Podcasts
The SEI Podcast Series presents conversations in software engineering, cybersecurity, artificial intelligence engineering, and future technologies.
-
We Live in Software: Engineering Societal-Scale Systems
May 2023 Podcast
John E. Robert; Forrest Shull
John Robert, deputy director of the SEI’s Software Solutions Division, and Forrest Shull, lead for defense software acquisition policy research at the SEI, discuss issues that must be considered when engineering societal-scale systems.
Listen -
Secure by Design, Secure by Default
May 2023 Podcast
Greg Touhill
Gregory J. Touhill, director of the SEI CERT Division, talks with Suzanne Miller about secure by design, secure by default, a longstanding tenet of the work of the SEI and CERT in particular.
Listen -
Key Steps to Integrate Secure by Design into Acquisition and Development
May 2023 Podcast
Carol Woody, PhD; Robert Schiela
Robert Schiela and Carol Woody talk with Suzanne Miller about the importance of integrating the practices and mindset of secure by design into the acquisition and development of software-reliant systems.
Listen -
An Exploration of Enterprise Technical Debt
April 2023 Podcast
Stephany Bellomo
Stephany Bellomo, a principal engineer in the SEI’s Software Solutions Division, talks with principal researcher Suzanne Miller about identifying and remediating enterprise technical debt.
Listen -
The Messy Middle of Large Language Models
April 2023 Podcast
Jay Palat; Rachel Dzombak
Jay Palat and Rachel Dzombak discuss the current landscape of large language models (LLMs) and how to leverage tools built on top of LLMs, such as ChatGPT and Copilot.
Listen -
An Infrastructure-Focused Framework for Adopting DevSecOps
March 2023 Podcast
Vanessa B. Jackson; Lyndsi A. Hughes
Vanessa Jackson and Lyndsi Hughes discuss the DevSecOps adoption framework, which guides organizations in the planning and implementation of a roadmap to functional CI/CD pipeline capabilities.
Listen -
Software Security in Rust
March 2023 Podcast
Joe Sible; David Svoboda
David Svoboda and Joe Sible talk with Suzanne Miller about the Rust programming language and its security-related features.
Listen -
Improving Interoperability in Coordinated Vulnerability Disclosure with Vultron
February 2023 Podcast
Allen D. Householder
Allen Householder, a senior vulnerability and incident researcher with the SEI’s CERT Division, talks with SEI principal investigator Suzanne Miller about Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).
Listen -
Asking the Right Questions to Coordinate Security in the Supply Chain
February 2023 Podcast
Carol Woody, PhD
Carol Woody talks with Suzanne Miller about the SEI’s newly released Acquisition Security Framework, which helps programs coordinate the management of engineering and supply-chain risks across system components.
Listen -
Securing Open Source Software in the DoD
January 2023 Podcast
Scott Hissam; Linda Parker Gates
Scott Hissam talks with Linda Parker Gates about the use of free and open-source software (FOSS) in the DoD, building on insights that surfaced in a recent workshop held for producers and consumers of FOSS for DoD systems.
Listen -
A Model-Based Tool for Designing Safety-Critical Systems
January 2023 Podcast
Sam Procter; Lutz Wrage
Sam Procter and Lutz Wrage discuss with Suzanne Miller the Guided Architecture Trade Space Explorer (GATSE), a new SEI-developed model-based tool to help with the design of safety-critical systems.
Listen -
Managing Developer Velocity and System Security with DevSecOps
December 2022 Podcast
Alejandro Gomez
Alejandro Gomez talks with Suzanne Miller about how his team explored—and eventually resolved—the two competing forces of developer velocity and cybersecurity enforcement by implementing DevSecOps.
Listen -
A Method for Assessing Cloud Adoption Risks
November 2022 Podcast
Christopher J. Alberts
Chris Alberts discusses with Suzanne Miller a prototype set of cloud adoption risk factors and describes a method that managers can employ to assess their cloud initiatives against these risk factors.
Listen -
Software Architecture Patterns for Deployability
November 2022 Podcast
Rick Kazman
Rick Kazman, an SEI visiting scientist and coauthor of Software Architecture in Practice, talks with principal researcher Suzanne Miller about using patterns for software deployability.
Listen -
A Roadmap for Creating and Using Virtual Prototyping Software
October 2022 Podcast
Douglass Post; Richard Kendall
Douglass Post and Richard Kendall discuss their experiences applying virtual prototyping in Computational Research and Engineering Acquisition Tools and Environments (CREATE).
Listen -
ML-Driven Decision-Making in Realistic Cyber Exercises
October 2022 Podcast
Dustin D. Updyke; Thomas G. Podnar
Thomas Podnar and Dustin Updyke discuss efforts by the SEI CERT Division to apply machine learning to increase the realism of non-player characters (NPCs) in cyber training exercises.
Listen -
Software Architecture Patterns for Robustness
September 2022 Podcast
Rick Kazman
Rick Kazman discusses software architecture patterns and the effect that certain architectural patterns have on quality attributes, such as availability and robustness.
Listen -
A Platform-Independent Model for DevSecOps
September 2022 Podcast
Timothy A. Chick; Joseph D. Yankel
Tim Chick and Joe Yankel present a DevSecOps Platform-Independent Model that uses model-based systems engineering (MBSE) to formalize the practices of DevSecOps pipelines and organize relevant guidance.
Listen -
Using the Quantum Approximate Optimization Algorithm (QAOA) to Solve Binary-Variable Optimization Problems
August 2022 Podcast
Jason Larkin; Daniel Justice
Jason Larkin and Daniel Justice, researchers in the SEI’s AI Division, discuss a paper outlining their efforts to simulate the performance of Quantum Approximate Optimization Algorithm (QAOA) for the Max-Cut problem.
Listen -
A Dive into Deepfakes
August 2022 Podcast
Shannon Gallagher; Dominic A. Ross
Shannon Gallagher, a data scientist with SEI’s CERT Division, and Dominic Ross, multimedia team lead for the SEI, discuss deepfakes, their exponential growth in recent years, and their increasing technical sophistication and realism.
Listen -
Trust and AI Systems
August 2022 Podcast
Carol J. Smith; Dustin D. Updyke
Carol Smith, a senior research scientist in human machine interaction, and Dustin Updyke, a senior cybersecurity engineer in the SEI’s CERT Division, discuss the construction of trustworthy AI systems and factors influencing human trust of AI systems.
Listen -
Challenges and Metrics in Digital Engineering
July 2022 Podcast
William Richard Nichols
Bill Nichols and Suzanne Miller discuss the challenges in making the transition from traditional development practices to digital engineering.
Listen -
The 4 Phases of the Zero Trust Journey
July 2022 Podcast
Timothy Morrow; Matthew Nicolai
Tim Morrow and Matthew Nicolai outline 4 steps that organizations can take to implement and maintain a zero trust architecture.
Listen -
DevSecOps for AI Engineering
June 2022 Podcast
Hasan Yasar; Jay Palat
Hasan Yasar and Jay Palat discuss how to engineer AI systems with DevSecOps and explore the relationship between MLOps and DevSecOps.
Listen -
Undiscovered Vulnerabilities: Not Just for Critical Software
June 2022 Podcast
Jonathan Spring
Jonathan Spring discusses the findings in a recent paper that analyzes the number of undiscovered vulnerabilities in information systems.
Listen -
Explainable AI Explained
May 2022 Podcast
Violet Turri
Violet Turri discusses explainable AI, which encompasses all the techniques that make the decision-making processes of AI systems understandable to humans.
Listen -
Model-Based Systems Engineering Meets DevSecOps
April 2022 Podcast
Jerome Hugues; Joseph D. Yankel
Jerome Hugues and Joe Yankel discuss ModDevOps, an extension of DevSecOps that embraces model-based systems engineering (MBSE) practices and technology.
Listen -
Incorporating Supply Chain Risk and DevSecOps into a Cybersecurity Strategy
March 2022 Podcast
Carol Woody, PhD
Carol Woody, a principal researcher in the SEI's CERT Division, talks with Suzanne Miller about supply-chain issues and the planning needed to integrate software from the supply chain into operational environments.
Listen -
Software and Systems Collaboration in the Era of Smart Systems
March 2022 Podcast
Paul Nielsen
SEI director Paul Nielsen talks with principal researcher Suzanne Miller about how the advent of smart systems has led to a growing need for effective collaboration between the disciplines of systems engineering and software engineering.
Listen -
Securing the Supply Chain for the Defense Industrial Base
March 2022 Podcast
Gavin Jurecko; Katie C. Stewart
Gavin Jurecko, who leads the SEI’s Resilience Diagnostics Team, talks with Katie Stewart about risks associated with defense industrial base (DIB) supply chains and how the SEI works with the U.S. Department of Defense to mitigate those risks.
Listen -
Building on Ghidra: Tools for Automating Reverse Engineering and Malware Analysis
February 2022 Podcast
Jeff Gennari; Garret Wassermann
Jeffrey Gennari and Garret Wassermann talk with Suzanne Miller about Kaiju, a series of tools that they have developed that allows for malware analysis and reverse engineering. Kaiju helps analysts take better advantage of the NSA's Ghidra framework.
Listen -
Envisioning the Future of Software Engineering
January 2022 Podcast
Anita Carleton; Forrest Shull
Anita Carleton and Forrest Shull discuss the recently published SEI-led study Architecting the Future of Software Engineering: A National Agenda for Software Engineering Research & Development.
Listen -
Implementing the DoD's Ethical AI Principles
January 2022 Podcast
Alexandrea Van Deusen; Carol J. Smith
In this SEI podcast, Alex Van Deusen and Carol Smith, both with the SEI's AI Division, discuss a recent project in which they helped the Defense Innovation Unit of the U.S. Department of Defense to develop guidelines for the responsible use of AI.
