<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Technical Reports</title><link>http://www.sei.cmu.edu//library/reportspapers.cfm</link><description>Library - Reports and Papers</description><lastBuildDate>Tue, 18 Jun 2013 22:14:25 +0000</lastBuildDate><generator>CommonSpot Content Server</generator><copyright>Software Engineering Institute</copyright><item><title>Isolating Patterns of Failure in Department of Defense Acquisition</title><description>This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn014.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn014.cfm</link><pubDate>Tue, 11 Jun 2013 17:49:49 +0000</pubDate></item><item><title>Socio-Adaptive Systems Challenge Problems Workshop Report</title><description>Presents a summary of the findings that emerged from the Socio-Adaptive Systems Challenge Problem Workshop in Pittsburgh, held in April 2012. The workshop’s goal was to identify the challenges associated with resource allocation for warfighters operating at the tactical edge, where networks are often unreliable, and bandwidth limited and inconsistent.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13sr010.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13sr010.cfm</link><pubDate>Mon, 10 Jun 2013 16:45:54 +0000</pubDate></item><item><title>Application Virtualization as a Strategy for Cyber Foraging in Resource-Constrained Environments</title><description>This technical note explores the applicability of application virtualization as a strategy for cyber foraging in resource-constrained environments. Cyber foraging is a technique to enable resource-poor, mobile devices to leverage external computing power. Application virtualization emulates operating system services for applications.
While it involves some challenges, it provides a promising strategy for cyber foraging in resource-constrained environments because it is a lightweight approach that offers high portability.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn007.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn007.cfm</link><pubDate>Wed, 22 May 2013 17:00:43 +0000</pubDate></item><item><title>Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations</title><description>This technical note defines intellectual property (IP) and insider theft of IP, gives a snapshot of the insiders involved in these cases, summarizes some of the cases, and provides recommendations for mitigating the risk of similar incidents of insider threat.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn009.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn009.cfm</link><pubDate>Mon, 20 May 2013 17:20:28 +0000</pubDate></item><item><title>Software Assurance Competency Model</title><description>This Software Assurance Competency Model helps create a foundation for assessing and advancing the capability of software assurance professionals.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn004.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn004.cfm</link><pubDate>Thu, 09 May 2013 14:01:46 +0000</pubDate></item><item><title>PSP-VDC: An Adaptation of the PSP that Incorporates Verified Design by Contract</title><description>This paper describes a proposal for integrating Verified Design by Contract into PSP in order to reduce the number of defects present at the Unit Testing phase, while preserving or improving productivity.</description><guid
isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tr005.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tr005.cfm</link><pubDate>Tue, 07 May 2013 17:54:37 +0000</pubDate></item><item><title>Quantifying Uncertainty in Expert Judgment: Initial Results</title><description>The work described in this report, part of a larger SEI research effort on Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), aims to develop and validate methods for calibrating expert judgment. Reliable expert judgment is crucial across the program acquisition lifecycle for cost estimation, and perhaps most critically for tasks related to risk analysis and program management. This research is based on three field studies that compare and validate training techniques aimed at improving the participants’ skills to enable more realistic judgments commensurate with their knowledge.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tr001.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tr001.cfm</link><pubDate>Tue, 19 Mar 2013 14:50:27 +0000</pubDate></item><item><title>Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders</title><description>This analysis justifies applying the pattern “Increased Review for Intellectual Property (IP) Theft by Departing Insiders,” which helps organizations plan, prepare, and implement a strategy to mitigate the risk of insider theft of IP.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn013.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn013.cfm</link><pubDate>Tue, 19 Mar 2013 13:52:41 +0000</pubDate></item><item><title>Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection</title><description>This report presents methods that can be used to detect and prevent data exfiltration using a Linux-based proxy server in a 
Microsoft Windows environment.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn012.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn012.cfm</link><pubDate>Tue, 12 Mar 2013 18:48:52 +0000</pubDate></item><item><title>The MAL: A Malware Analysis Lexicon</title><description>This report presents the results of the Malware Analysis Lexicon (MAL) initiative, a small project to develop the first common vocabulary for malware analysis.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn010.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn010.cfm</link><pubDate>Wed, 27 Feb 2013 18:35:05 +0000</pubDate></item><item><title>Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders</title><description>This report presents methods to audit USB device use within a Microsoft Windows environment.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn003.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn003.cfm</link><pubDate>Mon, 21 Jan 2013 17:44:47 +0000</pubDate></item><item><title>Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources</title><description>This report focuses on the theft of intellectual property using removable media, in particular, USB devices. We present methods to control removable media devices in a Microsoft Windows environment using Group Policy within an Active Directory environment. 
