search menu icon-carat-right cmu-wordmark
Our Research

Cybersecurity Engineering

Cybersecurity engineering (CSE) research builds knowledge and capabilities that enhance acquisition and development lifecycle methods, processes, and practices. CSE reduces security weaknesses and ensures that resulting systems, software components, and compositions address software assurance, information assurance, supply chain risk management, and more.

As organizations capitalize on the opportunities for shared resources and capabilities to improve cost efficiencies and scheduling, they must address the increased cybersecurity risk that these opportunities introduce. Third-party tools and cloud capacity, for example, provide major benefits for organizations, such as quick setup and flexibility. However, these resources are built and controlled by external parties with limited understanding of the impact of security choices. As a result, patterns of operational failure, misuse, and abuse can emerge from a variety of sources, including supply chains as well as weak internal practices in software acquisition or development.

Attackers need three key elements to successfully carry out an attack: they need software to have a vulnerability, they must have access to it, and they must have the capability to exploit it. The first two elements can be directly controlled by good decisions during the acquisition and development process, and the field of cybersecurity engineering aims to ensure that the process is secure from the outset. For these reasons, mission success depends on making sure that stakeholders in the acquisition and development process make good choices.

Many organizations, however, struggle to implement effective and repeatable practices that can respond to changing technology needs, discover vulnerabilities before attackers do, and manage the growing threats stemming from weak acquisition and legacy, as well as from third party or supply chain management (SCRM) practices. These problems are of special concern when it comes to the software products that support critical infrastructure, monitor and manage our money, or control our buildings and transportation, to name just a few examples.


Building Security into Application Lifecycles

The goal of cybersecurity engineering is to ensure that the software you develop or acquire delivers the functionality you expect of it and does not allow actions that might introduce risk. To achieve this goal, the SEI helps prepare managers, engineers, developers, testers, and other groups involved in lifecycle tasks, to build and field effective cybersecurity in current and future software acquisition and development, validate and sustain cybersecurity in systems and software, and deliver the mission impact your organization expects of its software.

The SEI’s CSE team leverages expertise in system and software engineering, risk management, program management, measurement, and cybersecurity to create methods and solutions that your organization can integrate into its existing acquisition and development lifecycle practices. To these ends, the SEI offers many tools and approaches to help engineering, development, acquisition, and sustainment groups that work in or with your organization. These tools include

  • the Security Quality Requirements Engineering (SQUARE) tool, which helps define quality requirements that include sufficient security for development and supports stakeholders’ review of software requirements to ensure vendors properly prepare their software for integration
  • the Security Engineering Risk Analysis (SERA) approach, which helps organizations detect and remediate design weaknesses early in the development or acquisition process
  • the Software Assurance Framework (SAF), a set of practices you can use to evaluate and improve your cybersecurity

The SEI continues to expand CSE research through engagements with the DoD and other federal agencies to address real-world challenges. Over the years, we have shared our findings in many notable publications, including a book on cybersecurity, a paper on assessing DoD risk in acquisition, and a program manager’s guidebook for software assurance.

In addition, the SEI can support colleges and universities as they strive to prepare students to understand the growing threat environment. We provide materials that educational institutions can use to develop curricula and course offerings, and to prepare the future workforce for addressing cybersecurity and SCRM.

What We Offer

Our Vision for the Future of Cybersecurity Engineering

SEI researchers continue to expand available CSE options for use by practitioners. We are currently developing archetypes to support organizations in identifying cybersecurity risks and tailoring them for improved evaluation of mission impact.

To collaborate on these new projects in the field of cybersecurity engineering, contact us .

Contact Us