Listen -
Walking Fast Into the Future: Evolvable Technical Reference Frameworks for Mixed-Criticality Systems
December 2021 Podcast
Nickolas Guertin; Douglas Schmidt (Vanderbilt University)
In this SEI Podcast, Suzanne Miller talks with Nickolas Guertin and Douglas Schmidt about strategies for creating architectures for large-scale, complex systems that comprise functions with a wide range of requirements.
Listen -
Software Engineering for Machine Learning
November 2021 Podcast
Grace Lewis; Ipek Ozkaya
Grace Lewis and Ipek Ozkaya discuss their research into software engineering for machine learning (ML) with host Jonathan Spring.
Listen -
A Discussion on Automation with Watts Humphrey Award Winner Rajendra Prasad
November 2021 Podcast
Rajendra T. Prasad (Accenture)
In this SEI Podcast, 2020 IEEE Computer Society SEI Watts Humphrey Software Quality Award winner Rajendra Prasad of Accenture talks with Mike Konrad of the SEI about automation.
Listen -
Enabling Transition from Sustainment to Engineering within the DoD
November 2021 Podcast
Thomas Evans; Douglas Schmidt (Vanderbilt University)
Thomas Evans and Douglas C. Schmidt discuss challenges sustainment teams face when transitioning from sustainment to engineering in the DoD.
Listen -
The Silver Thread of Cyber in the Global Supply Chain
October 2021 Podcast
Matthew J. Butkovic
Matt Butkovic, technical director of risk and resilience in the SEI's CERT Division, discusses with Suzanne Miller the importance of cyber in the global supply chain and his team's work with the World Economic Forum.
Listen -
Measuring DevSecOps: The Way Forward
October 2021 Podcast
William Nichols; Hasan Yasar
Bill Nichols and Hasan Yasar discuss the ways in which DevSecOps practices yield valuable information about software performance that is likely to lead to innovations in software engineering metrics.
Listen -
Bias in AI: Impact, Challenges, and Opportunities
September 2021 Podcast
Carol J. Smith; Jonathan Spring
Carol Smith discusses with Jonathan Spring the hidden sources of bias in artificial intelligence (AI) systems and how systems developers can raise their awareness of bias, mitigate consequences, and reduce risks.
Listen -
My Story in Computing with Rachel Dzombak
September 2021 Podcast
Rachel Dzombak
In this SEI Podcast, the latest in the “My Story in Computing” series, Rachel Dzombak discusses the journey that led to her current leadership role at the SEI as digital transformation lead in artificial-intelligence (AI) engineering.
Listen -
Agile Strategic Planning: Concepts and Methods for Success
September 2021 Podcast
Linda Parker Gates; Suzanne Miller
Linda Parker Gates, initiative lead, Software Acquisition Pathways, and Suzanne Miller, principal researcher in the SEI's Software Solutions Division, discuss the principles of Agile strategic planning and methods for success.
Listen -
Applying Scientific Methods in Cybersecurity
August 2021 Podcast
Leigh B. Metcalf; Jonathan Spring
Leigh Metcalf and Jonathan Spring discuss with Suzanne Miller the application of scientific methods to cybersecurity, a subject of their recently published book, Using Science in Cybersecurity.
Listen -
Zero Trust Adoption: Benefits, Applications, and Resources
August 2021 Podcast
Geoffrey T. Sanders
Geoff Sanders, a senior network defense analyst in the SEI's CERT Division, discusses zero trust adoption and its benefits, applications, and available resources.
Listen -
Uncertainty Quantification in Machine Learning: Measuring Confidence in Predictions
August 2021 Podcast
Eric Heim
Eric Heim, a senior machine learning research scientist at the Software Engineering Institute at Carnegie Mellon University, discusses the quantification of uncertainty in machine-learning (ML) systems.
Listen -
11 Rules for Ensuring a Security Model with AADL and Bell–LaPadula
July 2021 Podcast
Aaron Greenhouse
Aaron Greenhouse, a senior software architecture researcher, discusses 11 analysis rules that must be enforced over an AADL instance to ensure the consistency of a security model.
Listen -
Benefits and Challenges of Model-Based Systems Engineering
July 2021 Podcast
Nataliya Shevchenko; Mary Popeck
Nataliya [Natasha] Shevchenko and Mary Popeck discuss the use of model-based systems engineering (MBSE), which, in contrast to document-centric engineering, puts models at the center of system design.
Listen -
Fostering Diversity in Software Engineering
July 2021 Podcast
Grace Lewis; Ipek Ozkaya; Jay Palat
Grace Lewis hosts a panel discussion with Ipek Ozkaya, Nathan West, and Jay Palat about diversity in software engineering.
Listen -
Can DevSecOps Make Developers Happier?
July 2021 Podcast
Hasan Yasar
Hasan Yasar discusses the cultural aspects of DevSecOps practices.
Listen -
Is Your Organization Ready for AI?
June 2021 Podcast
Carol J. Smith; Rachel Dzombak
Digital transformation lead Dr. Rachel Dzombak and research scientist Carol Smith discuss how AI Engineering can support organizations to implement AI systems.
Listen -
My Story in Computing with Marisa Midler
June 2021 Podcast
Marisa Midler
Marisa Midler discusses the career path that led to her work as a cybersecurity engineer in the SEI's CERT Division. In all life choices, Midler has been guided by the mantra: never settle.
Listen -
Managing Vulnerabilities in Machine Learning and Artificial Intelligence Systems
June 2021 Podcast
Nathan M. VanHoudnos; Jonathan Spring; Allen D. Householder
Allen Householder, Jonathan Spring, and Nathan VanHoudnos discuss how to manage vulnerabilities in AI/ML systems.
Listen -
AI Workforce Development
May 2021 Podcast
Rachel Dzombak; Jay Palat
Rachel Dzombak and Jay Palat discuss growth in the field of artificial intelligence (AI) and how organizations can hire and train staff to take advantage of the opportunities afforded by AI and machine learning.
Listen -
Moving from DevOps to DevSecOps
May 2021 Podcast
Hasan Yasar
Hasan Yasar discusses how organizations can transition from DevOps to DevSecOps.
Listen -
My Story in Computing with Dave Zubrow
April 2021 Podcast
David Zubrow
David Zubrow discusses his career journey, which led from a PhD in applied history and social sciences to his role as a manager and technical leader at the SEI.
Listen -
Mission-Based Prioritization: A New Method for Prioritizing Agile Backlogs
April 2021 Podcast
Keith Korzec
Keith Korzec discusses the Mission-Based Prioritization method for prioritizing Agile backlogs.
Listen -
My Story in Computing with Carol Smith
April 2021 Podcast
Carol J. Smith
Carol Smith, who trained as a photojournalist, transitioned a love of telling people's stories to a career in human-computer interaction working in artificial intelligence with the SEI's Emerging Technology Center.
Listen -
Digital Engineering and DevSecOps
March 2021 Podcast
David James Shepard
David Shepard, a software developer with the SEI's Software Solutions Division, discusses digital engineering and its relationship with DevSecOps.
Listen -
A 10-Step Framework for Managing Risk
March 2021 Podcast
Brett Tucker
Brett Tucker outlines OCTAVE FORTE, a 10-step framework to guide organizations in managing risk.
Listen -
7 Steps to Engineer Security into Ongoing and Future Container Adoption Efforts
February 2021 Podcast
Tom Scanlon; Richard Laughlin
Thomas Scanlon and Richard Laughlin discuss seven steps that developers can take to engineer security into ongoing and future container adoption efforts.
Listen -
Ransomware: Evolution, Rise, and Response
February 2021 Podcast
Marisa Midler; Timothy J. Shimeall
Marisa Midler and Tim Shimeall, analysts with the SEI's CERT Division, discuss steps and strategies that organizations can adopt to minimize their exposure to the risks and threats associated with ransomware.
Listen -
VINCE: A Software Vulnerability Coordination Platform
January 2021 Podcast
Emily Sarneso; Art Manion
Emily Sarneso, the architect of VINCE, and Art Manion, technical manager of the Vulnerability Analysis Team in the SEI CERT Division, discuss the rollout of VINCE, how to use it, and future work in vulnerability coordination.
Listen -
Work From Home: Threats, Vulnerabilities, and Strategies for Protecting Your Network
January 2021 Podcast
Phil Groce
Phil Groce, a senior network defense analyst in the SEI's CERT Division, discusses the security implications of remote work.
Listen -
An Introduction to CMMC Assessment Guides
December 2020 Podcast
Katie C. Stewart; Andrew F. Hoover
In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC 1.0 model, discuss the CMMC assessment guides, how they were developed, and how they can be used.
Listen -
The CMMC Level 3 Assessment Guide: A Closer Look
December 2020 Podcast
Andrew F. Hoover; Katie C. Stewart
Andrew Hoover and Katie Stewart, architects of the CMMC 1.0 model, discuss the Level 3 Assessment Guide for the CMMC and how it differs from the Level 1 Assessment Guide.
Listen -
The CMMC Level 1 Assessment Guide: A Closer Look
December 2020 Podcast
Katie C. Stewart; Andrew F. Hoover
Andrew Hoover and Katie Stewart, architects of the CMMC 1.0 model, discuss the Level 1 Assessment Guide for the CMMC.
Listen -
Achieving Continuous Authority to Operate (ATO)
November 2020 Podcast
Hasan Yasar; Shane Ficorilli
Shane Ficorilli and Hasan Yasar sit down with Suzanne Miller to discuss Continuous ATO, including challenges, the role of DevSecOps, and cultural issues that organizations must address.
Listen -
Challenging the Myth of the 10x Programmer
November 2020 Podcast
William Nichols
Bill Nichols, a researcher in the SEI's Software Solution Division, recently examined the veracity and relevance of the widely held notion that some programmers are much better than others (the 10x programmer).
