Software is the engine of innovation in our Internet-connected world. Research yields new ideas that software transforms into new products. Unlike traditional industries such as the automotive and electronics industries, software requires no factories for manufacturing, no costly distribution system, and hence no large infrastructure investment. But it does require the use of disciplined engineering practices by skilled software engineers.

Unfortunately, there continues to be a gap between the state of the art and the state of the practice of software engineering. Commonly used software-development practices result in lost productivity, as time and money are wasted on rework. Data indicate that 60-80% of the cost of software development is rework—that is, fixing defects that are found during testing. While software must still be tested, testing and rework costs would be reduced if better design and implementation practices were used.

Commercial software products today are riddled with defects—commonly known as “bugs”—that are introduced during the software’s design and development. As we come to rely increasingly on systems that are interconnected in networks, the stakes are rising. Defects in products that are accessible to the Internet render them vulnerable to cyber attacks. The SEI’s CERT® Coordination Center (CERT/CC) documented more than 4,000 commercial-product vulnerabilities this year and determined that more than 95% of the 82,000 unique cyber incidents it investigated were a direct result of intruders exploiting such vulnerabilities. Yet the massive number of vulnerabilities seen in commercial software can be attributed to a modest number of root causes. These defects, and hence most cyber attacks, could be prevented if vendors used the proven best design techniques of software engineering.

The SEI’s core purpose is to help others make measured improvements in their software engineering capabilities. In the SEI’s view, the best way to ensure the security of our software is to design software in a way that does not allow defects into software in the first place.

As a college-level unit at Carnegie Mellon University, well known for its highly ranked programs in computer science and engineering, the SEI operates at the leading edge of technical innovation. Since 1984, we at the SEI have been identifying, developing, and advocating practices for designing high-quality software. At the SEI, we emphasize defect prevention through improvement of process and product quality during the early phases of system development.

Our annual report for Fiscal Year 2002 is replete with examples of organizations that have achieved impressive results through the disciplined application of these principles. We continue to believe that the SEI’s vision for software engineering—the right software, delivered defect free, on time and on cost, every time—is achievable. Our annual report provides the evidence.
We hope you enjoy reading it.

Stephen E. Cross
Director and Chief Executive Officer
Software Engineering Institute