SEI Blog

SEI Bloghttp://www.sei.cmu.edu/feeds/latest/atom/?utm_source=blog&utm_medium=rss2026-03-04T00:00:00-05:00Updates on changes and additions to the SEI Blog.The Five Pillars of Software Assurance in System Acquisition2026-03-04T00:00:00-05:002026-03-04T00:00:00-05:00Dr. Carol Woody, Christopher Alberts, Michael Bandor, Timothy A. Chickhttps://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post presents five foundational capabilities to support the acquisition of a system with effective software assurance.

An Approach to Accelerate Verification and Software Standards Testing with LLMs2026-02-09T00:00:00-05:002026-02-09T00:00:00-05:00Ryan Karl, Yash Hindka, Shen Zhang, John Roberthttps://www.sei.cmu.edu/blog/an-approach-to-accelerate-verification-and-software-standards-testing-with-llms/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post highlights the work of SEI researchers who sought to prove that LLMs can be used in unclassified environments to rapidly develop tools that could then be used to accelerate software analysis in classified environments.

From Concept to Practice: How SSVC Has Evolved to Make Adoption Possible2026-01-28T00:00:00-05:002026-01-28T00:00:00-05:00Renae Metcalf, Allen Householder, Vijay Sarvepallihttps://www.sei.cmu.edu/blog/from-concept-to-practice-how-ssvc-has-evolved-to-make-adoption-possible/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post traces the milestones of the Stakeholder Specific Vulnerability Categorization and invites the community to participate, contribute, and benefit from the continued maturation of SSVC.

An Open Source Tool to Unravel UEFI and its Vulnerabilities2026-01-22T00:00:00-05:002026-01-22T00:00:00-05:00Vijay Sarvepalli, Renae Metcalf, Cory Cohenhttps://www.sei.cmu.edu/blog/an-open-source-tool-to-unravel-uefi-and-its-vulnerabilities/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post introduces CERT UEFI Parser, a new, open source tool that uses program analysis to reveal the architecture of UEFI software, and explore this veiled source of vulnerabilities.

Upskilling the Federal Cybersecurity Workforce2026-01-20T00:00:00-05:002026-01-20T00:00:00-05:00Christopher Herrhttps://www.sei.cmu.edu/blog/upskilling-the-federal-cybersecurity-workforce/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post details how the SEI Cyber Mission Readiness Team, in partnership with CISA, developed a series of Skilling Continuation Labs to provide unique, hands-on, immersive training to upskill the federal cybersecurity workforce.

The Top 10 Blog Posts of 20252026-01-12T00:00:00-05:002026-01-12T00:00:00-05:00Thomas Longstaffhttps://www.sei.cmu.edu/blog/the-top-10-blog-posts-of-2025/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

Every January on the SEI Blog, we present the 10 most-visited posts from the previous year.

Analyzing Partially Encrypted Network Flows with Mid-Encryption2025-12-15T00:00:00-05:002025-12-15T00:00:00-05:00Steven Ibarra, Mark Thomashttps://www.sei.cmu.edu/blog/analyzing-partially-encrypted-network-flows-with-mid-encryption/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

Encrypted traffic has come to dominate network flows, which makes it difficult for traditional flow monitoring tools to maintain visibility. In this blog post we take a closer look at a new feature added to CERT’s Yet Another Flowmeter tool (YAF) to capture the attributes of encryption when it occurs after the start of the session. We call this mid-encryption.

Tailoring 9 Zero Trust and Security Principles to Weapon Systems2025-12-09T00:00:00-05:002025-12-09T00:00:00-05:00Christopher Alberts, Timothy Morrow, Rhonda Brown, Charles Wallenhttps://www.sei.cmu.edu/blog/tailoring-9-zero-trust-and-security-principles-to-weapon-systems/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

Our latest post outlines how 9 zero trust and security principles might apply to weapon systems.

AI-Powered Memory Safety with the Pointer Ownership Model2025-12-03T00:00:00-05:002025-12-03T00:00:00-05:00David Svoboda, Lori Flynnhttps://www.sei.cmu.edu/blog/ai-powered-memory-safety-with-the-pointer-ownership-model/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post highlights work to automate C Code Security with AI-Powered memory safety.

How to Align Security Requirements and Controls to Express System Threats2025-11-21T00:00:00-05:002025-11-21T00:00:00-05:00Elias Miller, Matthew Siskhttps://www.sei.cmu.edu/blog/how-to-align-security-requirements-and-controls-to-express-system-threats/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This blog post presents a method that combines information about security requirements, controls, and capabilities with analysis regarding cyber threats to enable more effective risk-guided system planning.