Listen -
A Stakeholder-Specific Vulnerability Categorization
October 2020 Podcast
Allen D. Householder; Eric Hatleback; Jonathan Spring
Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and also take audience members through scoring a sample vulnerability.
Listen -
Optimizing Process Maturity in CMMC Level 5
October 2020 Podcast
Katie C. Stewart; Andrew F. Hoover
Andrew Hoover and Katie Stewart, architects of the CMMC 1.0 model, discuss the Level 5 process maturity requirements, which are standardizing and optimizing a documented approach for CMMC.
Listen -
Reviewing and Measuring Activities for Effectiveness in CMMC Level 4
October 2020 Podcast
Andrew F. Hoover; Katie C. Stewart
Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss reviewing and communicating CMMC activities and measuring those activities for effectiveness, which are requirements of Level 4 of the model.
Listen -
Situational Awareness for Cybersecurity: Beyond the Network
October 2020 Podcast
Timothy Morrow; Angela Horneman
Angela Horneman and Timothy Morrow discuss the importance of looking beyond the network to gain situational awareness for cybersecurity.
Listen -
Quantum Computing: The Quantum Advantage
September 2020 Podcast
Jason Larkin
Dr. Jason Larkin discusses the challenges of working in the NISQ era and the work that the SEI is doing in quantum computing.
Listen -
CMMC Scoring 101
September 2020 Podcast
Katie C. Stewart; Andrew F. Hoover
Andrew Hoover and Katie Stewart, architects of the Cybersecurity Maturity Model Certification (CMMC) 1.0, discuss how assessed DIB organizations are scored according to the model.
Listen -
Developing an Effective CMMC Policy
August 2020 Podcast
Andrew F. Hoover; Katie C. Stewart
Andrew Hoover and Katie Stewart, architects of the Cybersecurity Maturity Model Certification (CMMC) 1.0, present guidelines for developing an effective CMMC policy.
Listen -
The Future of Cyber: Educating the Cybersecurity Workforce
August 2020 Podcast
Dr. Diana Burley; Roberta (Bobbie) Stempfley
Bobbie Stempfley, director of the SEI's CERT Division, interviews Dr. Diana Burley, executive director and chair of I3P, and vice provost for research for American University.
Listen -
Documenting Process for CMMC
July 2020 Podcast
Katie C. Stewart; Andrew F. Hoover
Andrew Hoover and Katie Stewart, architects of the Cybersecurity Maturity Model Certification (CMMC) 1.0, discuss process documentation, a Level 2 requirement.
Listen -
Agile Cybersecurity
July 2020 Podcast
Carol Woody, PhD; Will Hayes
Dr. Carol Woody and Will Hayes discuss an approach that allows organizations to integrate cybersecurity into the agile pipeline.
Listen -
CMMC Levels 1-3: Going Beyond NIST SP-171
July 2020 Podcast
Katie C. Stewart; Andrew F. Hoover
Andrew Hoover and Katie Stewart, CMMC architects, discuss Levels 1-3 of the model and what steps organizations need to take to move beyond NIST 800-171.
Listen -
The Future of Cyber: Secure Coding
June 2020 Podcast
Steve Lipner; Roberta (Bobbie) Stempfley
Bobbie Stempfley, director of the CERT Division of the SEI, explores the future of secure coding with Steve Lipner, the executive director of SAFECode and former director of software security at Microsoft.
Listen -
Challenges to Implementing DevOps in Highly Regulated Environments
May 2020 Podcast
Hasan Yasar; Jose A. Morales
Hasan Yasar and Jose Morales discuss challenges to implementing DevOps in highly regulated environments (HREs), exploring issues such as environment parity, the approval process, and compliance.
Listen -
The Future of Cyber: Cybercrime
May 2020 Podcast
David Hickton; Roberta (Bobbie) Stempfley
David Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security, sits down with Bobbie Stempfley, director of the SEI's CERT Division, to talk about the future of cybercrime and secure elections.
Listen -
Designing Trustworthy AI
April 2020 Podcast
Carol J Smith
Carol Smith discusses a framework that builds upon the importance of diverse teams and ethical standards to ensure that AI systems are trustworthy and able to effectively augment warfighters.
Listen -
My Story in Computing with Madison Quinn Oliver
April 2020 Podcast
Madison Oliver
Madison Quinn Oliver, an associated vulnerability engineer in the SEI's CERT Division, discusses her career journey and obstacles and mentors that she encountered along the way.
Listen -
The CERT Guide to Coordinated Vulnerability Disclosure
March 2020 Podcast
Allen D. Householder; David Warren
Allen Householder and David Warren discuss the CERT Guide to Coordinated Vulnerability Disclosure, which is used by security researchers, software vendors, and other stakeholders in informing others about security vulnerabilities.
Listen -
Women in Software and Cybersecurity: Dr. April Galyardt
March 2020 Podcast
April Galyardt
Dr. April Galyardt, a machine learning research scientist in the SEI's CERT Division, discusses her career journey, challenges, and lessons learned along the way.
Listen -
The Future of Cyber: Security and Privacy
February 2020 Podcast
Dr. Lorrie Cranor; Roberta (Bobbie) Stempfley
Dr. Lorrie Faith Cranor, director of CyLab, sits down with Bobbie Stempfley, director of the SEI's CERT Division, to talk about the future of cyber in security and privacy.
Listen -
The Future of Cyber: Security and Resilience
February 2020 Podcast
J. Michael McQuade, Ph.D.; Roberta (Bobbie) Stempfley
Bobbie Stempfley, director of the CERT Division of the SEI, and Dr. Michael McQuade, vice-president for research at Carnegie Mellon University, discuss the future of cyber in security and resilience.
Listen -
Reverse Engineering Object-Oriented Code with Ghidra and New Pharos Tools
February 2020 Podcast
Jeff Gennari; Cory Cohen
Jeff Gennari and Cory Cohen discuss updates to the Pharos Binary Analysis Framework in GitHub, including a new plug-in to import OOAnalyzer analysis into the NSA's recently released Ghidra software reverse engineering tool suite.
Listen -
Women in Software and Cybersecurity: Dr. Carol Woody
January 2020 Podcast
Carol Woody, PhD
Dr. Carol Woody discusses the career path that led to her current role as technical manager for the Cybersecurity Engineering (CSE) team in the SEI's CERT Division.
Listen -
Benchmarking Organizational Incident Management Practices
December 2019 Podcast
Robin Ruefle; Mark Zajicek
Robin Ruefle and Mark Zajicek discuss recent work that provides a baseline or benchmark of incident management practices for an organization.
Listen -
Machine Learning in Cybersecurity: 7 Questions for Decision Makers
December 2019 Podcast
Jonathan Spring; April Galyardt; Angela Horneman
April Galyardt, Angela Horneman, and Jonathan Spring discuss key questions that managers and decision makers should ask about machine learning to effectively solve cybersecurity problems.
Listen -
Women in Software and Cybersecurity: Kristi Roth
November 2019 Podcast
Kristi Roth discusses her experience as an intern in the SEI's Software Solutions Division and her journey into the field of software engineering.
Listen -
Human Factors in Software Engineering
November 2019 Podcast
Andrew O. Mellinger; Suzanne Miller; Hasan Yasar
Andrew Mellinger, Suzanne Miller, and Hasan Yasar discuss the human factors that impact software engineering, from the communication tools they use to the environments where they work.
Listen -
Women in Software and Cybersecurity: Anita Carleton
October 2019 Podcast
Anita Carleton
Anita Carleton discusses the career path that led to her current role as acting director of the SEI's Software Solutions Division and the challenges and mentors (Watts Humphrey) that she encountered along the way.
Listen -
Improving the Common Vulnerability Scoring System
October 2019 Podcast
Jonathan Spring; Art Manion; Deana Shick
Art Manion, Deana Shick, and Jonathan Spring discuss a 2019 paper that outlines challenges with the Common Vulnerability Scoring System (CVSS) and proposes changes to improve it.
Listen -
Why Software Architects Must Be Involved in the Earliest Systems Engineering Activities
October 2019 Podcast
Sarah Sheard
Dr. Sarah Sheard discusses the importance of including software architects in the earliest systems engineering activities.
Listen -
Selecting Metrics for Software Assurance
September 2019 Podcast
Carol Woody, PhD
Dr. Carol Woody discusses the selection of metrics for measuring the software assurance of a product as it is developed and delivered to function in a specific system context.
Listen -
AI in Humanitarian Assistance and Disaster Response
September 2019 Podcast
Ritwik Gupta
Ritwik Gupta, a machine learning research scientist in the SEI's Emerging Technology Center, discusses the use of AI in humanitarian assistance and disaster response (HADR) efforts.
Listen -
The AADL Error Library
August 2019 Podcast
Sam Procter; Peter H. Feiler
Peter Feiler and Sam Procter present the Architecture Analysis and Design Language (AADL) EMV2 Error Library, which is an established taxonomy that draws on a broad range of previous work in classifying system errors.
Listen -
Women in Software and Cybersecurity: Suzanne Miller
August 2019 Podcast
Suzanne Miller
SEI principal researcher Suzanne Miller discusses the path that led to her present-day career and the challenges and mentors that she encountered along the way.
Listen -
Privacy in the Blockchain Era
July 2019 Podcast
Dr. Giulia Fanti (Electrical and Computer Engineering, CMU College of Engineering)
Dr. Giulia Fanti, an assistant professor of Electrical and Computer Engineering at Carnegie Mellon University, discusses her latest research including privacy problems in the cryptocurrency and blockchain space.
