This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why.

12/30/2011

A Closer Look at 804: A Summary of Considerations for DoD Program Managers

The information in this report is intended to help program managers reason about actions they may need to take to adapt and comply with the Section 804 NDAA for 2010 and associated guidance.

12/21/2011

Using Defined Processes as a Context for Resilience Measures

This technical note, which builds on two previous reports, describes how implementation-level processes can provide the necessary context for identifying and defining measures of operational resilience.

10/31/2011

Agile Methods: Selected DoD Management and Acquisition Concerns

This technical note addresses some of the key issues that either must be understood to ease the adoption of Agile or are seen as potential barriers to adoption of Agile in the DoD acquisition context.

10/11/2011

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

This technical note presents an insider threat pattern on how organizations can combat insider theft of intellectual property. The technical note describes how to use the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.

10/05/2011

An Acquisition Perspective on Product Evaluation

This technical note focuses on software acquisition and development practices related to the evaluation of products before, during, and after implementation. From engagements with numerous DoD acquisition programs, it has been observed that a number of recurring issues reduce the effectiveness of how software-reliant products are evaluated. An acquisition effort consists of identifying the customer’s needs, selecting or developing a product that is responsive to those needs, and then evaluating the product to determine if it properly addresses the identified needs. This technical note describes the Product Evaluation (verification, validation, and certification) process including test, reviews, and formal methods. It also makes the argument that Product Evaluation should not be deferred until after a product has been built, but should begin as soon as the customer’s needs have been identified and should continue throughout the acquisition effort

09/30/2011

2010 CERT Research Report

The CERT Research Report highlights our accomplishments and activities in successfully executing our research strategy.

09/16/2011

The CERT Oracle Secure Coding Standard for Java

This book is the first comprehensive compilation of code-level requirements for building secure systems in JAVA. Organized by CERT’s software security experts, it covers every facet of secure software coding with Java 7 SE and Java 6 SE.

08/10/2011

Keeping Your Family Safe in a Highly Connected World

Because of the anonymity provided by networked devices, our families are more likely to be attacked, be victims of theft, be subjected to inappropriate people or materials, or become involved unknowingly in illegal activities over a networked device than they are in person. This document discusses various dangers to be aware of and safeguards to reduce the risk of these dangers.

07/26/2011

Measures for Managing Operational Resilience

In this report, Resilient Enterprise Management (REM) team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT® Resilience Management Model, Version 1.1 (CERT®-RMM).

07/20/2011

A Decision Framework for Selecting Licensing Rights for Noncommercial Computer Software in the DoD Environment

This report describes standard noncommercial software licensing alternatives as defined by U.S. government and Department of Defense (DoD) regulations. It also suggests an approach for objectively identifying agency needs for license rights and the appropriate license type for systems with noncommercial computer software or as standalone software in the DoD environment.

06/02/2011

A Preliminary Model of Insider Theft of Intellectual Property

This report presents research about insider theft of intellectual property.

04/29/2011

Trusted Computing in Embedded Systems Workshop

This report describes the November 2010 Trusted Computing in Embedded Systems Workshop held at Carnegie Mellon University.

04/21/2011

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0

This document, first in the Best Practices for National Cyber Security series, provides information that interested organizations and governments can use to develop a national incident management capability.

03/31/2011

Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi

This report, the third volume in the Software Assurance Curriculum Project sponsored by the U.S. Department of Homeland Security, provides sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum.

03/24/2011

Application of the CERT® Resilience Management Model at Lockheed Martin

Presented at SEPG North America 2011 on Thursday, March 24

03/24/2011

Using CERT-RMM in a Software and System Assurance Context

Presented at SEPG North America 2011 on Thursday, March 24

02/28/2011

A Framework for Evaluating Common Operating Environments: Piloting, Lessons Learned, and Opportunities

This report explores the interdependencies among common language, business goals, and soft-ware architecture as the basis for a common framework for conducting evaluations of software technical solutions.

02/25/2011

Function Extraction (FX) Research for Computation of Software Behavior: 2010 Development and Application of Semantic Reduction Theorems for Behavior Analysis

This 2011 report presents the findings of an SEI study that have been implemented in a system for malware analysis and improved capabilities for behavior computation in other applications.

02/18/2011

An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases

This report provides an overview of techniques employed by malicious insiders to steal intellectual property, including the types of assets targeted and the methods used to remove the information from a victim organization’s control. The report closes with a brief discussion of mitigating factors and strategic items that an organization should consider when defending against insider attacks on intellectual property.

02/08/2011

Network Monitoring for Web-Based Threats

This report provides detection and prevention methods to counter an approach that a focused attacker would need to take in order to breach an organization through web-based protocols.

01/17/2011

Trust and Trusted Computing Platforms

This technical note examines the Trusted Platform Module, which arose from work related to the Independent Research and Development project "Trusted Computing in Extreme Adversarial Environments: Using Trusted Hardware as a Foundation for Cyber Security."

01/14/2011

Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data

This 2011 report seeks to demonstrate how a method for modeling previous insider crimes can create informed candidate technical controls and indicators.

01/03/2011

Software Supply Chain Risk Management: From Products to Systems of Systems

This 2010 report considers current practices in software supply chain analysis and suggests foundational practices that can reduce risk in the supply chain.

12/28/2010

Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems

The Source Code Analysis Laboratory (SCALe) tests software applications for conformance to one of the CERT® secure coding standards. Though SCALe can be used in various capacities, it is particularly significant for conformance testing of energy delivery systems because of their critical importance.

12/28/2010

A Taxonomy of Operational Cyber Security Risks

This report presents a taxonomy of operational cyber security risks. This report discusses the harmonization of the taxonomy with other risk and security activities.

12/17/2010

Beyond Technology Readiness Levels for Software: U.S. Army Workshop Report

This report synthesizes presentations, discussions, and outcomes from the "Beyond Technology Readiness Levels for Software" workshop from August 2010.

11/12/2010

CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience

This book presents best practices for managing the security and survivability of people, information, technology, and facilities. It integrates these into a unified CMM that encompasses security, business continuity, and IT operations.

11/11/2010

Strategic Planning with Critical Success Factors and Future Scenarios: An Integrated Strategic Planning Framework

This report explores the value of enhancing typical strategic planning techniques with the CSF method and scenario planning.

10/05/2010

Securing Information in the Health-Care Industry: Network Security, Incident Management, and Insider Threat

In this webinar Greg Porter and Randy Trzeciak, discuss the effects of the new regulations on the health-care industry and some of the essential elements that healthcare technology executives should consider in order to secure patient information and systems from external threats. As well as, the increasing risks of insider threat within organizations, the key factors influencing an insider's decision to act, the technical and non-technical indicators and precursors of malicious acts, and the countermeasures that could improve the survivability and resiliency of the organization. (1 hr:31 mins)

09/30/2010

Success in Acquisition: Using Archetypes to Beat the Odds

This report describes key elements in systems thinking, provides an introduction to general systems archetypes, and applies these concepts to the software acquisition domain.

09/30/2010

Program Executive Officer Aviation, Major Milestone Reviews: Lessons Learned Report

This report documents ideas and recommendations for improving the overall acquisition process and presents the actions taken by project managers in several programs to develop, staff, and obtain approval for their systems.

09/30/2010

Suggestions for Documenting SOA-Based Systems

This report provides suggestions for documenting service-oriented architecture-based systems based on the Views & Beyond (V&B) software documentation approach.

09/29/2010

Measuring Operational Resilience Using the CERT Resilience Management Model

This 2010 report begins a dialogue and establishes a foundation for measuring and analyzing operational resilience.

09/22/2010

Securing Information in the Health-Care Industry: Network Security, Incident Management, and Insider Threat (Webinar)

Greg Porter and Randy Trzeciak provide some essential elements that healthcare technology executives should consider in order to secure patient information and systems from external threats.

08/31/2010

Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum

This report contains a master of software assurance curriculum that educational institutions can use to create a degree program or track.

08/31/2010

Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines

This report focuses on an undergraduate curriculum specialization for software assurance.

08/18/2010

Risk Management Framework

This report details a framework that documents best practices for risk management and an approach for evaluating a program’s risk management practice in relation to this framework.

07/30/2010

Adapting the SQUARE Process for Privacy Requirements Engineering

This 2010 report explores how the SQUARE process can be adapted for privacy requirements engineering in software development.

07/28/2010

Transforming Your Operational Resilience Management Capabilities: CERT’s Resilience Management Model (Webinar)

Rich Caralli, architect of CERT’s Resilience Management Model (CERT RMM), will describe how an organization can use the RMM to transform its operational resilience.

06/30/2010

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability

This document -- first in the Best Practices for National Cyber Security Series - provides insight that interested organizations and governments can use to begin to develop a national incident management capability.