We also explore OpenDLP, an open source tool for identifying where sensitive data resides on organizational systems.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/13tn002.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/13tn002.cfm</link><pubDate>Wed, 16 Jan 2013 17:24:27 +0000</pubDate></item><item><title>Common Sense Guide to Mitigating Insider Threats, 4th Edition</title><description>This fourth edition of the Common Sense Guide to Mitigating Insider Threats introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, outlines current patterns and trends, and describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm</link><pubDate>Wed, 12 Dec 2012 17:28:38 +0000</pubDate></item><item><title>Analyzing Cases of Resilience Success and Failure—A Research Study</title><description>This report describes the SEI research study aimed at helping organizations to know the business value of implementing resilience processes and practices, and determine which ones to implement.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn025.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn025.cfm</link><pubDate>Tue, 11 Dec 2012 15:27:48 +0000</pubDate></item><item><title>The Business Case for Systems Engineering Study: Assessing Project Performance from Sparse Data</title><description>This report describes the data collection and analysis process used to support the assessment of project performance for the systems engineering (SE) effectiveness study.</description><guid 
isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12sr010.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12sr010.cfm</link><pubDate>Tue, 11 Dec 2012 15:11:15 +0000</pubDate></item><item><title>The Business Case for Systems Engineering Study: Results of the Systems Engineering Effectiveness Survey</title><description>This report summarizes the results of a survey that had the goal of quantifying the connection between the application of systems engineering (SE) best practices to projects and programs and the performance of those projects and programs.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12sr009.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12sr009.cfm</link><pubDate>Fri, 30 Nov 2012 13:30:17 +0000</pubDate></item><item><title>Reliability Improvement and Validation Framework</title><description>This report discusses the reliability validation and improvement framework developed by the SEI. The purpose of this framework is to provide a foundation for addressing the challenges of qualifying increasingly software-reliant, safety-critical systems. 
It aims to overcome the limitations of current reliability engineering approaches, leverage the best emerging engineering technologies and practices to complement the process focus of current practice, find acceptance in industry, and lead to a new set of reliability improvement metrics.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12sr013.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12sr013.cfm</link><pubDate>Tue, 27 Nov 2012 19:39:16 +0000</pubDate></item><item><title>DoD Information Assurance and Agile: Challenges and Recommendations Gathered Through Interviews with Agile Program Managers and DoD Accreditation Reviewers</title><description>This paper discusses the natural tension between rapid fielding and response to change (characterized as agility) and DoD information assurance policy.  Data for the paper was gathered through interviews with DoD project managers and IA representatives.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn024.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn024.cfm</link><pubDate>Fri, 16 Nov 2012 15:01:46 +0000</pubDate></item><item><title>TSP Symposium 2012 Proceedings</title><description>The 2012 TSP Symposium was organized by the Software Engineering Institute (SEI) and took place September 18–20 in St. Petersburg, FL. The goal of the TSP Symposium is to bring together practitioners and academics who share a common passion to change the world of software engineering for the better through disciplined practice. 