Listen -
Cyber Intelligence: Best Practices and Biggest Challenges
July 2019 Podcast
Jared Ettinger
Jared Ettinger, a cyber intelligence researcher in the SEI's Emerging Technology Center, discusses the findings of a report that outlines challenges and best practices in cyber intelligence.
Listen -
Assessing Cybersecurity Training
July 2019 Podcast
April Galyardt
April Galyardt, a machine learning research scientist, discusses efforts to develop a new approach to assessing the skills of the cybersecurity workforce.
Listen -
DevOps in Highly Regulated Environments
June 2019 Podcast
Hasan Yasar; Jose A. Morales
Hasan Yasar and Jose Morales discuss the process, challenges, approaches, and lessons learned in implementing DevOps in the software development lifecycle in highly regulated environments.
Listen -
Women in Software and Cybersecurity: Dr. Ipek Ozkaya
June 2019 Podcast
Ipek Ozkaya
In this podcast, the latest in our Women in Software and Cybersecurity podcast series, Dr. Ipek Ozkaya talks about the educational choices and career path that led to her current work.
Listen -
Defending Your Organization Against Business Email Compromise
May 2019 Podcast
Anne Connell
Anne Connell discusses recent business email compromise attacks, such as Operation Wire Wire, and offers guidance on how individuals and organizations can protect themselves from these sophisticated new modes of attack.
Listen -
My Story in Computing with Dr. Eliezer Kanal
May 2019 Podcast
Eliezer Kanal
In this SEI Podcast, the first in the My Story in Computing series, Dr. Kanal discusses his education, career path, and lessons he learned along the way.
Listen -
Women in Software and Cybersecurity: Eileen Wrubel
April 2019 Podcast
Eileen Wrubel
In this SEI Podcast, which highlights the work of Women in Software and Cybersecurity, Eileen Wrubel, co-lead of the SEI's Agile/DevOps Transformation directorate, discusses her career journey.
Listen -
Managing Technical Debt: A Focus on Automation, Design, and Architecture
March 2019 Podcast
Ipek Ozkaya; Robert Nord
Rod Nord and Ipek Ozkaya discuss the SEI's current work in technical debt including the development of analysis techniques to help software engineers and decision makers manage the effect of technical debt on their software projects.
Listen -
Women in Software and Cybersecurity: Grace Lewis
March 2019 Podcast
Grace Lewis
Grace Lewis discusses her career journey, which led to her leading Tactical Edge Computing at the SEI. This podcast is the latest installment in our Women in Software and Cybersecurity podcast series.
Listen -
10 Types of Application Security Testing Tools and How to Use Them
February 2019 Podcast
Tom Scanlon
Thomas Scanlon, a researcher in the SEI's CERT Division, discusses the different types of application security testing tools and provides guidance on how and when to use each tool.
Listen -
Leading in the Age of Artificial Intelligence
January 2019 Podcast
Thomas A. Longstaff
Tom Longstaff, who in 2018 was hired as the SEI's chief technology officer, discusses the challenges of leading a technical organization in the age of artificial intelligence.
Listen -
Women in Software and Cybersecurity: Dr. Lorrie Cranor
January 2019 Podcast
Dr. Lorrie Cranor
Dr. Lorrie Cranor, director of CyLab, discusses her career, her work in security and privacy, and her upcoming keynote at the Women in Cybersecurity Conference.
Listen -
Women in Software and Cybersecurity: Bobbie Stempfley
December 2018 Podcast
Roberta (Bobbie) Stempfley
Roberta "Bobbie" Stempfley discusses her career and journey to becoming the director of the SEI's CERT Division.
Listen -
Blockchain at CMU and Beyond
December 2018 Podcast
Eliezer Kanal, Eugene Leventhal
Eliezer Kanal and Eugene Leventhal discuss blockchain research at Carnegie Mellon University and beyond.
Listen -
Applying Best Practices in Network Traffic Analysis
November 2018 Podcast
Timothy J. Shimeall, Timur D. Snoke
Tim Shimeall and Timur Snoke, both researchers in the SEI's CERT Division, highlight some best practices (and application of these practices) that they have observed in network traffic analysis.
Listen -
Deep Learning in Depth: The Future of Deep Learning
November 2018 Podcast
Ritwik Gupta, Carson Sestili
Ritwik Gupta and Carson Sestili discuss the future of deep learning.
Listen -
Deep Learning in Depth: Adversarial Machine Learning
November 2018 Podcast
Ritwik Gupta, Carson Sestili
Ritwik Gupta of the SEI's Emerging Technology Center and Carson Sestili, formerly of the SEI's CERT Division and now with Google, discuss adversarial machine learning.
Listen -
System Architecture Virtual Integration: ROI on Early Discovery of Defects
November 2018 Podcast
Peter H. Feiler
Peter Feiler discusses the cost savings (26.1 percent) realized when using the System Architecture Virtual Integration approach on the development of software-reliant systems for aircraft.
Listen -
Deep Learning in Depth: The Importance of Diverse Perspectives
November 2018 Podcast
Ritwik Gupta, Carson Sestili
Ritwik Gupta of the SEI's Emerging Technology Center and Carson Sestili, formerly of the SEI's CERT Division and now with Google, discuss the importance of diverse perspectives in deep learning.
Listen -
A Technical Strategy for Cybersecurity
November 2018 Podcast
Roberta (Bobbie) Stempfley
Roberta "Bobbie" Stempfley, who was appointed director of the SEI's CERT Division in June 2017, discusses a technical strategy for cybersecurity.
Listen -
Best Practices for Security in Cloud Computing
October 2018 Podcast
Donald Faatz, Timothy Morrow
Don Faatz and Tim Morrow, researchers with the SEI's CERT Division, outline best practices that organizations should use to address the vulnerabilities and risks in moving applications and data to cloud services.
Listen -
Risks, Threats, and Vulnerabilities in Moving to the Cloud
October 2018 Podcast
Donald Faatz, Timothy Morrow
Tim Morrow and Donald Faatz outline the risks, threats, and vulnerabilities that organizations face when moving applications or data to the cloud.
Listen -
Deep Learning in Depth: IARPA's Functional Map of the World Challenge
October 2018 Podcast
Ritwik Gupta, Carson Sestili
Ritwik Gupta and Carson Sestili describe their use of deep learning in IARPA's Functional Map of the World Challenge.
Listen -
Deep Learning in Depth: Deep Learning versus Machine Learning
October 2018 Podcast
Ritwik Gupta, Carson Sestili
In this podcast excerpt, Ritwik Gupta and Carson Sestili describe deep learning and how it differs from machine learning.
Listen -
Using Test Suites for Static Analysis Alert Classifiers
September 2018 Podcast
Lori Flynn, Zachary Kurtz
CERT researchers Lori Flynn and Zach Kurtz discuss ongoing research using test suites as a source of labeled training data to create classifiers for static analysis alerts.
Listen -
How to Be a Network Traffic Analyst
September 2018 Podcast
Timothy J. Shimeall, Timur D. Snoke
Tim Shimeall and Timur Snoke, researchers in the SEI's CERT Division, examine the role of the network traffic analyst in capturing and evaluating ever-increasing volumes of network data.
Listen -
Workplace Violence and Insider Threat
August 2018 Podcast
Tracy Cassidy, Carrie Gardner
Tracy Cassidy and Carrie Gardner, researchers with the CERT National Insider Threat Center, discuss research on using technology to detect an employee's intent to cause physical harm.
Listen -
The Role of the Software Factory in Acquisition and Sustainment
August 2018 Podcast
Paul Nielsen
Dr. Paul Nielsen discusses his involvement on a Defense Science Board Task Force that concluded that the software factory should be a key player in the acquisition and sustainment of software for defense.
Listen -
Why Does Software Cost So Much?
August 2018 Podcast
Michael D. Konrad, Robert W. Stoddard
Mike Konrad and Bob Stoddard discuss an approach known as causal learning that can help the Department of Defense identify which factors cause software costs to escalate and, therefore, serve as a better basis for guidance on how to intervene.
Listen -
Cybersecurity Engineering & Software Assurance: Opportunities & Risks
July 2018 Podcast
Carol Woody, PhD
Carol Woody discusses opportunities and risks in cybersecurity engineering, software assurance, and the resulting CERT Cybersecurity Engineering and Software Assurance Professional Certificate.
Listen -
Software Sustainment and Product Lines
July 2018 Podcast
Mike Phillips, Harry L. Levinson
Mike Phillips and Harry Levinson examine the intersection of three themes that emerged during the SEI's work with one government program: product line practices, software sustainment, and public-private partnerships.
Listen -
Best Practices in Cyber Intelligence
June 2018 Podcast
Jared Ettinger
Jared Ettinger describes preliminary findings and best practices in cyber intelligence identified through a study sponsored by the U.S. Office of the Director of National Intelligence.
Listen -
Deep Learning in Depth: The Good, the Bad, and the Future
June 2018 Podcast
Ritwik Gupta, Carson Sestili
Ritwik Gupta and Carson Sestili describe deep learning, a popular and quickly growing subfield of machine learning.
Listen -
The Evolving Role of the Chief Risk Officer
May 2018 Podcast
Summer C. Fowler, Ari Lightman
Summer Fowler and Ari Lightman discuss the evolving role of the chief risk officer and a Chief Risk Officer Program that is developed and delivered jointly by CMU's Heinz College of Information Systems and the SEI's CERT Division.
Listen -
Obsidian: A Safer Blockchain Programming Language
May 2018 Podcast
Eliezer Kanal, Michael Coblenz (Carnegie Mellon School of Computer Science)
Eliezer Kanal and Michael Coblenz discuss the creation of Obsidian, a novel programming language specifically tailored to secure blockchain software development that significantly reduces the risk of coding errors.
Listen -
Agile DevOps
April 2018 Podcast
Hasan Yasar, Eileen Wrubel
Eileen Wrubel and Hasan Yasar discuss how Agile and DevOps can be deployed together to meet organizational needs.