06/17/2010

Considerations for Using Agile in DoD Acquisition

This 2010 report explores the questions: Can Agile be used in the DoD environment? If so, how?

06/16/2010

Securing Global Software Supply Chains

This webinar will discuss an ongoing SEI effort to develop an approach for assessing software supply chains and identifying the associated software assurance risks. (48 mins)

06/07/2010

Data Rights for Proprietary Software Used in DoD Programs

This report examines how data rights issues were addressed in the TSAT program, reviews additional concerns posed by the use of commercial software in the TSAT program’s Space Segment, and reviews data rights concerns for software incorporated in the GPS program.

06/07/2010

Java Concurrency Guidelines

The CERT Oracle Secure Coding Standard for Java provides guidelines for secure coding in the Java programming language. This report documents the portion of those Java guidelines that are related to concurrency.

06/04/2010

Specifications for Managed Strings, Second Edition

This report describes a managed string library for the C programming language.

06/01/2010

Survivability Analysis Framework

Description of a framework (Survivability Analysis Framework) used to examine the elements of an operational process and evaluate the survivability and effectiveness of the linkage among roles, dependencies, constraints, and risks to achieve critical operational capabilities.

05/25/2010

The Illusion of Certainty - Paper

In this 2010 paper, Grady Campbell - delivered at the 7th Acquisition Research Symposium - argues that a new approach to acquisition is needed that recognizes that hiding uncertainty is detrimental to success.

05/25/2010

The Illusion of Certainty - Presentation

presentation given at the 7th Annual Acquisition Research SymposiumNaval Postgraduate School, Monterey, CA, May 2010

05/21/2010

CERT Resilience Management Model, Version 1.0

This report presents the CERT-RMM, an approach to managing operational resilience in complex, risk-evolving environments.

05/20/2010

Identifying Anomalous Port-Specific Network Behavior

A method for identifying network behavior that my be a sign of coming internet-wide attacks is presented.

05/04/2010

QUality Assessment of System Architectures and their Requirements (QUASAR) (SoSECIE 2010)

one hour overview presented as a DoD and NDIA System-of-Systems Engineering Collaborator’s Information Exchange (SoSECIE) Webinar on May 18, 2010

05/04/2010

Keynote: Engineering Safety-and Security-Related Requirements for Software-Intensive Systems (ICSE 2010)

Keynote presentation by Donald Firesmith at SESS’10, as part of the 32nd ACM/IEEE International Conference on Software Engineering (ISCE’2010) in Cape Town, South Africa.

05/04/2010

Engineering Safety- and Security-Related Requirements for Software-Intensive Systems (ICSE 2010)

presentation given at the 22nd Annual Systems and Software Technology Conference (SSTC 2010) in Salt Lake City, Utah on April 26-29, 2010.

05/04/2010

Engineering Safety-and Security-Related Requirements for Software-Intensive Systems (ICSE 2010)

presentation given at the 32nd International Conference on Software Engineering 4 May 2010

04/30/2010

We Have All Been Here Before: Recurring Patterns Across 12 U.S. Air Force Acquisition Programs

presentation given by William Novak and Ray Williams at the 2010 Systems and Software Technology Conference (SSTC) on April 29, 2010

04/30/2010

Status of Ongoing Work in Software TRAs/TRLs

In this 2010 presentation, Michael Bandor and Suzanne Garcia-Miller focus on software issues and shortfalls observed during the DoD Technology Readiness Assessment (TRA) processes.

04/30/2010

Characterizing Technical Software Performance Within System of Systems Acquisitions: A Step-Wise Methodology

Bryce Meyer and James Wessel provide a 10-step method for planning/assessing software performance, allowing for respective improvement of architecture and test processes.

04/30/2010

Measurement That Works -- Really!

James Wessel focuses on software measurement practices that Army acquisition organizations find useful for software issue identification, tracking, and active control of programs.

04/30/2010

Why Is R&D in the Cyber and Software Engineering Environment Different? (SSTC 2010)

Terry Roberts addresses why R&D in cyber and software engineering is different, how to research the federal lab landscape for opportunities, and how focus our R&D initiatives.

04/06/2010

Selecting Middleware Technologies

presentation made by Patricia Oberndorf Thomas Merendino, & Soumya Simanta at the at the Systems and Software Technology Conference, Salt Lake City, UT, April 26, 2010

04/06/2010

Open Systems: What’s Old Is New Again

presentation made by Patricia Oberndorf & Carol Sledge at the Systems and Software Technology Conference, Salt Lake City, UT, April 27, 2010

04/06/2010

Evolution of a Software Engineer in a SoS System Engineering World

This presentation was given by Patricia Oberndorf and Carol A. Sledge of the Software Engineering Institute (SEI) on April 6, 2010 at the IEEE Systems Conference in San Diego, CA.

01/18/2010

Acquisition Archetype: Shooting the Messenger

When problems are detected in programs, everyone needs to listen and work together towards a solution. Shooting the messenger only delays the process, and hurts program morale.

12/31/2009

Generalized Criteria and Evaluation Method for Center of Excellence: A Preliminary Report

Criteria and standards to certify an organization as a COE are presented in this Carnegie Mellon Software Engineering Institute preliminary report.

11/17/2009

Evaluating Artifact Quality from an Appraisal Perspective

This report explores the lack of agreement among SCAMPI Lead Appraisers about what “artifact quality” means in the SCAMPI process context.

11/17/2009

Evaluating Process Quality from an Appraisal Perspective

This report explores the lack of agreement among SCAMPI Lead Appraisers about what “process quality” means in the SCAMPI process context.

10/26/2009

Rethinking Risk Management Tutorial

Presented at the NDIA Systems Engineering Conference 2009 by Audrey Dorofee and Christopher Alberts.

10/15/2009

Acquisition Archetypes: Brooks' Law

This April 2009 whitepaper focuses on the problems of underspending, which can result in funds being shifted from one acquisition program to another.

10/15/2009

Acquisition Archetypes: Happy Path Testing

When time and budget are tight, it's tempting to follow the "happy path" in testing. But be careful: it may be a path that brings your program great unhappiness.

09/30/2009

Lessons Learned from a Large, Multi-Segment, Software-Intensive System

This 2009 report contains a series of observations and their associated lessons learned from a large, multi-segment, software-intensive system.

08/13/2009

Secure Coding

Led by Robert Seacord, the Secure Coding Initiative (SCI) within CERT works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before software becomes operational. SCI is developing secure coding standards for commonly used programming languages such as C, C++, and Java. These standards can be used to improve and assess the security and overall quality of software through training, automated analysis, code review, and other processes. (59 mins)

06/30/2009

Incremental Development in Large-Scale Systems: Finding the Programmatic IEDs

This paper explores how continued use of the acquisition roadmaps opens up the potential for running into program pitfalls (programmatic IEDs) that aren’t acknowledged on the map at hand.

06/01/2009

Measurement for Improvement: Successful Measurement Practices Used in Army Software Acquisition

This report summarizes the findings of a study conducted for the Army to find and describe software measurement practices that are being used successfully.

06/01/2009

Incorporating Software Requirements into the System RFP: Survey of RFP Language for Software by Topic, v. 2.0

The 2009 report defines and communicates software engineering and management events necessary to support the successful acquisition of software-intensive systems.

04/24/2009

A Technical Overview of Risk and Opportunity Management

A technical overview of systemic risk and opportunity management for distributed environments.

04/23/2009

Acquisition Archetypes: Robbing Peter to Pay Paul

This April 2009 whitepaper is one in a short series of acquisition failures. This paper focuses on the problems of underspending, which can result in funds being shifted from one program to another.

04/23/2009

Acquisition Archetypes: Longer Begets Bigger

Planning for a long development period doesn't always solve acquisition scheduling problems. Sometimes it makes them worse.

04/20/2009

MFESA One-Day Tutorial SSTC 2009

Donald Firesmith of the SEI presented a one-day tutorial in the Method Framework for Engineering Systems Architectures (MFESA) at the 2009 SSTC in April 2009.

03/24/2009

Acquisition Process Improvement in Stealth Mode: is It IDEAL?

This presentation was given by Joe Wickless of the Software Engineering Institute (SEI) in March 2010 at SEPG North America 2009, held in San Jose, CA.

03/23/2009

Tutorial: The Method-Framework for Engineering System Architectures (MFESA)

Tutorial: The Method-Framework for Engineering System Architectures (MFESA). Delivered by Donald Firesmith at the IEEE International Systems Conference, March 23-26, 2009.

03/23/2009

An Innovative Requirements Solution: Combining Six Sigma KJ Language Data Analysis With Automated Content Analysis

This March 2009 presentation, An Innovative Requirements Solution, was presented by Ira Monarch, Dennis Goldenson, and Robert W. Stoddard at SEPG North America 2009.