From Hype to Adoption: Guiding Organizations in Their AI Journey2025-11-10T00:00:00-05:002025-11-10T00:00:00-05:00Ipek Ozkaya, Anita Carleton, Erin Harper, Natalie Schieber, Robert Edmanhttps://www.sei.cmu.edu/blog/from-hype-to-adoption-guiding-organizations-in-their-ai-journey/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

After a flurry of initial investments in artificial intelligence, including generative and agentic AI, many organizations are facing mixed results. The SEI is examining how organizations adopt AI and what methods they can use to measure and improve their adoption for long-term success.

A Model-Based Approach for Software Acquisition2025-11-03T00:00:00-05:002025-11-03T00:00:00-05:00Colin Dempsey, Jerome Hugueshttps://www.sei.cmu.edu/blog/a-model-based-approach-for-software-acquisition/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

The Department of War (DoW) is undergoing a significant transformation in how it acquires and develops software systems. Central to this evolution is the shift from traditional document-based processes to model-centric methodologies.

Modeling Services with Model-Based Systems Engineering (MBSE)2025-10-28T00:00:00-04:002025-10-28T00:00:00-04:00Nataliya Shevchenko, Grigoriy Shevchenkohttps://www.sei.cmu.edu/blog/modeling-services-with-model-based-systems-engineering-mbse/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post explores an approach to designing services using model-based systems engineering (MBSE) with OMG’s Unified Architecture Framework (UAF).

Radio-Frequency Attacks: Securing the OSI Stack2025-10-20T00:00:00-04:002025-10-20T00:00:00-04:00Joseph McIlvennyhttps://www.sei.cmu.edu/blog/radio-frequency-attacks-securing-the-osi-stack/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This blog post reviews common radio frequency attacks and investigates how software and cybersecurity play key roles in these exploitations.

What’s New in SSVC: Build, Explore, and Evolve Your Decision Models2025-10-13T00:00:00-04:002025-10-13T00:00:00-04:00Bon Jin Koo, Renae Metcalf, Vijay Sarvepalli, Allen Householderhttps://www.sei.cmu.edu/blog/whats-new-in-ssvc-build-explore-and-evolve-your-decision-models/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

Recent updates to the Stakeholder-Specific Vulnerability Categorization (SSVC) framework help different stakeholders to prioritize vulnerabilities according to their distinct risk appetites.

Enhancing Security with Cloud Flow Logs2025-10-06T00:00:00-04:002025-10-06T00:00:00-04:00Timothy Shimeallhttps://www.sei.cmu.edu/blog/enhancing-security-with-cloud-flow-logs/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

The SEI has a history of support for flow log analysis, including its 2025 releases (for Azure or AWS) of open-source scripts to facilitate cloud flow log analysis. This blog explores challenges with correlating events across multiple CSPs.

5 Essential Questions for Implementing the Software Acquisition Pathway and the Tools to Tackle Them2025-09-23T00:00:00-04:002025-09-23T00:00:00-04:00Eileen Wrubel, Rita Creel, Brigid O'Hearnhttps://www.sei.cmu.edu/blog/five-essential-questions-for-implementing-the-software-acquisition-pathway/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This post outlines 5 essential questions to ask before implementing the Software Acquisition Pathway (SWP) and an SEI toolset to assist in the effort.

A Call to Action: Building a Foundation for Model-Based Systems Engineering in Digital Engineering2025-09-15T00:00:00-04:002025-09-15T00:00:00-04:00Peter Capell, William Hayes, Jerome Hugues, Nataliya Shevchenkohttps://www.sei.cmu.edu/blog/a-call-to-action-building-a-foundation-for-model-based-systems-engineering-in-digital-engineering/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

The SEI brought together stakeholders who have been engaging and actively innovating in the dynamic environment of digital engineering. This blog post highlights calls to action for future work in MBSE and digital engineering from practitioners in the field.

My AI System Works…But Is It Safe to Use?2025-09-09T00:00:00-04:002025-09-09T00:00:00-04:00David Schulker, Matt Walsh, Emil Mathewhttps://www.sei.cmu.edu/blog/my-ai-system-worksbut-is-it-safe-to-use/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

This blog post introduce System Theoretic Process Analysis (STPA), a hazard analysis technique uniquely suitable for dealing with the complexity of AI systems.

7 Recommendations to Improve SBOM Quality2025-08-25T00:00:00-04:002025-08-25T00:00:00-04:00David Tobar, Jessie Jamieson, Mark Priest, Jason Frickehttps://www.sei.cmu.edu/blog/7-recommendations-to-improve-sbom-quality/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates

There is growing interest in using SBOMs to support software supply chain risk management. This post recommends seven ways to improve SBOM accuracy.