Listen -
Kicking Butt in Computer Science: Women in Computing at Carnegie Mellon University
April 2018 Podcast
Jeria Quesenberry, Carol Frieze, Grace Lewis
Carol Frieze, Grace Lewis, and Jeria Quesenberry discuss CMU's approach to creating a more inclusive environment for all computer science students, regardless of gender.
Listen -
Is Software Spoiling Us? Technical Innovations in the Department of Defense
March 2018 Podcast
Jeff Boleng
In this podcast, the panel discusses technical innovations that can be applied to the Department of Defense including improved situational awareness, human-machine interactions, artificial intelligence, machine learning, data, and continuous integration.
Listen -
Is Software Spoiling Us? Innovations in Daily Life from Software
February 2018 Podcast
Jeff Boleng
In this podcast, which was excerpted from the webinar Is Software Spoiling Us?, the panel discusses awesome innovations in daily life that are made possible because of software.
Listen -
How Risk Management Fits into Agile & DevOps in Government
February 2018 Podcast
Timothy A. Chick, Will Hayes, Eileen Wrubel
In this podcast, Eileen Wrubel, technical lead for the SEI's Agile-in-Government program, leads a roundtable discussion into how Agile, DevOps, and the Risk Management Framework can work together.
Listen -
5 Best Practices for Preventing and Responding to Insider Threat
December 2017 Podcast
Randall F. Trzeciak
Randy Trzeciak, technical manager of the CERT National Insider Threat Center, discusses five best practices for preventing and responding to insider threat.
Listen -
Pharos Binary Static Analysis: An Update
December 2017 Podcast
Jeff Gennari
Jeff Gennari discusses updates to the Pharos framework, which automates reverse engineering of malware analysis, including new tools, improvements, and bug fixes.
Listen -
Positive Incentives for Reducing Insider Threat
November 2017 Podcast
Andrew P. Moore, Daniel Bauer
Andrew Moore and Daniel Bauer highlight results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat.
Listen -
Mission-Practical Biometrics
November 2017 Podcast
Satya Venneti
Satya Venneti presents exploratory research undertaken by the SEI's Emerging Technology Center to design algorithms to extract heart rate from video capture of non-stationary subjects in real-time.
Listen -
At Risk Emerging Technology Domains
October 2017 Podcast
Dan J. Klinedinst
In this podcast, CERT vulnerability analyst Dan Klinedinst discusses research aimed at helping the Department of Homeland Security United States Computer Emergency Readiness Team (US-CERT) understand future technologies and their risks.
Listen -
DNS Blocking to Disrupt Malware
October 2017 Podcast
Vijay S. Sarvepalli
In this podcast, CERT researcher Vijay Sarvepalli explores Domain Name System or DNS Blocking, the idea of disrupting communications from malicious code such as ransomware that is used to lock up your digital assets.
Listen -
Best Practices: Network Border Protection
September 2017 Podcast
Rachel Kartch
In this podcast, the latest in a series on best practices for network security, Rachel Kartch explores best practices for network border protection at the Internet router and firewall.
Listen -
Verifying Software Assurance with IBM’s Watson
September 2017 Podcast
Mark Sherman
In this podcast, Mark Sherman discusses research aimed at examining whether developers could build an IBM Watson application to support an assurance review.
Listen -
The CERT Software Assurance Framework
August 2017 Podcast
Carol Woody, PhD, Christopher J. Alberts
In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework, a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
Listen -
Scaling Agile Methods
August 2017 Podcast
Eileen Wrubel, Will Hayes
In this podcast, Will Hayes and Eileen Wrubel present five perspectives on scaling Agile from leading thinkers in the field, including Scott Ambler, Steve Messenger, Craig Larman, Jeff Sutherland, and Dean Leffingwell.
Listen -
Ransomware: Best Practices for Prevention and Response
July 2017 Podcast
Alexander Volynkin, Angela Horneman
In this podcast, CERT researchers spell out several best practices for prevention and response to a ransomware attack.
Listen -
Integrating Security in DevOps
June 2017 Podcast
Hasan Yasar
In this podcast, Hasan Yasar discusses how Secure DevOps attempts to shift the paradigm for tough security problems from following rules to creatively determining solutions.
Listen -
SEI Fellows Series: Peter Feiler
June 2017 Podcast
Peter H. Feiler
Peter Feiler was named an SEI Fellow in August 2016. This podcast is the second in a series highlighting interviews with SEI Fellows.
Listen -
NTP Best Practices
May 2017 Podcast
Timur D. Snoke
In this podcast, Timur Snoke explores the challenges of NTP and prescribes some best practices for securing accurate time with this protocol.
Listen -
Establishing Trust in Disconnected Environments
May 2017 Podcast
Grace Lewis
In this podcast, Grace Lewis presents a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field, as well as an evaluation and implementation of the solution.
Listen -
Distributed Artificial Intelligence in Space
April 2017 Podcast
James Edmondson
In this podcast, James Edmondson discusses his work to bring distributed artificial intelligence to a next generation, renewable power grid in space.
Listen -
Verifying Distributed Adaptive Real-Time Systems
March 2017 Podcast
Sagar Chaki, James Edmondson
In this podcast, James Edmondson and Sagar Chaki describe an architecture and approach to engineering high-assurance software for Distributed Adaptive Real-Time (DART) systems.
Listen -
10 At-Risk Emerging Technologies
March 2017 Podcast
Christopher King
Researchers in the SEI's CERT Division recently examined the security of a large swath of technology domains being developed in industry and maturing over the next five years.
Listen -
Technical Debt as a Core Software Engineering Practice
February 2017 Podcast
Ipek Ozkaya
In this podcast, Ipek Ozkaya talks about managing technical debt as a core software engineering practice and its importance in the education of future software engineers.
Listen -
DNS Best Practices
February 2017 Podcast
Mark Langston
In this podcast, Mark Langston discusses best practices for designing a secure, reliable DNS infrastructure.
Listen -
Three Roles and Three Failure Patterns of Software Architects
January 2017 Podcast
John Klein
In this podcast, John Klein explores three roles and three failure patterns of software architects that he has observed while working with industry and government software projects.
Listen -
Security Modeling Tools
January 2017 Podcast
Julien Delange
In this podcast, Julien Delange discusses security modeling tools that his team developed and how to use them to capture vulnerabilities and their propagation path in an architecture.
Listen -
Best Practices for Preventing and Responding to Distributed Denial of Service (DDoS) Attacks
December 2016 Podcast
Rachel Kartch
In this podcast, CERT researcher Rachel Kartch provides an overview of DDoS attacks and best practices for mitigating and responding to them.
Listen -
Cyber Security Engineering for Software and Systems Assurance
December 2016 Podcast
Nancy R. Mead, Carol Woody, PhD
In this podcast, Nancy Mead and Carol Woody discuss their new book, Cyber Security Engineering: A Practical Approach for Systems and Software Assurance, which introduces a set of seven principles for software assurance.
Listen -
Moving Target Defense
November 2016 Podcast
Andrew O. Mellinger
In this podcast, Andrew Mellinger, a senior software developer in the SEI's Emerging Technology Center, discusses work to develop a platform to organize dynamic defenses.
Listen -
Improving Cybersecurity Through Cyber Intelligence
November 2016 Podcast
Jared Ettinger
In this podcast, Jared Ettinger of the SEI's Emerging Technology Center (ETC) talks about the ETC's work in cyber intelligence as well as the Cyber Intelligence Research Consortium.
Listen -
A Requirement Specification Language for AADL
October 2016 Podcast
Peter H. Feiler
In this podcast, Peter Feiler describes a textual requirement specification language for the Architecture Analysis & Design Language (AADL) called ReqSpec.
Listen -
Becoming a CISO: Formal and Informal Requirements
October 2016 Podcast
Darrell Keeling (Parkview Health), Lisa R. Young
In this podcast, Darrell Keeling, Vice President of Information Security and HIPAA Security Officer at Parkview Health, discusses the knowledge, skills, and abilities needed to become a CISO in today's fast-paced cybersecurity field.
Listen -
Predicting Quality Assurance with Software Metrics and Security Methods
October 2016 Podcast
Carol Woody, PhD
In this podcast, Dr. Carol Woody explores the connection between measurement, methods for software assurance, and security.
Listen -
Network Flow and Beyond
September 2016 Podcast
Timothy J. Shimeall
In this podcast, Timothy Shimeall discusses approaches for analyzing network security using and going beyond network flow data to gain situational awareness to improve security.
Listen -
A Community College Curriculum for Secure Software Development
September 2016 Podcast
Girish Seshagiri (Ishpi Information Technologies, Inc)
In this podcast, Girish Seshagiri discusses a two-year community college software assurance program that he developed and facilitated with SEI Fellow Nancy Mead at Illinois Central College.
Listen -
Security and the Internet of Things
August 2016 Podcast
Art Manion
In this podcast, CERT researcher Art Manion discusses work that his team is doing with the Department of Homeland Security to examine and secure IoT devices.
Listen -
The SEI Fellow Series: Nancy Mead
August 2016 Podcast
Nancy R. Mead
This podcast is the first in a series highlighting interviews with SEI Fellows.
Listen -
An Open Source Tool for Fault Tree Analysis
July 2016 Podcast
Julien Delange
In this podcast, Dr. Julien Delange discusses fault tree analysis and introduces a new tool to design and analyze fault trees.
Listen -
Global Value Chain – An Expanded View of the ICT Supply Chain
July 2016 Podcast
Edna M. Conway (Cisco Systems, Inc.), John Haller, Lisa R. Young
In this podcast, Edna Conway and John Haller discuss the global value chain for organizations and critical infrastructures and how this expanded view can be used to improve ICT supply chain management, including risks to the supply chain.