03/23/2009

Method Framework for Engineering System Architecture

This brief tutorial of the Method Framework for Engineering System Architecture was delivered in March 2009 at the IEEE International Systems Conference by Donald Firesmith.

03/23/2009

New Directions in Risk: A Success-Oriented Approach (2009)

presented in San Jose, California, at the 21st Annual SEPG North America 2009 conference March 23-26, 2009

03/06/2009

Acquisition Archetypes: Everything for Everybody

When projects attempt to please too many customers, complexity mounts, schedules slip, costs expand ... and no one is happy.

03/01/2009

Secure Design Patterns

This 2009 SEI report describes a set of secure design patterns, which are meant to eliminate the accidental insertion of vulnerabilities into code.

01/01/2009

High-Fidelity E-Learning: The SEI's Virtual Training Environment (VTE)

This 2009 document describes the tenets of high-fidelity e-learning, describes how VTE reflects these, and summarizes how organizations have used and are using VTE.

12/10/2008

The Method Framework for Engineering System Architectures (MFESA)

A tutorial on the Method Framework for Engineering System Architectures (MFESA) delivered at ICSSEA 2008 on December 10, 2008.

12/01/2008

Survey of Systems Engineering Effectiveness - Initial Results, A

This survey quantifies the relationship between the application of Systems Engineering (SE) best practices to projects and programs, and the performance of those projects and programs.

11/15/2008

Process Improvement and CMMI: Developing Complex Systems Using CCMI to Achieve Effective Systems and Software Engineering Integration

Presentation by Kenneth Nidiffer, Director of Strategic Plans for Government Programs (SEI), from the 8th Annual CMMI Technology Conference and User Group, November 2008.

11/12/2008

The Last Phase of Process Change - Deployment

A presentation made by Rick Barbour and Barbara Tyson at the 8th Annual CMMI Technology and Users Conference in November 2008. The Last Phase of Process Change - Deployment

10/18/2008

How Future Trends in Systems and Software Engineering Bode Well for Enabling Improved Acquisition and Performance of Defense Systems

Kenneth Nidiffer delivered this presentation at the 11th Annual Systems Engineering Conference in October 2008.

10/14/2008

CERT C Secure Coding Standard

This book documents the first official release of the CERT C Secure Coding Standard, which itemizes those coding errors that are the root causes of software vulnerabilities in C.

10/10/2008

Principles in a DoD Acquisition Principles in a DoD Acquisition

Presented: October 2008

09/22/2008

Acquisition Archetypes: Staff Burnout and Turnover

Applying more pressure on staff can temporarily increase productivity, but burnout soon sets in.

09/22/2008

Acquisition Archetypes: Underbidding the Contract

From the Acquisition Support Program, one in a series of short papers on acquisition patterns of failure. Acquisition Archetype: Underbidding the Contract

09/08/2008

Renewing the Product Line Vision

Renewing the Product Line Vision was presented by Brady Campbell (SEI) at the 12th International Software Product Line Conference in September 2008.

08/01/2008

Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments

The purpose of this 2008 document is to preview a core set of activities and outputs that define a MAAP assessment.

06/11/2008

Podcast: Becoming A Smart Buyer of Software

In this podcast, Brian Gallagher, former director of the Acquisition Support Program at the SEI, discusses what business leaders need to know when acquiring or purchasing software, along with implications for security.

06/04/2008

Future Trends in Systems and Software Engineering

presentation from the Second Annual Systems Engineering Conference of the National Reconnaissance Office on June 4, 2008

06/01/2008

Building More Secure Software

Building More Secure Software

06/01/2008

Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools

This report describes a study to evaluate the efficacy of the CERT Secure Coding Standards and source code analysis tools in improving the quality and security of commercial software projects.

05/01/2008

Software Security Engineering: A Guide for Project Managers

With this book, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and its operation.

05/01/2008

Incorporating Security Quality Requirements Engineering (SQUARE) into Standard Life-Cycle Models

This 2008 report describes how SQUARE can be incorporated in standard life-cycle models for security-critical projects.

05/01/2008

Survivability Assurance for System of Systems

An SEI team built an analysis framework to evaluate the quality of the linkage among roles, dependencies, constraints, and risks for critical technology capabilities in the face of change. This report outlines the team's progress.

05/01/2008

The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures

04/08/2008

Identifying Acquisition Patterns of Failure Using System Archetypes

This presentation was given by Linda Levine and Bill Novak of the SEI’s Acquisition Support Program at the IEEE Systems Conference in April 2008.

03/17/2008

Using the Mission Diagnostic: Lessons Learned (2008)

presented at SEPG 2008, March 17-20, 2008 Tampa, Florida

03/12/2008

The Method-Framework for Engineering Systems Architectures (MFESA)

Presented by Don Firesmith on March 12, 2008

03/10/2008

Acquisition Archetypes: Firefighting

All hands on deck helps put out the immediate blazes threatening projects, but falling into a routine of constant firefighting is not the way to guide a project across the finish line.

03/04/2008

Acquisition Archetypes: PMO versus Contractor Hostility

Everyone intends the best in project-driven marriages of PMOs and contractors, but good intentions can't overcome the hostility generated by loss of trust and squabbles in poorly developed relationships.

03/04/2008

Acquisition Archetypes: Feeding the Sacred Cow

Some programs take on a life of their own--privileged, and woven into an organization's existence. But when "sacred cow" projects begin to go wrong, that privilege and protection makes fixing them even more difficult.

03/01/2008

Cyber Attack Scenarios Test Responses

Cyber Attack Scenarios Test Responses

03/01/2008

Lessons Learned Applying the Mission Diagnostic

This technical note describes the adaptation of the Mission Diagnostic (MD) necessary for a customer and the lessons we learned from its use.

03/01/2008

Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success

This 2008 document describes the core set of activities and outputs that defines mission diagnostic protocol (MDP).

03/01/2008

Incident Management Mission Diagnostic Method, Version 1.0

This 2008 report provides a quick evaluation of the potential for success of an organization’s computer security or cyber-security incident management capability (IMC).

02/01/2008

Tackling the Growing Botnet Threat

Tackling the Growing Botnet Threat

12/01/2007

Software-Intensive Systems Producibility: A Vision and Roadmap (v 0.1)

This 2007 document is a draft in progress of a technology vision and roadmap to improve the ability of the DoD and industry to deliver needed SiS capability in a timely, cost-effective, and predictable manner.

11/01/2007

A Survey of Systems Engineering Effectiveness: Initial Results

This survey quantifies the relationship between the application of systems engineering best practices to projects and the performance of those projects.

10/25/2007

Acquisition Archetypes: The Bow Wave Effect

From the Acquisition Support Program, one in a series of short papers on acquisition patterns of failure.

10/01/2007

COTS and Reusable Software Management Planning: A Template for Life-Cycle Management

This 2007 report presents a COTS and Reusable Software Management Plan that can serve as a guide for how to manage multiple COTS and other reusable software components in complex systems.

09/01/2007

Governing for Enterprise Security (GES) Implementation Guide

This 2007 implementation guide, geared toward senior leaders, provides prescriptive guidance for creating and sustaining an enterprise security governance program.

09/01/2007

How To Compare the Security Quality Requirements Engineering (SQUARE) Method with Other Methods

This 2007 report describes SQUARE, and outlines other methods used for identifying security requirements and compares them with SQUARE.

09/01/2007

Process Improvement Should Link to Security: SEPG 2007 Security Track Recap

This document summarizes the content shared at the 2007 SEPG conference and identifies several subsequent steps underway toward strengthening those ties.

09/01/2007

Ranged Integers for the C Programming Language

This 2007 report describes an extension to the C programming language to introduce the notion of ranged integers, that is, integer types with a defined range of values.

06/01/2007

Survivability Challenges for Systems of Systems

Survivability Challenges for Systems of Systems

05/31/2007

Engineering Safety- and Security-Related Requirement for Software-Intensive Systems

Full day tutorial presented in May 2007

05/01/2007

OCTAVE Allegro Speeds Up the Risk Assessment Process

OCTAVE Allegro Speeds Up the Risk Assessment Process

05/01/2007

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

This 2007 report highlights the design considerations and requirements for OCTAVE Allegro based on field experience with existing OCTAVE methods.

05/01/2007

Incident Management Capability Metrics Version 0.1

This document presents metrics to provide a baseline or benchmark of incident management practices.

05/01/2007

Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes

This report explores the transformation of the disciplines of security and business continuity into processes designed to support and sustain operational resiliency.

