Cybersecurity Engineering

The Software Engineering Institute (SEI) stands on the front lines of defense against cyber adversaries. Our cybersecurity engineering (CSE) research protects and defends national security systems, software components, and data from unauthorized access, cyberattacks, and other malicious activities.

With new vulnerabilities emerging daily, staying ahead of threats in today’s fast-paced cybersecurity landscape is a race against time. At the SEI, our mission-driven focus is to strengthen our nation's cybersecurity infrastructure by securing the country's most critical systems and protecting agencies and systems from a loss of confidentiality, integrity, or availability (CIA) due to cyber threats.

It's vital to balance opportunities, such as shared resources and capabilities, third-party tools, and cloud capacity, with the increased cybersecurity risk that these opportunities introduce to the defense industrial base (DIB). To reduce risk, it's imperative to implement effective and repeatable practices that can respond to changing technology needs, discover vulnerabilities before attackers do, manage the growing threats against software products that support critical infrastructure, enable warfighters, monitor and manage money, and control physical resources, buildings, and transportation.

The SEI’s CSE researchers aim to ensure that the acquisition and development process is secure from the start. Our mission success is dependent on making sure that stakeholders make choices that protect them against legacy or weak supply chain management (SCRM), software acquisition, or development practices and strengthen cybersecurity resilience. With a deep, scalable understanding of how to detect and defend against security weaknesses and exploitation, our cybersecurity professionals are driven to harden the nation’s vulnerability surface and protect national security interests.

Advance Cybersecurity Resilience

The goal of CSE is to ensure that the software the Department of Defense (DoD) and federal agencies develop or acquire delivers the expected functionality and blocks actions that might introduce risk. To achieve this goal, the SEI helps prepare managers, engineers, developers, testers, and other groups involved in lifecycle tasks, to build and field effective cybersecurity in current and future software acquisition and development, validate and sustain cybersecurity in systems and software, and deliver the mission impact your organization expects of its software.

• The CERT Cybersecurity Engineering and Software Assurance Professional Certificate program explores software-reliant systems engineering and acquisition activities to help information systems professionals improve their awareness of cybersecurity and establish an approach to identifying security requirements.
• In the SEI’s CERT Applied Data Science for Cybersecurity Professional Certificate, CERT machine learning research scientists and cybersecurity experts at the SEI share their expertise in a suite of courses teaching machine learning (ML) and artificial intelligence (AI) techniques and best practices for the analysis of cybersecurity data using the tools of data science.

Build Security into Application Lifecycles

The SEI’s CSE team leverages expertise in system and software engineering, risk management, program management, measurement, and cybersecurity to create methods and solutions that you can integrate into your existing acquisition and development lifecycle practices. To this end, the SEI offers many tools and approaches to help engineering, development, acquisition, and sustainment groups that work in or with your organization.

• Employ the Security Quality Requirements Engineering (SQUARE) tool to define quality requirements that include sufficient security for development and support stakeholders’ review of software requirements to ensure vendors properly prepare their software for integration.
• Implement the Security Engineering Risk Analysis (SERA) approach to detect and remediate design weaknesses early in the development or acquisition process.
• Utilize the Software Assurance Framework (SAF) practices to evaluate and improve your cybersecurity.
• Incorporate the Redemption tool to make automated repairs to C and C++ source code based on defect alerts produced by static-analysis tools.

The SEI continues to expand CSE research through engagements with the DoD and other federal agencies to address real-world challenges. Over the years, we have shared our findings in many notable publications, including a book on cybersecurity, a paper on assessing DoD risk in acquisition, and a program manager’s guidebook for software assurance.