Listen -
Intelligence Preparation for Operational Resilience
June 2016 Podcast
Douglas Gray, Lisa R. Young
In this podcast, Douglas Gray, a member of the CERT Cyber Risk Management team, discusses how to operationalize intelligence products to build operational resilience of organizational assets and services using IPOR.
Listen -
Evolving Air Force Intelligence with Agile Techniques
May 2016 Podcast
Harry L. Levinson
In this podcast, Harry Levinson discusses the SEI's work with the Air Force to further evolve the AF DCGS system using Agile techniques working in incremental, iterative approaches to deliver more frequent, more manageable deliveries of capability.
Listen -
Threat Modeling and the Internet of Things
May 2016 Podcast
Art Manion, Allen D. Householder
Art Manion and Allen Householder of the CERT Vulnerability Analysis team talk about threat modeling and its use in improving the security of the Internet of Things (IoT).
Listen -
Open Systems Architectures: When & Where to Be Closed
April 2016 Podcast
Donald Firesmith
Don Firesmith discusses how acquisition professionals and system integrators can apply OSA practices to effectively decompose large, monolithic business and technical architectures into manageable and modular solutions.
Listen -
Effective Reduction of Avoidable Complexity in Embedded Systems
March 2016 Podcast
Julien Delange
Dr. Julien Delange discusses the Effective Reduction of Avoidable Complexity in Embedded Systems (ERACES) project, which aims to identify and remove complexity in software models.
Listen -
Toward Efficient and Effective Software Sustainment
March 2016 Podcast
Mike Phillips
Mike Phillips discusses effective sustainment engineering efforts in the Army and Air Force, using examples from across their software engineering centers and how they tie in to SEI research.
Listen -
Quality Attribute Refinement and Allocation
March 2016 Podcast
Neil Ernst
Dr. Neil Ernst discusses industry practices such as slicing and ratcheting used to develop business capabilities and suggests approaches to enable large-scale iteration.
Listen -
Is Java More Secure Than C?
February 2016 Podcast
David Svoboda
In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.
Listen -
Identifying the Architectural Roots of Vulnerabilities
February 2016 Podcast
Rick Kazman, Carol Woody
In this podcast, Rick Kazman and Carol Woody discuss an approach for identifying architecture debt in a large-scale industrial software project by modeling software architecture as design rule spaces.
Listen -
Build Security In Maturity Model (BSIMM) – Practices from Seventy Eight Organizations
February 2016 Podcast
Gary McGraw, Lisa R. Young
In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.
Listen -
An Interview with Grady Booch
January 2016 Podcast
Grady Booch
During a recent visit to the SEI, Grady Booch, chief scientist for IBM and author of the Unified Modeling Language, sat down for an interview with SEI Fellow Nancy Mead for the SEI Podcast Series.
Listen -
Structuring the Chief Information Security Officer Organization
December 2015 Podcast
Nader Mehravari, Julia H. Allen, Lisa R. Young
In this podcast, Nader Mehravari and Julia Allen, members of the CERT Cyber Risk Management team, discuss an effective approach for defining a CISO team structure and functions for large, diverse organizations.
Listen -
How Cyber Insurance Is Driving Risk and Technology Management
November 2015 Podcast
Chip Block, Lisa R. Young
In this podcast, Chip Block, Vice President at Evolver, discusses the growth of the cyber insurance industry and how it is beginning to drive the way that organizations manage risk and invest in technologies.
Listen -
A Field Study of Technical Debt
October 2015 Podcast
Neil Ernst
In this podcast, Dr. Neil Ernst discusses the findings of a recent field study to assess the state of the practice and current thinking regarding technical debt and guide the development of a technical debt timeline.
Listen -
How the University of Pittsburgh Is Using the NIST Cybersecurity Framework
October 2015 Podcast
Sean Sweeney (University of Pittsburgh), Lisa R. Young
In this podcast, Sean Sweeney, Information Security Officer (ISO) for the University of Pittsburgh (PITT), discusses their use of the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework).
Listen -
A Software Assurance Curriculum for Future Engineers
September 2015 Podcast
Nancy R. Mead
In this podcast, Nancy Mead discusses how, with support from the Department of Homeland Security, SEI researchers developed software assurance curricula and programs for graduate, undergraduate, and community colleges.
Listen -
Four Types of Shift Left Testing
September 2015 Podcast
Donald Firesmith
In this podcast, Donald Firesmith explains the importance of shift left testing and defines four approaches using variants of the classic V model to illustrate them.
Listen -
Toward Speed and Simplicity: Creating a Software Library for Graph Analytics
August 2015 Podcast
Scott McMillan, Eric Werner
In this podcast, Scott McMillan and Eric Werner of the SEI's Emerging Technology Center discuss work to create a software library for graph analytics that would take advantage of more powerful heterogeneous supercomputers.
Listen -
Capturing the Expertise of Cybersecurity Incident Handlers
August 2015 Podcast
Samuel J. Perl, Richard O. Young, Julia H. Allen
In this podcast, Dr. Richard Young, a professor with CMU, and Sam Perl, a member of the CERT Division, discuss their research on how expert cybersecurity incident handlers react when faced with an incident.
Listen -
Improving Quality Using Architecture Fault Analysis with Confidence Arguments
August 2015 Podcast
Peter H. Feiler
The case study shows that by combining an analytical approach with confidence maps, we can present a structured argument that system requirements have been met and problems in the design have been addressed adequately.
Listen -
A Taxonomy of Testing Types
July 2015 Podcast
Donald Firesmith
In this podcast, Donald Firesmith introduces a taxonomy of testing types to help testing stakeholders understand and select those that are best for their specific programs.
Listen -
Reducing Complexity in Software & Systems
July 2015 Podcast
Sarah Sheard
In this podcast, Sarah Sheard discusses research to investigate the nature of complexity, how it manifests in software-reliant systems such as avionics, how to measure it, and how to tell when too much complexity might lead to safety problems.
Listen -
Designing Security Into Software-Reliant Systems
June 2015 Podcast
Christopher J. Alberts
In this podcast, CERT researcher Christopher Alberts introduces the SERA Framework, a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
Listen -
Agile Methods in Air Force Sustainment
June 2015 Podcast
Eileen Wrubel
In this podcast, Eileen Wrubel highlights research examining Agile techniques in the software sustainment arena, specifically Air Force programs.
Listen -
Defect Prioritization With the Risk Priority Number
May 2015 Podcast
Will Hayes, Julie B. Cohen
In this podcast, Will Hayes and Julie Cohen discuss a generalized technique that could be used with any type of system to assist the program office in addressing and resolving the conflicting views and creating a better value system for defining releases.
Listen -
SEI-HCII Collaboration Explores Context-Aware Computing for Soldiers
May 2015 Podcast
Jeff Boleng, Dr. Anind Dey
Dr. Jeff Boleng and Dr. Anind Dey discuss joint research to understand the mission, role, and task of dismounted soldiers using context derived from sensors on them and their mobile devices.
Listen -
An Introduction to Context-Aware Computing
April 2015 Podcast
Dr. Anind Dey, Dr. Jeff Boleng
Dr. Anind Dey and Dr. Jeff Boleng introduce context-aware computing and explore issues related to sensor-fueled data in the internet of things.
Listen -
Data Driven Software Assurance
April 2015 Podcast
Michael D. Konrad, Art Manion
In 2012, SEI researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.
Listen -
Applying Agile in the DoD: Twelfth Principle
March 2015 Podcast
Suzanne Miller, Mary Ann Lapham
In this episode, Suzanne Miller and Mary Ann Lapham explore the application of the 12th Agile principle in the Department of Defense.
Listen -
Supply Chain Risk Management: Managing Third Party and External Dependency Risk
March 2015 Podcast
John Haller, Matthew J. Butkovic, Julia H. Allen
In this podcast, Matt Butkovic and John Haller discuss approaches for more effectively managing supply chain risks, focusing on risks arising from "external entities that provide, sustain, or operate Information and Communications Technology (ICT)."
Listen -
Introduction to the Mission Thread Workshop
March 2015 Podcast
Michael J. Gagliardi
In this podcast, Mike Gagliardi introduces the Mission Thread Workshop, a method for understanding architectural and engineering considerations for developing and sustaining systems of systems.
Listen -
Applying Agile in the DoD: Eleventh Principle
February 2015 Podcast
Mary Ann Lapham, Suzanne Miller
In this podcast, the tenth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the eleventh principle:
Listen -
A Workshop on Measuring What Matters
February 2015 Podcast
Lisa R. Young, Michelle A. Valdez, Katie C. Stewart
This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences planning and executing the workshop, and identifying improvements for future offerings.
Listen -
Applying Agile in the DoD: Tenth Principle
February 2015 Podcast
Suzanne Miller, Mary Ann Lapham
In this podcast, part of an ongoing series, Mary Ann Lapham and Suzanne Miller discuss the application of the tenth Agile principle: Simplicity—the art of maximizing the amount of work not done—is essential.
Listen -
Predicting Software Assurance Using Quality and Reliability Measures
January 2015 Podcast
William Nichols, Carol Woody
In this podcast, the authors discuss how a combination of software development and quality techniques can improve software security.
Listen -
Applying Agile in the DoD: Ninth Principle
January 2015 Podcast
Mary Ann Lapham, Suzanne Miller
In this episode, Suzanne Miller and Mary Ann Lapham discuss the application of the ninth Agile principle, "Continuous attention to technical excellence and good design enhances Agile."
Listen -
Cyber Insurance and Its Role in Mitigating Cybersecurity Risk
January 2015 Podcast
James J. Cebula, David W. White, Julia H. Allen
In this podcast, Jim Cebula and David White discuss cyber insurance and its potential role in reducing operational and cybersecurity risk.