04/01/2007

Computer Forensics for Business Leaders: A Primer

Computer Forensics for Business Leaders: A Primer

03/15/2007

Assuring Mission Success in Complex Settings

Presented: March 2007

03/01/2007

Executive Overview of SEI MOSAIC: Managing for Success Using a Risk-Based Approach

This 2007 report provides an overview of the concepts and foundations of MOSAIC, a suite of advanced, risk-based analysis methods for assessing complex, distributed programs, processes, and information-technology systems.

03/01/2007

Modeling and Analysis of Information Technology Change and Access Controls in the Business Context

This report presents an overview of CERT progress in developing a system dynamics model of organizations’ typical use of change and access controls to support IT operations.

03/01/2007

Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks

This 2006 report describes the MERIT insider threat model and simulation results.

03/01/2007

Global Information Grid Survivability: Four Studies

Four studies from 2006 that explore an issue relevant to the survivability of networks which are systems of systems.

02/27/2007

Engineering Safety- and Security-Related Requirements for Software-Intensive Systems

presentation given at the 6th IEEE International Conference on COTS-Based Software Systems (ICCBSS) 2007, Alberta, Canada (February-March 2007)

02/01/2007

Protecting Against Insider Threat

Protecting Against Insider Threat

12/01/2006

Technology Foundations for Computational Evaluation of Software Security Attributes

10/27/2006

Tutorial: Quality Assessment Of System Architectures and Their Requirements (QUASAR)

A tutorial presented by Donald Firesmith at the 9th Annual Systems Engineering Conference, October 23-27, 2006, in San Diego, California.

10/26/2006

Quality Assessment of System Architectures that their Requirements (QUASAR) Version 3.0

Presentation by Donald Firesmith (SEI) on QUASAR, V3.0 (February 2008).

10/26/2006

Getting Program Decision- Makers to Use and be Part of Risk Management Process

presentation made at International Council on Systems Engineering (INCOSE) 2007, San Diego, June 24-29, 2007

10/26/2006

Quality Assessment of System Architectures and Their Requirements

Presented: March 2007

10/26/2006

Process and Procedure Definition: A Primer

Presented: March 2007

10/26/2006

Software-Intensive Systems Producibility

Presented: May 2006

10/26/2006

Acquisition Support: Helping Programs Succeed (2008)

Presentation by Brian Gallagher, Director, Acquisition Support Program (SEI) on acquisition support. Provides a number of real-world examples relevant to the defense industry.

10/26/2006

SCAMPI-B for Contract Monitoring

Presented: March 2007

10/26/2006

Identifying Acquisition Patterns of Failure Using Systems Archetypes

Presentation by Brian Gallagher which discusses acquisition archetypes and how they can be used to detect acquisition problems in an organization (April 2008).

10/26/2006

Using a Service Oriented Approach in TSAT

Presentation by Neal London, Dr. Carl Sunshine, and Dr. Charles Hammons on using the TSAT approach to service identification, classification, and definition (October 2006).

10/26/2006

Engineering Safety- and Security-Related Requirements for Software-Intensive Systems (SEPG 2006)

Presented by Donald Firesmith at SEPG 2006.

10/26/2006

2nd International Off-the-Shelf Development Method Workshop Report

presentation given at the 6th IEEE International Conference on COTS-Based Software Systems (ICCBSS) 2007, Alberta, Canada (February-March 2007)

10/26/2006

Specifying Initial Design Review and Final Design Review Criteria

Presented: October 2006

10/26/2006

CMMI for Acquisition Organizations: The Next Wave of Outsourcing SEPG 2006

presentation made at the SEPG 2006 symposium, March 6-9, 2006, Nashville, Tennessee

10/26/2006

Method Engineering using OPFRO

Presented: June 2006

10/26/2006

Model-Based Improvement

Presented: September 2007

10/26/2006

CMMI: The DoD Perspective

Presented: October 2006

10/26/2006

Acquisition Support: Helping Programs Succeed

In this 2007 presentation, Brian Gallagher discusses the state of acquisition support and offers advice for better implementing acquisition support programs in an organization.

10/26/2006

Software Engineering Institute Acquisition Support Program Architecture Product Update

Peter Capell (SEI) discusses QUASAR, a method of assessing system architecture, and MFESA, a method framework that enables the development of system-specific architecture (2008).

10/26/2006

Applying CMMI, Software Architecture Principles, and Process Improvement in a DoD Acquisition

presentation given at the 2007 SEPG Conference, March 2007, Austin, Texas

10/26/2006

Architectural Aspects of Long-Lived Ground Systems

This SEI presentation – “Using System Archetypes to Identify Failure Patterns in Acquisition” – was delivered by Diane Gibson, Linda Levine, and William E. Novak on May 2, 2006.

09/01/2006

Defense-in-Depth: Foundations for Secure and Resilient Enterprises

Materials from the 2006 Defense-in-Depth Foundational Curriculum course are useful for system administrators and IT security personnel who would like to step up to the management level.

09/01/2006

Quantitative Methods for Software Selection and Evaluation

This 2006 report describes methods for selecting candidate commercial off-the-shelf packages for further evaluation, possible methods for evaluation, and other factors besides requirements to be considered.

09/01/2006

Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks

This 2006 report contains an example that illustrates the critical importance of recognizing the need for evolutionary design changes in secure and survivable systems.

08/01/2006

Risk Management Considerations for Interoperable Acquisition

This report addresses interoperable risk management: the interoperability of organizations that engage in risk management in the context of a system of systems.

08/01/2006

Techniques for Developing an Acquisition Strategy by Profiling Software Risks

07/01/2006

QUASAR: A Method for the Quality Assessment of Software-Intensive System Architectures

This 2006 handbook documents the QUASAR (QUality Assessment of System ARchitectures) method for assessing the quality of the architecture of a software-intensive system.

07/01/2006

CERT Launches Secure Coding Standards Web Site

CERT Launches Secure Coding Standards Web Site

06/13/2006

The Adventures of Ricky and Stick

This book isn't an official guide to best practice, and it certainly isn't a textbook. But in a kind of off-beat way, it's an entertaining yet insightful look at some of the things that can really happen in software acquisition.

06/01/2006

Specifying Initial Design Review (IDR) and Final Design Review (FDR) Criteria

This 2006 report presents definitions of IDR and FDR, their context in the acquisition life cycle, a comparison of engineering emphasis during IDR and FDR, IDR and FDR pre- and post-conditions, and IDR and FDR criteria and how to apply it.

05/31/2006

Use of CMMI in Acquisition Environments (2006)

presentation delivered at the Systems & Software Technology Conference (SSTC): Transforming: Business, Security, Warfighting, in Salt Lake City, Utah, 1-4 May 2006

05/31/2006

Integrating Warfighter-Driven System-of-Systems Integration Into the Acquisition Life Cycle

presentation delivered at the Systems & Software Technology Conference (SSTC): Transforming: Business, Security, Warfighting, in Salt Lake City, Utah, 1-4 May 2006

05/31/2006

Transformation of a Software Development Organization Using Software Acquisition Practices: A Case Study

presentation delivered at the Systems & Software Technology Conference (SSTC): Transforming: Business, Security, Warfighting, in Salt Lake City, Utah, 1-4 May 2006

05/01/2006

Specifications for Managed Strings

Specifications for Managed Strings

05/01/2006

Sustaining Software-Intensive Systems

This report, published in 2006, discusses questions about sustaining new and legacy systems; the report presents definitions, related issues, future considerations, and recommendations for sustaining software-intensive systems.

05/01/2006

Applying OCTAVE: Practitioners Report

This document describes how the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method has been used and tailored to fit a wide range of organizational risk assessment needs.

05/01/2006

The ROI of Security

Security Matters [2006 | 05]

05/01/2006

Meet Ricky & Stick

Meet Ricky & Stick

04/01/2006

Common Elements of Risk

This 2006 report explores the questions, "What constitutes risk?" and "What factors put operational missions at risk?"

04/01/2006

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management

This report, published in 2006, describes the fundamental elements and benefits of a process approach to security and operational resiliency and provides a notional view of a framework for process improvement.

04/01/2006

Detecting Scans at the ISP Level

This 2006 report presents an approach to detecting scans against, or passing through, very large networks.

03/09/2006

Acquisition Support Program Overview

In this 2006 presentation, Brian Gallagher, Director of the Software Engineering Institute’s (SEI) Acquisition Support Program (ASP) provides an overview of the ASP.

