Software Engineering Institute | Carnegie Mellon University
SEI Podcast Series
July 14, 2017

Ransomware: Best Practices for Prevention and Response

 Jeffrey Smith (Microsoft)

Alexander Volynkin

Angela Horneman

"Newer versions of ransomware seem to be targeting not just your storage of data on your documents, folders, and things like this, but also go after backups, data-based backups, and so on, either on the personal computers or on the network storage and other storage devices. It is important to have this, what we call, air gap between the network that is currently running and the database backup that needs to exist elsewhere."

June 29, 2017

Integrating Security in DevOps

 Jeffrey Smith (Microsoft)

Hasan Yasar

"There are many steps in the lifecycle that can be checked. But security operational folks, as I said at the beginning, do more at the end, which is too late because then it is costing so much time in terms of fixing any known vulnerabilities, or fixing anything that has been discovered late, because it’s going to go back to the sprint plan, depending on what type of application development method they were using."

June 15, 2017

SEI Fellows Series: Peter Feiler

 Jeffrey Smith (Microsoft)

Peter H. Feiler

"You can talk about the function of software, but if you want to talk, say, performance, you only can talk about that in the context of it running on some hardware. If you want to talk about safety, you have to talk about how it is distributed on the hardware, how good the hardware is, in addition to how good the software is, and how well it interacts with the physical environment. These interactions present the majority of problems in embedded software systems."

Categories: Software Architecture

May 25, 2017

NTP Best Practices

 Jeffrey Smith (Microsoft)

Timur D. Snoke

"A lot of the banking applications that we are using now are using one-time passwords that are only valid for a very distinct period of time. If you can mess with what the computer thinks the time is, then you might be able to set up a window of opportunity."

May 18, 2017

Establishing Trust in Disconnected Environments

 Jeffrey Smith (Microsoft)

Grace Lewis

"One of the key features of the tactical cloudlets, like I said, is that they are discoverable. So a mobile device in the field is going to say, Are there any cloudlets around me? From a mobile-device perspective, I want to make sure that cloudlet is a friendly one. Is it a good cloudlet, right? And the other way around is also true. If I am a cloudlet and the mobile device says, I would like to connect to you, I need to know it is a good one."