The conference theme was “Delivering Agility with Discipline.” This report contains the six papers selected by the TSP Symposium Technical Program Committee.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12sr015.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12sr015.cfm</link><pubDate>Thu, 08 Nov 2012 17:48:36 +0000</pubDate></item><item><title>Supporting the Use of CERT® Secure Coding Standards in DoD Acquisitions</title><description>This technical note provides guidance to help DoD acquisition programs address software security in acquisitions. It provides background on the development of secure coding standards, sample request for proposal (RFP) language, and a mapping of the Application Security and Development STIG to the CERT(R) C Secure Coding Standard.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn016.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn016.cfm</link><pubDate>Thu, 25 Oct 2012 19:53:06 +0000</pubDate></item><item><title>Resource Allocation in Dynamic Environments</title><description>When warfighting missions are conducted in a dynamic environment, the allocation of resources needed for mission operation can change from moment to moment. 
This report addresses two challenges of resource allocation in dynamic environments: overstatement of resource needs and unpredictable network availability.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr011.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr011.cfm</link><pubDate>Thu, 25 Oct 2012 15:28:33 +0000</pubDate></item><item><title>Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File</title><description>This report describes an algorithm that efficiently reverts bits from the fuzzed file to those found in the original seed file, keeping only the minimal bits required to recreate the crash under investigation.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn018.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn018.cfm</link><pubDate>Fri, 19 Oct 2012 18:08:14 +0000</pubDate></item><item><title>The Role of Standards in Cloud-Computing Interoperability</title><description>This report explores the role of standards in cloud-computing interoperability. It covers cloud-computing basics and standard-related efforts, discusses several use cases, and provides recommendations for cloud-computing adoption.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn012.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn012.cfm</link><pubDate>Fri, 19 Oct 2012 18:07:13 +0000</pubDate></item><item><title>Cloud Computing at the Tactical Edge</title><description>This technical note presents a strategy to overcome the challenges of obtaining sufficient computation power to run applications needed for warfighting and disaster relief missions. 
It discusses the use of cloudlets--localized, stateless servers running one or more virtual machines--on which soldiers can offload resource-intensive computations from their handheld mobile devices.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn015.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn015.cfm</link><pubDate>Fri, 05 Oct 2012 22:09:51 +0000</pubDate></item><item><title>Communication Among Incident Responders - A Study</title><description>This technical note describes three factors that can help or hinder the cooperation of incident responders.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn028.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn028.cfm</link><pubDate>Tue, 16 Oct 2012 17:12:23 +0000</pubDate></item><item><title>Toward a Theory of Assurance Case Confidence</title><description>Assurance cases provide an argument and evidence explaining why a claim about some system property holds. This report presents a framework for thinking about (and determining) confidence in assurance case arguments.
The framework uses argumentation theory as developed in philosophy, jurisprudence, mathematics, and artificial intelligence to provide a justified basis for asserting some level of confidence in the truth of assurance case claims.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr002.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr002.cfm</link><pubDate>Wed, 26 Sep 2012 14:50:52 +0000</pubDate></item><item><title>SEPG Europe 2012 Conference Proceedings</title><description>This report compiles seven papers based on presentations given at SEPG Europe 2012.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12sr005.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12sr005.cfm</link><pubDate>Fri, 21 Sep 2012 21:10:21 +0000</pubDate></item><item><title>Competency Lifecycle Roadmap: Toward Performance Readiness</title><description>This technical note describes the Competency Lifecycle Roadmap (CLR), a preliminary roadmap for understanding and building workforce readiness.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn020.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn020.cfm</link><pubDate>Tue, 11 Sep 2012 16:58:20 +0000</pubDate></item><item><title>Probability-Based Parameter Selection for Black-Box Fuzz Testing</title><description>This report describes an algorithm to automate selection of seed files and other parameters used in black-box fuzz testing.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn019.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn019.cfm</link><pubDate>Thu, 30 Aug 2012 13:29:48 +0000</pubDate></item><item><title>Network Profiling Using Flow</title><description>This report provides a step-by-step guide for profiling—discovering public-facing assets on a network—using network flow (netflow) 