03/06/2006

Tailoring and Combining the CMMI-ACQ and Quality Models to Improve the Military’s Requirements Process

Presented: March 2006

03/06/2006

SCAMPI Lessons Learned from Experiences in the Field

Presented: March 2006

03/06/2006

Project Management by Functional Capability

Presented: March 2006

03/06/2006

Introduction the CMMI Acquisition Module: Background

Presented: March 2006

03/06/2006

Introduction the CMMI Acquisition Module: Project Management

Presented: March 2006

03/06/2006

Introduction the CMMI Acquisition Module: Engineering

Presented: March 2006

03/06/2006

Introduction the CMMI Acquisition Module: Support

Presented: March 2006

03/06/2006

Introduction the CMMI Acquisition Module: Generic Practices

Presented: March 2006

03/06/2006

Introduction the CMMI Acquisition Module: Using CMMI Acquisition

Presented: March 2006

03/06/2006

Introduction the CMMI Acquisition Module: Conclusion

Presented: March 2006

03/06/2006

CMMI Version 1.2 and Beyond

Presented: March 2006

03/01/2006

Engineering Safety-Related Requirements for Software-Intensive Systems

Presented: March 2006

03/01/2006

Initiative Advocates Building Security In from the Start

Initiative Advocates Building Security In from the Start

03/01/2006

Toward Measures for Software Architectures

This report describes the results of a preliminary investigation into measures for software architecture.

02/01/2006

New CERT “Virtual Training Environment” Provides Online Information Security Education

New CERT “Virtual Training Environment” Provides Online Information Security Education

02/01/2006

How Much Security Is Enough?

How Much Security Is Enough?

12/01/2005

Software Acquisition Planning Guidelines

This 2005 handbook presents guidance for acquisition planning and strategy topics in a condensed form, and references the primary resources available for each topic.

12/01/2005

CERT Function Extraction Experiment: Quantifying FX Impact on Software Comprehension and Verification, The

This report describes the results of a controlled experiment that was performed to compare traditional manual methods of comprehension with automated behavior computation using an FX prototype.

11/17/2005

Process In Execution Review (PIER) and the SCAMPI B Method

Presented: November 2005

11/01/2005

Software Outsourcing with CMMI

Presented: November 2005

11/01/2005

Security Quality Requirements Engineering

This 2005 report presents the Security Quality Requirements (SQUARE) Methodology for eliciting and prioritizing security requirements in software development projects

11/01/2005

U.S. Army Acquisition: The Program Office Perspective

10/01/2005

Software Vulnerabilities in Java

This report briefly describes these potential software vulnerabilities in Java version 5.

09/12/2005

Using the OPEN Process Framework to Produce a Situation-Specific Requirements Engineering Method

The OPEN Process Framework (or OPF) is an appropriate focused requirements engineering method (REM) that facilitates the search for a mechanism that will support the flexible creation of a number of tailored REMs from a single base.

09/09/2005

Secure Coding in C and C++

This book identified a number of root causes for exploited software vulnerabilities and encourages programmers to adopt security best practices that can help prevent current and future attacks on vulnerable systems.

09/02/2005

Engineering Safety-Related Requirements for Software-Intensive Systems (September 2005)

Presented: September 2005

09/01/2005

Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments

This 2005 report presents the concepts and underlying theories behind the Mission Assurance Analysis Protocol (MAAP), highlights results from early piloting of the technique, and outlines future research directions.

09/01/2005

Integrated Diagnostics: Operational Missions, Diagnostic Types, Characteristics, and Capability Gaps

This 2005 report attempts to fill in these gaps in knowledge and experience by presenting an overview of the operational diagnostic life cycle of a system.

09/01/2005

A Taxonomy of Operational Risks

This report presents a taxonomy-based method for identifying and classifying risks to operational aspects of an enterprise.

09/01/2005

Building Information Assurance Educational Capacity: Pilot Efforts to Date

This report describes efforts by the SEI to increase the capacity of institutions of higher education to offer IA and IS courses, to expand existing IA and IS offerings, and to include IA and IS topics and perspectives in other courses.

07/01/2005

Impact of Function Extraction Technology on Next-Generation Software Engineering, The

This 2005 report summarizes FX research and development and investigates the impact of FX on software engineering.

07/01/2005

Designing for Reuse of Configurable Logic

This 2005 report provides an overview of a generic FPGA firmware design process and identifies the resulting work products that may be suitable for reuse in future development efforts.

06/01/2005

Governing for Enterprise Security

This 2005 report examines governance thinking, principles, and approaches and applies them to the subject of enterprise security.

06/01/2005

Information Asset Profiling

This 2005 report describes IAP, a documented and repeatable process for developing consistent asset profiles.

06/01/2005

Report on Annual Regional Information Assurance Symposia

06/01/2005

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector

This 2004 report outlines the ITS, a study of insider incidents to examine actual cases identified through public reporting or as a computer fraud case investigated by the Secret Service.

05/21/2005

Achieving Quality Requirements with Reused Software Components: Challenges to Successful Reuse

In this MPEC 2005 presentation, Donald Firesmith of the Software Engineering Institute (SEI) discusses how to achieve quality requirements with reusable software.

05/11/2005

Reflections on Software Agility and Agile Methods: Challenges, Dilemmas, & the Way Ahead

Presented: May 2005

05/01/2005

Reflections on Software Agility and Agile Methods: Challenges, Dilemmas, and the Way Ahead

What are the drivers for the burgeoning interest in agile methods? Have these drivers stimulated a similar rethinking on other fronts? What have we discovered? In this 2005 paper, the author takes a reflective stance in order to look at these larger issues and patterns.

05/01/2005

A Taxonomy of Security-Related Requirements

This paper addresses the problems associated with a lack of a clear security taxonomy by identifying four different types of security-related requirements, providing them with clear definitions, and placing them within an organizing hierarchical taxonomy.

05/01/2005

Method Engineering and COTS Evaluation

This position paper argues that a successful COTS evaluation process should be based on the principles of method engineering (ME).

04/01/2005

Secure Coding in C and C++: C-Style Strings

Secure Coding in C and C++: C-Style Strings

04/01/2005

New CERT Course and Handbook Detail Electronic Detective Work

New CERT Course and Handbook Detail Electronic Detective Work

04/01/2005

Governing for Security: Protect Stakeholder Interests

Governing for Security: Protect Stakeholder Interests

04/01/2005

Robustness Testing of Software-Intensive Systems: Explanation and Guide

This 2005 technical note provides guidance and procedures for performing robustness testing as part of DoD or federal acquisition programs that have a software component.

03/01/2005

Shifting Perspective to Achieve and Sustain Enterprise Security

Shifting Perspective to Achieve and Sustain Enterprise Security

03/01/2005

Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements

This 2005 report documents the ways in which the organizational and project management environment for system development can support or reject improved quality requirements elicitation mechanisms.

03/01/2005

U.S. Army Acquisition: The Program Executive Officer Perspective

02/01/2005

Governing for Enterprise Security: Security is a Requirement of Being in Business

Governing for Enterprise Security: Security is a Requirement of Being in Business

02/01/2005

Software Acquisition Survival Skills: Helping the DoD and Government Program Offices Improve Acquisition of Software and Systems

Software Acquisition Survival Skills: Helping the DoD and Government Program Offices Improve Acquisition of Software and Systems

01/01/2005

Internet Denial of Service: Attack and Defense Mechanisms

Internet Denial of Service sheds light on a complex form of computer attack that impacts the confidentiality, integrity, and availability of millions of computers worldwide.

01/01/2005

Sustaining Software-Intensive Systems: A Conundrum

Presented: January 2005

01/01/2005

Diagnostic Software: What Your Developer Doesn't Know

Presented: January 2005

01/01/2005

A Method for Reasoning About an Acquisition Strategy

A presentation about software acquisition made in January 2005 by Mary Catherine Ward and Joseph P. Elm

01/01/2005

SSA's Journey to SW-CMM ML3 and Transition to CMMI

Presented: January 2005

01/01/2005

Surveying Systems Engineering Effectiveness

Presented: January 2005

01/01/2005

A Process-Oriented (Practical) Approach to Program Office Systems Engineering Management Using the CMMI-AM as a Guide

Presented: January 2005

01/01/2005

Samsung SDS' Experience Performing SCAMPI Class A with the People CMM

Presented: January 2005

01/01/2005

An Introduction to Governing for Enterprise Security

An Introduction to Governing for Enterprise Security

01/01/2005

University Hubs Help SEI Spread Information Assurance Curricula and Methods

University Hubs Help SEI Spread Information Assurance Curricula and Methods

01/01/2005

Enterprise Security Management: Refocusing Security’s Role

Enterprise Security Management: Refocusing Security’s Role

01/01/2005

OCTAVE-S Implementation Guide, Version 1

This 2004 report provides the detailed guidelines for conducting an OCTAVE-S evaluation.

01/01/2005

Structured Approach to Classifying Security Vulnerabilities, A

This 2005 report proposes a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities.

12/01/2004

Managing for Enterprise Security

This 2004 report itemizes characteristics of common approaches to security that limit effectiveness and success.