Listen -
AADL and Dassault Aviation
December 2014 Podcast
Thierry Cornilleau (Dassault Aviation), Peter H. Feiler
In this podcast, Peter Feiler and Thierry Cornilleau discuss their experiences with the Architecture Analysis and Design Language.
Listen -
Tactical Cloudlets
December 2014 Podcast
Grace Lewis, Suzanne Miller
In this podcast, Grace Lewis discusses five approaches that her team developed and tested for using tactical cloudlets as a strategy for providing infrastructure to support computation offload and data staging at the tactical edge.
Listen -
Agile Software Teams and How They Engage with Systems Engineering on DoD Acquisition Programs
November 2014 Podcast
Eileen Wrubel, Suzanne Miller
In this podcast, Eileen Wrubel and Suzanne Miller discuss issues with Agile software teams engaging systems engineering functions in developing and acquiring software-reliant systems.
Listen -
Coding with AADL
November 2014 Podcast
Julien Delange, Suzanne Miller
In this podcast, Julien Delange summarizes different perspectives on research related to code generation from software architecture models.
Listen -
The State of Agile
October 2014 Podcast
Alistair Cockburn, Suzanne Miller
In this podcast, Alistair Cockburn, an Agile pioneer and one of the original signers of the Agile Manifesto, and SEI principal researcher Suzanne Miller discuss the current state of Agile adoption.
Listen -
Applying Agile in the DoD: Eighth Principle
October 2014 Podcast
Suzanne Miller, Mary Ann Lapham
In this episode, the eighth in a series exploring Agile principles across the DoD, Suzanne Miller and Mary Ann Lapham discuss the eighth Agile principle.
Listen -
A Taxonomy of Operational Risks for Cyber Security
October 2014 Podcast
James J. Cebula, Julia H. Allen
In this podcast, James Cebula describes how to use a taxonomy to increase confidence that your organization is identifying cyber security risks.
Listen -
Agile Metrics
September 2014 Podcast
Will Hayes, Suzanne Miller
In this podcast, Will Hayes and Suzanne Miller discuss research intended to aid U.S. Department of Defense acquisition professionals in the use of Agile software development methods.
Listen -
Four Principles for Engineering Scalable, Big Data Systems
September 2014 Podcast
Ian Gorton, Suzanne Miller
In this podcast, Ian Gorton describes four general principles that hold for any scalable, big data system.
Listen -
An Appraisal of Systems Engineering: Defense v. Non-Defense
August 2014 Podcast
Joseph P. Elm
In this podcast, Joseph P. Elm analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness.
Listen -
HTML5 for Mobile Apps at the Edge
August 2014 Podcast
Grace Lewis, Suzanne Miller
In this podcast, Grace Lewis discusses research that explores the feasibility of using HTML5 for developing mobile applications, for "edge" environments where resources and connectivity are uncertain, such as in the battlefield.
Listen -
Applying Agile in the DoD: Seventh Principle
July 2014 Podcast
Suzanne Miller, Mary Ann Lapham
In this podcast, Suzanne Miller and Mary Ann Lapham explore the application of the seventh Agile principle in the Department of Defense: working software is the primary measure of progress.
Listen -
AADL and Edgewater
July 2014 Podcast
Serban Gheorghe (Edgewater Computer Systems, Inc.), Peter H. Feiler, Suzanne Miller
In this podcast, Peter Feiler and Serban Gheorghe of Edgewater discuss their work on the Architecture Analysis and Design Language.
Listen -
Security and Wireless Emergency Alerts
June 2014 Podcast
Christopher Alberts, Carol Woody, Suzanne Miller
In this podcast, Carol Woody and Christopher Alberts discuss guidelines that they developed to ensure that the WEA service remains robust and resilient against cyber attacks.
Listen -
Safety and Behavior Specification Using the Architecture Analysis and Design Language
June 2014 Podcast
Julien Delange, Suzanne Miller
Julien Delange discusses two extensions to the Architecture Analysis and Design Language: the behavior annex and the error-model annex.
Listen -
Applying Agile in the DoD: Sixth Principle
May 2014 Podcast
Mary Ann Lapham, Suzanne Miller
In this podcast, Suzanne Miller and Mary Ann Lapham discuss the application of the sixth Agile principle in the Department of Defense.
Listen -
Characterizing and Prioritizing Malicious Code
May 2014 Podcast
Jose A. Morales, Julia H. Allen
In this podcast, Jose Morales discusses how to prioritize malware samples, helping analysts to identify the most destructive malware to examine first.
Listen -
Using Quality Attributes to Improve Acquisition
May 2014 Podcast
Patrick Place, Suzanne Miller
In this podcast, Patrick Place describes research aimed at determining how acquisition quality attributes can be expressed and used to facilitate alignment among the software architecture and acquisition strategy.
Listen -
Best Practices for Trust in the Wireless Emergency Alerts Service
April 2014 Podcast
Robert Ellison, Carol Woody, Suzanne Miller
In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that they receive.
Listen -
Three Variations on the V Model for System and Software Testing
April 2014 Podcast
Don Firesmith, Suzanne Miller
In this podcast, Don Firesmith presents three variations on the V model of software or system development.
Listen -
Adapting the PSP to Incorporate Verified Design by Contract
March 2014 Podcast
William Nichols, Suzanne Miller
In this podcast, Bill Nichols discusses a proposal for integrating the Verified Design by Contract method into PSP to reduce the number of defects present at the unit-testing phase, while preserving or improving productivity.
Listen -
Comparing IT Risk Assessment and Analysis Methods
March 2014 Podcast
Ben Tomhave, Erik Heidt, Julia H. Allen
In this podcast, the presenters discuss IT risk assessment and analysis, and comparison factors for selecting methods that are a good fit for your organization.
Listen -
AADL and Aerospace
March 2014 Podcast
Myron Hecht (The Aerospace Corporation), Peter Feiler, Suzanne Miller
In this podcast, Peter Feiler and Myron Hecht discuss the use of AADL by the Aerospace Corporation.
Listen -
Assuring Open Source Software
February 2014 Podcast
Kathryn Ambrose-Sereno, Naomi Anderson, Suzanne Miller
In this podcast, Kate Ambrose Sereno and Naomi Anderson discuss research aimed at developing adoptable, evidence-based, data-driven approaches to evaluating (open source) software.
Listen -
Security Pattern Assurance through Roundtrip Engineering
February 2014 Podcast
Rick Kazman, Suzanne Miller
In this podcast, Rick Kazman discusses these challenges and a solution he has developed for achieving system security qualities through use of patterns.
Listen -
The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
February 2014 Podcast
Jason Christopher (U.S. Department of Energy), Nader Mehravari, Julia H. Allen
ES-C2M2 helps improve the operational resilience of the U.S. power grid.
Listen -
Applying Agile in the DoD: Fifth Principle
January 2014 Podcast
Mary Ann Lapham, Suzanne Miller
In this episode, the fifth in a series, Suzanne Miller and Mary Ann Lapham discuss the application of the fifth principle, Build projects around motivated individuals.
Listen -
Software Assurance Cases
January 2014 Podcast
Charles (Chuck) Weinstock, Suzanne Miller
In this podcast, Charles Weinstock introduces assurance cases and how they can be used to assure safety, security, and reliability.
Listen -
Raising the Bar - Mainstreaming CERT C Secure Coding Rules
January 2014 Podcast
Robert C. Seacord, Julia H. Allen
In this podcast, Robert Seacord describes the CERT-led effort to publish an ISO/IEC technical specification for secure coding rules for compilers and analyzers.
Listen -
AADL and Télécom Paris Tech
December 2013 Podcast
Etienne Borde, Peter Feiler
Real-World Applications of the Architecture Analysis and Design Language (AADL)
Listen -
From Process to Performance-Based Improvement
December 2013 Podcast
Timothy A. Chick, Gene Miluk, Suzanne Miller
In this podcast, Tim Chick and Gene Miluk discuss methodology and outputs of the Checkpoint Diagnostic, a tool that provides organizations with actionable performance related information and analysis closely linked to business value.
Listen -
An Approach to Managing the Software Engineering Challenges of Big Data
November 2013 Podcast
Ian Gorton, John Klein, Suzanne Miller
In this episode, Ian Gorton and John Klein discuss big data and the challenges it presents for software engineers. With help from fellow SEI researchers, the two have developed a lightweight risk reduction approach to help software engineers manage the ch
Listen -
Using the Cyber Resilience Review to Help Critical Infrastructures Better Manage Operational Resilience
November 2013 Podcast
Kevin Dillon (Department of Homeland Security), Matthew J. Butkovic, Julia H. Allen
In this podcast, the presenters explain how CRRs allow critical infrastructure owners to compare their cybersecurity performance with their peers.
Listen -
Situational Awareness Mashups
November 2013 Podcast
Soumya Simanta, Suzanne Miller
In this podcast, Soumya Simanta describes research aimed at creating a software prototype that allows warfighters and first responders to rapidly integrate or mash geo-tagged situational awareness data from multiple remote data sources.
Listen -
Applying Agile in the DoD: Fourth Principle
October 2013 Podcast
Mary Ann Lapham, Suzanne Miller
In this episode, the fourth in a series about the application of Agile principles in the DoD, Suzanne Miller and Mary Ann Lapham discuss the application of the fourth principle, "Business people and developers must work together daily."
Listen -
Architecting Systems of the Future
October 2013 Podcast
Eric Werner, Suzanne Miller
In this episode, Eric Werner discusses research that he and several of his colleagues are conducting to help software developers create systems for the many-core central processing units in massively parallel computing environments.
Listen -
Acquisition Archetypes
September 2013 Podcast
William Novak, Suzanne Miller
In this episode, Bill Novak talks about his work with acquisition archetypes and how they can be used to help government programs avoid problems in software development and systems acquisition.