data.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr006.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr006.cfm</link><pubDate>Thu, 23 Aug 2012 19:58:06 +0000</pubDate></item><item><title>Results of SEI Line-Funded Exploratory New Starts Projects</title><description>This report describes the line-funded exploratory new starts (LENS) projects that were undertaken during fiscal year 2011. For each project, the report presents a brief description and a recounting of the research that was done, as well as a synopsis of the results of the project.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr004.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr004.cfm</link><pubDate>Thu, 23 Aug 2012 19:43:50 +0000</pubDate></item><item><title>Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector</title><description>This report describes a new insider threat study in which researchers extracted technical and behavioral patterns from fraud cases and developed insights and risk indicators of malicious insider activity within the banking and finance sector.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12sr004.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12sr004.cfm</link><pubDate>Thu, 26 Jul 2012 15:33:14 +0000</pubDate></item><item><title>The Evolution of a Science Project: A Preliminary System Dynamics Model of a Recurring Software-Reliant Acquisition Behavior</title><description>This report uses a preliminary system dynamics model to analyze a specific adverse acquisition dynamic concerning the poorly controlled evolution of small prototype efforts into full-scale systems.</description><guid 
isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr001.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr001.cfm</link><pubDate>Thu, 12 Jul 2012 11:37:20 +0000</pubDate></item><item><title>A Virtual Upgrade Validation Method for Software-Reliant Systems</title><description>Presents the Virtual Upgrade Validation (VUV) method, an approach that uses architecture-centric, model-based analysis to identify system-level problems early in the upgrade process to complement established test qualification techniques.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr005.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr005.cfm</link><pubDate>Thu, 14 Jun 2012 16:33:25 +0000</pubDate></item><item><title>Report from the First CERT-RMM Users Group Workshop Series</title><description>This report describes the first CERT RMM Users Group (RUG) Workshop Series and relays the experiences of participating members and CERT staff.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn008.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn008.cfm</link><pubDate>Wed, 30 May 2012 13:08:24 +0000</pubDate></item><item><title>A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders</title><description>This report presents an example of an enterprise architectural pattern, Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders, to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr008.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr008.cfm</link><pubDate>Thu, 03 May 2012 14:35:45 +0000</pubDate></item><item><title>Source Code Analysis Laboratory (SCALe)</title><description>This report details the CERT Program's Source Code 
Analysis Laboratory (SCALe), a proof-of-concept demonstration that software systems can be conformance tested against secure coding standards, and provides an analysis of selected software systems.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tn013.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tn013.cfm</link><pubDate>Tue, 01 May 2012 20:19:48 +0000</pubDate></item><item><title>Insider Threat Security Reference Architecture</title><description>This technical report describes the Insider Threat Security Reference Architecture (ITSRA), an enterprise-wide solution to the threat to organizations from their own insiders. The ITSRA draws from existing best practices and standards as well as from analysis of real insider threat cases to provide actionable guidance for organizations to improve their posture against the insider threat.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/12tr007.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/12tr007.cfm</link><pubDate>Tue, 01 May 2012 14:21:10 +0000</pubDate></item><item><title>CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 1</title><description>This technical note maps CERT® Resilience Management Model (CERT®-RMM) process areas to certain National Institute of Standards and Technology (NIST) special publications in the 800 series.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/11tn028.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/11tn028.cfm</link><pubDate>Tue, 27 Mar 2012 12:25:58 +0000</pubDate></item><item><title>What’s New in V2 of the Architecture Analysis &amp; Design Language Standard?</title><description>This report provides an overview of changes and improvements to the Architecture Analysis &amp; Design Language (AADL) standard for describing both the software architecture and the
execution platform architectures of performance-critical, embedded, real-time systems.</description><guid isPermaLink="true">http://www.sei.cmu.edu/library/abstracts/reports/11sr011.cfm</guid><link>http://www.sei.cmu.edu/library/abstracts/reports/11sr011.cfm</link><pubDate>Thu, 22 Mar 2012 19:42:02 +0000</pubDate></item></channel></rss>