11/17/2004

Model - Appraisal Method Interactions

Presented: November 2004

11/17/2004

The SCAMPI Appraisal Method: Top Ten Myths (2004 Edition)

Presented: November 2004

11/01/2004

SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies

This 2004 report describes a general framework for hierarchical cost/benefit analysis aimed at providing acceptable estimations for small companies in their information security improvement projects.

10/01/2004

Defining Incident Management Processes for CSIRTs: A Work in Progress

This report presents a prototype best practice model for performing incident management processes and functions.

09/28/2004

A Taxonomy of Safety-Related Requirements

This paper describes a taxonomy of these different kinds of safety-related requirements, and clearly and briefly defines and describes each of the above categories of safety-related requirements.

09/01/2004

Roadmap of Risk Diagnostic Methods: Developing an Integrated View of Risk Identification and Analysis Techniques, A

09/01/2004

Risk Based Diagnostics

The SEI has constructed a tentative "roadmap" for personnel involved in the systems and software acquisition community. This report describes the characteristics that determine whether a risk diagnostic method qualifies for the roadmap.

07/01/2004

Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management, The

This report describes the critical success factor method and presents various theories and experience in applying it to enterprise security management.

05/26/2004

Networked Technologies: The Role of Networks in the Diffusion and Adoption of Software Process Improvement (SPI) Approaches

Social networks play a key role in the adoption and diffusion of software process improvement as a networked technology. This panel addressed actual examples of SPI networks and identified key characteristics of and roles in these emergent networks.

05/26/2004

Software Patents: Innovation or Litigation?

This paper summarizes the scope of patent protection in the European Union, the United States, and Japan. In doing so, it examines the patentability of computer software as inventions allowed under E.U. and U.S. patent law.

05/01/2004

Why Isn't Someone Coding Yet (WISCY)?

Presented: May 2004

05/01/2004

Survivable Functional Units: Balancing an Enterprise's Mission and Technology

This 2004 report describes a way to think about enterprise networks and is intended to aid system administrators so that they can more easily see how technology supports the enterprise’s mission.

03/01/2004

Benchmarking for Improvement in Army Acquisition

Benchmarking for Improvement in Army Acquisition

03/01/2004

Install and Use Those Anti-Virus Programs

Install and Use Those Anti-Virus Programs

03/01/2004

Army Strategic Software Improvement Program (ASSIP) Survey of Army Acquisition Managers

This report analyzes a survey that covered four areas of the acquisition system: the acquirer's environment, the developer's environment, communication between the acquirer and developer, and external factors that could affect the acquisition system.

03/01/2004

Advanced Information Assurance Handbook

This handbook helps technical staff members who are charged with administering and securing information systems and networks.

02/01/2004

CERT/CC Instrumental in National Security Effort

CERT/CC Instrumental in National Security Effort

02/01/2004

The Goal of Computer Security or What's Yours is Yours Until You Say Otherwise!

The Goal of Computer Security or What's Yours is Yours Until You Say Otherwise!

02/01/2004

Working with Small Manufacturing Enterprises: An Analysis of TIDE

This 2004 paper documents some of the challenges and risks facing programs or organizations trying to help small manufacturing enterprises (SMEs).

01/28/2004

Improving Acquisition through COTS Risk Identification

A presentation made during the 2004 SIS Conference: Improving Acquisition through COTS Risk Identification.

01/28/2004

Reconsidering the Role of Systems Engineering in DoD Software Problems

This 2004 presentation on reconsidering the role of systems engineering in DoD software problems was delivered by Grady Campell of the Software Engineering Institute (SEI).

01/28/2004

NAVAIR Software Acquisition Improvement

This 2004 presentation on Software Acquisition Process Improvement was delivered by Donald R. Beyron, Debra Borden (NAVAIR), Gerry Imai (STSC), and John Kennedy (MITRE).

01/28/2004

Acquisition Modeling: The Key to Managing Acquisition Complexity?

“Acquisition Modeling: The Key to Managing Acquisition Complexity?” was delivered at the 3rd OSD Conference on the Acquisition of Software-Intensive Systems in January 2004.

01/28/2004

Software Acquisition Best Practices 2004 Edition

This 2004 presentation was delivered at the 3rd OSD Conference on the Acquisition of Software Intensive Systems by Richard J. Adams and others of the Aerospace Corporation.

01/28/2004

Improving the Management of the Software Acquisition Process: a Methodological Approach in Automotive

Presented: January 2004

01/28/2004

Acquisition Pilot: The Application of OAR in a Lead System Integrator Context

Presented: January 2004

01/28/2004

Software Best Practices Clearinghouse

Presented: January 2004

01/28/2004

Software Acquisition Best Practices Workshop (January 2004)

Presented: January 2004

01/28/2004

Identifying Risks in Outsourcing Software-Intensive Projects

Presented: January 2004

01/28/2004

Improving Software Acquisition Processes: A Study of Real Project Costs

Presented: January 2004

01/28/2004

Software Reviews Since Acquisition Reform - The Artifact Perspective

Presented: January 2004

01/28/2004

A Best Practices Survey of the Rail Road Industry

A presentation in January 2004 to survey the U.S. railroad industry to benchmark best practices in the acquisition of software-intensive systems.

01/28/2004

Requirements for a Software Chief Engineer for a Weapons Systems Acquisition

Presented: January 2004

01/28/2004

Using the CMMI® in Acquisition Environments

Presented: January 2004

01/28/2004

Accelerating the Adoption of Improved Practices Using Acquisition Pilots

Presented: January 2004

01/28/2004

Air Force Software Intensive Systems Strategic Improvement Program (AFSSIP)

Presented: January 2004

01/28/2004

Why Not Network Centric Acquisition?

Presented: January 2004

01/28/2004

SOSI: System of Systems Interoperability

Presented: January 2004

01/28/2004

Integrated Architecture Development

Presented: January 2004

01/28/2004

Successful Acquisition of FAA Terminal Doppler Weather Radar

Presented: January 2004

01/28/2004

Systems, Networks and Information Integration Context for Software Assurance

Presented: January 2004

01/28/2004

Evolutionary Acquisition of the Future Combat Systems (FCS)

Presented: January 2004

01/28/2004

Defense Systems Systems Engineering

Presented: January 2004

01/28/2004

US/UK/AUS Trilateral Software Intensive Systems Acquisition Improvement Group (SISAIG)

Presented: January 2004

01/28/2004

Collaborative Government/Contractor SCAMPI Appraisal

Presented: January 2004

01/28/2004

Software Acquisition Life Cycle Measure Plan based on the revised

Presented: January 2004

01/28/2004

SCAMPI B/C Pilots in Acquisition Environments

Presented: January 2004

01/28/2004

Scenario-Driven System Engineering (SDSE) for System of Systems Acquisition

Presented: January 2004

01/28/2004

CMMI Today

Presented: January 2004

01/28/2004

Software Product Maturity in SIS Source Selection

Presented: January 2004

01/28/2004

Software's "Inoperable" Interoperability Problem

Presented: January 2004

01/28/2004

Comanche Process Improvement Vision and Initiatives

Presented: January 2004

01/28/2004

Requirements Nightmare Put to Rest - F/A-18 Advanced Weapons Laboratory

Presented: January 2004

01/28/2004

An Acquirer's Guide to Navigating Contractor Data

Presented: January 2004

01/28/2004

An Alternative to TRLs for COTS Software-Intensive Systems

Presented: January 2004

01/28/2004

Acquisition Oversight as a Function of Program Office Capability

Presented: January 2004

01/27/2004

Guidelines for Acquisition Planning (January 2004)

This 2004 presentation on Guidelines for Acquisition Planning was delivered by Cecilia A. Albert and three others of the Software Engineering Institute (SEI).

01/27/2004

Early Warning Indicators in the Acquisition of Software-Intensive Systems

In this 2004 presentation, Barry Boehm of the University of California (Los Angeles) discusses early warning indicators in the acquisition of software-intensive systems.

01/27/2004

Iterative RFP Project Management

This 2004 presentation on iterative RFP project management was delivered by Chris Armstrong and Bobbi Underbakke of Adaptive Team Collaboration (ADC).

01/01/2004

What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?

What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?

01/01/2004

COTS Acquisition Evaluation Process: Preacher's Practice

This paper outlines a successful effort to apply COTS-based engineering principles to a software acquisition by various groups at the SEI.

12/01/2003

CERT's Function Extraction Project: Exploring Program Behavior for Security Analysis

CERT's Function Extraction Project: Exploring Program Behavior for Security Analysis

12/01/2003

There IS an Intruder in My Computer—What Now?

There IS an Intruder in My Computer—What Now?

12/01/2003

Organizational Models for Computer Security Incident Response Teams (CSIRTs)

This 2003 report describes different organizational models for implementing incident handling capabilities, including each model's advantages and disadvantages and the kinds of incident management services that best fit with it.

10/01/2003

State of the Practice of Computer Security Incident Response Teams (CSIRTs)

This 2003 report provides an objective study of the state of the practice of incident response, based on information about how CSIRTs around the world are operating.

09/12/2003

Reusable Security Requirements

presentation from RE'2003 RHAS'03 Workshop, September 12, 2003

09/01/2003

The Business Case for Requirements Engineering

presentation from RE'2003 RHAS'03 Workshop, September 12, 2003

09/01/2003

Use Care When Reading Email with Attachments

Use Care When Reading Email with Attachments

09/01/2003

Requirements Engineering for Survivable Systems

This 2003 report describes the current state of requirements engineering for survivable systems--systems that are able to complete their mission in a timely manner, even if significant portions are compromised by attack or accident.

09/01/2003

Identifying Commercial Off-the-Shelf (COTS) Product Risks: The COTS Usage Risk Evaluation

This 2003 report describes the development of an approach to reduce the number of program failures attributable to COTS software: the COTS Usage Risk Evaluation (CURE).

09/01/2003

Analyzing and Specifying Reusable Security Requirements

A system cannot have high assurance if it has poor security, and thus, requirements for high assurance systems will logically include security requirement as well as availability, reliability, and robustness requirements.

08/01/2003

From The Monitor August 2003: Ask the SEI

Acquisition Support Program Director answers the question: What is the SEI's long-term strategy for cross-functional integration across the various SEI competencies.

07/01/2003

What About Ada? The State of the Technology in 2003

This 2003 report documents a recent investigation which characterized the technical and programmatic risks in reusing significant quantities of legacy Ada code in a new system.

07/01/2003

International Liability Issues for Software Quality

This 2003 report focuses on international law related to cybercrime, international information security standards, and software liability issues as they relate to information security for critical infrastructure applications.

06/01/2003

Use Care When Downloading and Installing Programs

Use Care When Downloading and Installing Programs

04/01/2003

Handbook for Computer Security Incident Response Teams (CSIRTs)

This 2003 document provides guidance on forming and operating a CSIRT, and helps an organization to define and document the nature and scope of a computer security incident handling service, which is the core service of a CSIRT.

03/01/2003

Assumption Management

Assumption Management

03/01/2003

Can You Prove It?

Can You Prove It?

03/01/2003

OCTAVE Users Forum: Helping to Build a Community of Practice

OCTAVE Users Forum: Helping to Build a Community of Practice

03/01/2003

The Acquisition Support Program

The Acquisition Support Program

02/01/2003

Applying FSQ Engineering Foundations to Automated Calculation of Program Behavior

This report summarizes research on Flow Structures and describes the application of their function-theoretic mathematical foundations to the problem of program behavior calculation.

01/29/2003

SA-CMM in a Large Complex Program

This January 2003 presentation – “SA-CMM in a Large Complex Program” – was delivered by Lloyd Anderson and Hugh Gray at a Software Engineering Institute (SEI) conference in Washington, D.C.

01/29/2003

System of Systems Architecture and TSPR Contractor Model

This presentation was delivered by Jonathan D. Addelston at the Conference on the Acquisition of Software Intensive Systems on January 29, 2003.

01/28/2003

Reducing System Acquisition Risk with Software Architecture Analysis and Evaluation

This 2003 presentation on reducing system acquisition risk with software architecture analysis and evaluation was delivered by J.K. Bergey, Matt Fisher, and Lawrence G. Jones of the Software Engineering Institute (SEI).

01/28/2003

Keynote Address: Conference on the Acquisition of Software-Intensive Systems

This page contains the keynote presentation by Claude M. Bolton at the Acquisition of Software-Intensive Systems Conference, held from January 28-30, 2003.

01/28/2003

Complex Systems of Systems (CSOS): Software Benefits, Risks, and Strategies

In this 2003 presentation, V. Basili and Barry Boehm provide an overview of complex systems of systems, discussing the software benefits, risks, and strategies associated with them.

01/28/2003

A Systems Thinking Approach to Building and Updating C4ISR Architecture Views

Presented: January 2003

01/28/2003

Tri-Service Assessment Initiative Phase 2 Systemic Analysis Results

Presented: January 2003

01/28/2003

Is There Order or Chaos After 5000?

presentation at the Conference on the Acquisition of Software-Intensive Systems, January 28-30, 2003

01/28/2003

Software Sustainability and Acquisition Reform: A View from the Bottom

Presented: January 2003

01/28/2003

Defining Acquisition Measures: The Integrated Software Acquisition Metrics (ISAM) Project

Presented: January 2003

01/28/2003

Enterprise Process Improvement Approach

Presented: January 2003

01/28/2003

The Incompatibility Between Software Component Based Development and Present UK MoD Procurement Approaches

Presented: January 2003

01/28/2003

Developing Enterprise-wide Measures for Tracking Acquisition Performance

Presented: January 2003

01/28/2003

Use of Questionnaire-Based Appraisals in Process Improvement Programs

presentation at the Acquisition of Software-Intensive Systems Conference, January 28, 2003, in Arlington, Virginia

01/28/2003

Software Intensive System Acquisition: Best Practices

Presented: January 2003

01/28/2003

The State of Practice in DoD Acquisitions, and Some Proposed Alternatives

Presented: January 2003

01/28/2003

Managing Software Risks in Software Intensive Systems with Metrics and Measures

presentation at the Conference on the Acquisition of Software-Intensive Systems, January 28-30, 2003

01/28/2003

Enterprise Architecture and COTS Intensive System Acquisition Strategies

Presented: January 2003

01/28/2003

Revitalizing the Software Acquisition Process

presentation from the Acquisition of Software-Intensive Systems Conference, January 28-30, 2003

01/28/2003

Software Regression Testing

Presented: January 2003

01/28/2003

Rapid Improvement Team (RIT) Initiative with GTN 21 - Lessons Learned from GTN 2

Presented: January 2003

01/28/2003

eQualite: Quality Assessment of Software Suppliers

Presented: January 2003

01/28/2003

Software Acquisition Best Practices: Experiences from the Space System Domain

presentation from the Acquisition of Software-Intensive Systems Conference, January 28-30, 2003

01/28/2003

Independent Integrated Verification and Validation

Presented: January 2003

01/28/2003

TRL Corollaries for Practice-Based Technologies

Presented: January 2003

01/28/2003

NAVAIR/SEI/MITRE Strategic Collaboration

presentation from the Acquisition of Software-Intensive Systems Conference, January 28-30, 2003

01/28/2003

Service Level Agreements: An Approach to Software Life-Cycle Quality

Presented: January 2003

01/28/2003

Rapid and Adaptive System Acquisition

Presented: January 2003

01/28/2003

Refining Software Development Estimation Techniques for the Federal Aviation Administration En-Route Systems Acquisition

Presented: January 2003

01/28/2003

Acquisition Practices: Good and Bad

Presented: January 2003

01/28/2003

Fourteen SCEs Around the World in Less than 40 Days

Presented: January 2003

01/28/2003

The Role of the Revised IEEE Standard Dictionary of Measures of the Software Aspects of Dependability in Software Acquisition

Presented: January 2003

01/28/2003

The UK/US Bilateral on Improving Military Software Intensive System Acquisition - A UK View

Presentation by Dr. Dave Thombs, Pricing & Forecasting Group (PFG), made on January 2003.

01/28/2003

Implementing Best Practices in the Joint Battlespace Infosphere (JBI) Program at AFRL

IPresented: January 2003

01/28/2003

The Software Maturity Matrix: A Software Performance Metric

Presented: January 2003

01/28/2003

Experience and Lessons-Learned in Applying the Tri-Service Assessment Initiative Process

This presentation on the experiences and lessons learned in applying the Tri-Service Assessment Initiative Process was delivered by William Bail of MITRE on January 28, 2003.

01/28/2003

Transforming an Agency in an Interagency Environment

This 2003 presentation was delivered by Charles R. Armstrong of the Customs Modernization Office at the Conference on the Acquisition of Software-Intensive Systems.

01/27/2003

Lessons Learned on Cooperative Government-Industry Appraisals

This 2003 presentation was delivered by Melanie Benhoff of Integrity Applications, Inc., in which she presents a number of lessons learned on cooperative government/industry appraisals.

01/26/2003

They Keep Moving the Cheese

“They Keep Moving the Cheese: A Framework for the Evolutionary Acquisition of Large Software Intensive Systems” was delivered by Cecilia Albert and Lisa Brownsword in 2003.

01/01/2003

Advanced Engineering Environments for Small Manufacturing Enterprises

Presented: January 2003

01/01/2003

Outsourcing Managed Security Services

The practices recommended in this 2003 report provide organizations with the guidance necessary to knowledgeably engage MSSPs, so they can make informed use of such services.

12/01/2002

OCTAVE Developers Reach Out to Smaller Organizations with OCTAVE-S

OCTAVE Developers Reach Out to Smaller Organizations with OCTAVE-S

12/01/2002

Installing and Using a Firewall Program

Installing and Using a Firewall Program

12/01/2002

Network Survivability Analysis Using Easel

This 2002 report describes the results of explorations into the use of simulation in examining Internet survivability.

12/01/2002

Rules of Thumb for the Use of COTS Products

This 2002 report provides information to help guide decisions about when COTS products are an appropriate solution—and when they are not.

11/01/2002

Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues

11/01/2002

Evolutionary Process for Integrating COTS-Based Systems (EPIC) Building, Fielding, and Supporting Commercial-off-the-Shelf (COTS) Based Solutions

This 2002 document is the first release of a full description of the EPIC framework along with its activities and artifacts.

10/01/2002

Life-Cycle Models for Survivable Systems

This 2002 report explains survivability concepts, describes a software development life-cycle model for survivability, and illustrates techniques to support survivability goals.

10/01/2002

Trustworthy Refinement Through Intrusion-Aware Design (2002)

10/01/2002

Trustworthy Refinement Through Intrusion-Aware Design

09/01/2002

New Book Helps Organizations Take Charge of Information Security

New Book Helps Organizations Take Charge of Information Security

09/01/2002

Carnegie Mellon Educates Next Generation of Information-Security Experts

Carnegie Mellon Educates Next Generation of Information-Security Experts

09/01/2002

File Cabinets and Pig Latin: Guards for Information Assets

File Cabinets and Pig Latin: Guards for Information Assets

09/01/2002

An Application of an Iterative Approach to DoD Software Migration Planning

This 2002 report outlines the early results of an approach to support software migration planning that focused on deriving actionable plans for focus areas that were identified in an initial increment of an overall migration plan.

07/09/2002

Managing Information Security Risks: The OCTAVE Approach

This book provides organizations with a systematic way to evaluate and manage their information security risks through the use of the OCTAVE approach.

07/01/2002

Reeducation to Expand the Software Engineering Workforce: Successful Industry/University Collaborations

This 2002 paper reports on the study of the Industry/University group (a subgroup of the Working Group on Software Engineering Education and Training) to investigate active collaborations between companies and universities in which non-software professionals and practitioners who lack formal software education are reeducated to become software engineers.

06/01/2002

CERT/CC and Secret Service Collaborate on Security

CERT/CC and Secret Service Collaborate on Security

06/01/2002

Preventing Security-Related Defects

Preventing Security-Related Defects

06/01/2002

Is There an Intruder in My Computer?

Is There an Intruder in My Computer?

06/01/2002

Flow-Service-Quality (FSQ) Engineering: Foundations for Network System Analysis and Development

This 2002 report describes Flow-Service-Quality (FSQ) engineering, an emerging technology for management, acquisition, analysis, development, evolution, and operation of large-scale, network-centric systems.

06/01/2002

Using EVMS with COTS-Based Systems

This 2002 report focuses is on the use of Earned Value in the context of a COTS-Based System (CBS).

03/01/2002

The Internet—Friend or Foe?

The Internet—Friend or Foe?

03/01/2002

Software Acquisition Capability Maturity Model (SA-CMM) Version 1.03

This 2002 version of the SA-CMM incorporates change requests that have been received, as well as the results of lessons learned from conducting appraisals and from the use of Version 1.02.

12/01/2001

TransPlant: Helping Organizations to Make the Transition

TransPlant: Helping Organizations to Make the Transition

12/01/2001

The Internet Security Alliance: Leadership in Information Security

The Internet Security Alliance: Leadership in Information Security

12/01/2001

Attack Scenarios: How to Get There from Here

Attack Scenarios: How to Get There from Here

12/01/2001

Can We Ever Build Survivable Systems from COTS Components?

This paper describes a risk-mitigation framework for deciding when and how COTS components can be used to build survivable systems.

12/01/2001

A Framework for the Specification of Acquisition Models

This special report provides a bibliography of books, articles, and other literature concerning the PSP and TSP methodologies.

09/01/2001

Everyone's a System Administrator

Everyone's a System Administrator

07/10/2001

The IDEAL Model

Presentation from July 2001 on the IDEAL model, an organizational improvement model that serves as a roadmap for initiating, planning, and implementing improvement actions.

06/07/2001

CERT Guide To System and Network Security Practices

This book puts CERT practices and implementations in book form, and offers step-by-step guidance for protecting systems and networks against malicious and inadvertent compromise.

06/01/2001

Securing Information Assets

Securing Information Assets

06/01/2001

CERT System and Network Security Practices

CERT System and Network Security Practices

05/01/2001

Spiral Development and Evolutionary Acquisition

DoD Instruction 5000.2 introduced innovations throughout the acquisition cycle. To address this, a workshop was held September 2000. This 2001 report summarizes the workshop and presents its recommendations.

03/01/2001

Intrusion Detection Systems

Intrusion Detection Systems

03/01/2001

How the FBI Investigates Computer Crime

How the FBI Investigates Computer Crime

08/01/2000

Improving the Acquisition of Software Intensive Systems

The SEI surveyed senior acquisition managers about the performance of their organizations, especially on skills and competencies, and issues surrounding the training needed to develop them. The results of the survey are presented in this report.

06/01/2000

Cybersleuthing: Means, Motive, and Opportunity

Cybersleuthing: Means, Motive, and Opportunity

03/01/2000

Countering the Threat of Internet Denial of Service Attacks

Countering the Threat of Internet Denial of Service Attacks

03/01/2000

Removing Roadblocks to Cyber Defense

Removing Roadblocks to Cyber Defense

03/01/2000

Survivability Blends Computer Security With Business Risk Management

Survivability Blends Computer Security With Business Risk Management

03/01/2000

Survivability Blends Computer Security

Survivability Blends Computer Security

12/01/1999

Protecting Critical Systems in Unbounded Networks

Protecting Critical Systems in Unbounded Networks

10/01/1999

Software Acquisition Risk Management Key Process Area (KPA): A Guidebook Version 1.02

This report provides guidelines for implementing a software acquisition risk management program that satisfies the goals of the ARM KPA of the SA-CMM.

09/01/1999

From Y2K to Security Improvement: A Critical Transition

From Y2K to Security Improvement: A Critical Transition

09/01/1999

From Y2K to Security Improvement; A Critical Transition

From Y2K to Security Improvement: A Critical Transition

06/01/1999

Were You Ready for the Melissa Virus?

Were You Ready for the Melissa Virus?

03/01/1999

Avoiding the Trial-by-Fire Approach to Security Incidents

Avoiding the Trial-by-Fire Approach to Security Incidents

12/01/1998

What Messages Are You Sending to Vendors?

What Messages Are You Sending to Vendors?

12/01/1998

Interview with Richard D. Pethia

Interview with Richard D. Pethia

12/01/1998

Security of the Internet

Security of the Internet

09/01/1998

Security Matters – Doesn't It?

Security Matters – Doesn't It?

07/01/1998

Software Acquisition Improvement Framework (SAIF) Definition

This 1998 document discusses rationale behind the need for the Software Acquisition Improvement Framework (SAIF), the elements constituting the SAIF, and the intended operational usage of the SAIF.

08/01/1997

Software Acquisition Process Maturity Questionnaire

This 1997 report contains a software acquisition process maturity questionnaire, intended for those interested in learning about and performing software acquisition process appraisals.

12/01/1996

Software Acquisition Capability Maturity Model

This 1996 version of the SA-CMM incorporates the results of lessons learned from the use of Version 1.0.

01/01/1996

Continuous Risk Management Guidebook

This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.

06/01/1987

Seeking the Balance Between Government and Industry Interests in Software Acquisition. Volume I. A Basis for Reconciling DoD and Industry Needs for Rights in Software

This 1987 report offers several recommendations for achieving a balanced policy as to government funded software, privately funded software, and mixed funding software that will meet the mission needs of the DoD while enabling contractors to protect their proprietary interests, and commercialize their software products.

01/01/1987

Effect of Software Support Needs on DoD Software Acquisition Policy: Part 1: A Framework for Analyzing Legal Issues, The

This 1987 report summarizes the significant technical and managerial considerations that affect the maintenance and enhancement of software.

09/01/1986

Proposal for a New Rights in Software Clause for Software Acquisitions by the Department of Defense

This report 1986 recommends regulatory strategies for addressing difficulties the DoD has experienced with respect to legal issues related to software acquisitions.

04/01/1986

Toward a Reform of the Defense Department Software Acquisition Policy