Listen -
Human-in-the-Loop Autonomy
September 2013 Podcast
James Edmondson, Suzanne Garcia-Miller
In this episode, James Edmondson discusses his research on autonomous systems, specifically robotic systems and autonomous systems for robotic systems.
Listen -
Mobile Applications for Emergency Managers
August 2013 Podcast
Adam Miller (Huntingdon County, Pennsylvania, Emergency Management Agency), Bill Pollak
Learn about the SEI's Advanced Mobile Systems Team's work with the Huntingdon County, Pennsylvania, Emergency Management Agency.
Listen -
Why Use Maturity Models to Improve Cybersecurity: Key Concepts, Principles, and Definitions
August 2013 Podcast
Richard A. Caralli, Julia H. Allen
In this podcast, Rich Caralli explains how maturity models provide measurable value in improving an organization's cybersecurity capabilities.
Listen -
Applying Agile in the DoD: Third Principle
August 2013 Podcast
Mary Ann Lapham, Suzanne Garcia-Miller
A discussion of the application of the third Agile principle, "Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale."
Listen -
DevOps - Transform Development and Operations for Fast, Secure Deployments
July 2013 Podcast
Gene Kim (IP Services and ITPI), Julia H. Allen
In this podcast, Gene Kim explains how the "release early, release often" approach significantly improves software performance, stability, and security.
Listen -
Application Virtualization as a Strategy for Cyber Foraging
July 2013 Podcast
Grace Lewis, Suzanne Miller
In this podcast, researcher Grace Lewis discusses application virtualization as a more lightweight alternative to VM synthesis for cloudlet provisioning.
Listen -
Common Testing Problems: Pitfalls to Prevent and Mitigate
July 2013 Podcast
Donald Firesmith, Suzanne Miller
Don Firesmith discusses problems that occur during testing as well as a framework that lists potential symptoms by which each can be recognized, potential negative consequences, and potential causes, and makes recommendations for preventing them.
Listen -
Joint Programs and Social Dilemmas
June 2013 Podcast
Bill Novak
In this episode, SEI researcher Bill Novak discusses joint programs and social dilemmas, which have become increasingly common in defense acquisition, and the ways in which joint program outcomes can be affected by their underlying structure.
Listen -
Applying Agile in the DoD: Second Principle
June 2013 Podcast
Mary Ann Lapham, Suzanne Miller
In this episode, SEI researchers discuss the application of the second Agile principle, “Welcome changing requirements, even late in development.”
Listen -
Managing Disruptive Events - CERT-RMM Experience Reports
June 2013 Podcast
Nader Mehravari, Julia H. Allen
In this podcast, the participants describe four experience reports that demonstrate how the CERT-RMM can be applied to manage operational risks.
Listen -
Reliability Validation and Improvement Framework
May 2013 Podcast
Peter Feiler
In this podcast, Peter Feiler discusses his recent work to improve the quality of software-reliant systems through an approach known as the Reliability Validation and Improvement Framework.
Listen -
Using a Malware Ontology to Make Progress Towards a Science of Cybersecurity
May 2013 Podcast
Dave Mundie, Julia H. Allen
In this podcast, Dave Mundie explains why a common language is essential to developing a shared understanding to better analyze malicious code.
Listen -
The Business Case for Systems Engineering
May 2013 Podcast
Joseph Elm, Suzanne Miller
Joe Elm discusses the results of a recent technical report, which establishes clear links between the application of systems engineering (SE) best practices to projects and programs and the performance of those projects and programs.
Listen -
Applying Agile in the DoD: First Principle
April 2013 Podcast
Mary Ann Lapham, Suzanne Miller
In this episode, Suzanne Miller and Mary Ann Lapham discuss the application of the first Agile principle, "Our highest priority is to satisfy the customer through early and continuous delivery of valuable software."
Listen -
The Evolution of a Science Project
April 2013 Podcast
Andrew P. Moore, William Novak
In this podcast, Bill Novak and Andy Moore describe a recent technical report, The Evolution of a Science Project, which intends to improve acquisition staff decision-making.
Listen -
Securing Mobile Devices aka BYOD
March 2013 Podcast
Joe Mayes, Julia H. Allen
In this podcast, Joe Mayes discusses how to ensure the security of personal mobile devices that have access to enterprise networks.
Listen -
What's New With Version 2 of the AADL Standard?
March 2013 Podcast
Peter Feiler
In this podcast, Peter Feiler discusses the latest changes to the Architecture Analysis & Design Language (AADL) standard.
Listen -
The State of the Practice of Cyber Intelligence
March 2013 Podcast
Jay McAllister, Troy Townsend, Suzanne Miller
In this podcast, Troy Townsend and Jay McAllister discuss their findings on the state of the practice of cyber intelligence.
Listen -
Mitigating Insider Threat - New and Improved Practices Fourth Edition
February 2013 Podcast
George Silowash, Lori Flynn, Julia H. Allen
In this podcast, participants explain how 371 cases of insider attacks led to 4 new and 15 updated best practices for mitigating insider threats.
Listen -
Technology Readiness Assessments
February 2013 Podcast
Michael Bandor, Suzanne Miller
Michael Bandor discusses technology readiness assessments, which the DoD defines as a formal, systematic, metrics-based process and accompanying report that assess the maturity of critical hardware and software technologies to be used in systems.
Listen -
Standards in Cloud Computing Interoperability
February 2013 Podcast
Grace Lewis
In this podcast, Grace Lewis discusses her latest research exploring the role of standards in cloud-computing interoperability.
Listen -
Managing Disruptive Events: Demand for an Integrated Approach to Better Manage Risk
January 2013 Podcast
Nader Mehravari, Julia H. Allen
In this podcast, Nader Mehravari describes how governments and markets are calling for the integration of plans for and responses to disruptive events.
Listen -
The Latest Developments in AADL
January 2013 Podcast
Peter Feiler, Julien Delange
Julien Delange and Peter Feiler discuss the latest developments with the Architecture Analysis and Design Language (AADL) standard.
Listen -
The Fundamentals of Agile
January 2013 Podcast
Tim Chick
In this episode, Tim Chick, a senior member of the technical staff in the Team Software Process (TSP) initiative, discusses the fundamentals of agile, specifically what it means for an organization to be agile.
Listen -
Software for Soldiers who use Smartphones
December 2012 Podcast
Edwin Morris
In this episode, Ed Morris describes research to create a software application for smartphones that allows soldier end-users to program their smartphones to provide an interface tailored to the information they need for a specific mission.
Listen -
Managing Disruptive Events: Making the Case for Operational Resilience
December 2012 Podcast
Nader Mehravari, Julia H. Allen
In this podcast, Nader Mehravari describes how today's high-risk, global, fast, and very public business environment demands a more integrated approach.
Listen -
Architecting Service-Oriented Systems
December 2012 Podcast
Grace Lewis
Grace Lewis discusses general guidelines for architecting service-oriented systems, how common service-oriented system components support these principles, and the effect these principles and their implementation have on system quality attributes.
Listen -
The SEI Strategic Plan
November 2012 Podcast
Bill Scherlis
In this podcast, Bill Scherlis discusses the development of the strategic plan of the SEI to advance the practice of software engineering for the DoD.
Listen -
Quantifying Uncertainty in Early Lifecycle Cost Estimation
November 2012 Podcast
Jim McCurley, Robert Stoddard
In this podcast episode, Jim McCurley and Robert Stoddard discuss a new method developed by the SEI's Software Engineering Measurement and Analysis (SEMA) team, Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE).
Listen -
Using Network Flow Data to Profile Your Network and Reduce Vulnerabilities
October 2012 Podcast
Austin Whisnant, Sid Faber, Julia H. Allen
In this podcast, participants discuss how a network profile can help identify unintended points of entry, misconfigurations, and other weaknesses.
Listen -
Architecting a Financial System with TSP
October 2012 Podcast
Felix Bachmann, Jim McHale
In this episode, Felix Bachmann and James McHale discuss their work on a project between the SEI and Bursatec to create a reliable and fast new trading system for Grupo Bolsa Mexicana de Valores, the Mexican Stock Exchange.
Listen -
The Importance of Data Quality
October 2012 Podcast
David Zubrow
In this episode, Dave Zubrow discusses the importance of data quality and research that his team is undertaking in this area.
Listen -
How to More Effectively Manage Vulnerabilities and the Attacks that Exploit Them
September 2012 Podcast
Art Manion, Julia H. Allen
In this podcast, Greg Crabb explains how CERT-RMM can be used to establish and meet resilience requirements for a wide range of business objectives.
Listen -
Misaligned Incentives
September 2012 Podcast
Bill Novak
In this episode, Novak discusses misaligned incentives, misaligned people incentives in software acquisition programs, and how the wrong incentives can undermine acquisition programs and produce poor outcomes.
Listen -
How a Disciplined Process Enhances & Enables Agility
September 2012 Podcast
Bill Nichols
In this podcast, Bill Nichols discusses how a disciplined process enables and enhances agility.
Listen -
Agile Acquisition
September 2012 Podcast
Mary Ann Lapham, Suzanne Miller
This podcast explores the SEI's research and work to assist the DoD in Agile acquisition.
Listen -
An Architecture-Focused Measurement Framework for Managing Technical Debt
September 2012 Podcast
Ipek Ozkaya
In this podcast, Ipek Ozkaya discusses the SEI's research on the strategic management of technical debt, which involves decisions made to defer necessary work during the planning or execution of a software project.
Listen -
Cloud Computing for the Battlefield
September 2012 Podcast
Grace A. Lewis
Grace Lewis discusses her research to overcome challenges for battlefield computing by using cloudlets: localized, lightweight servers running one or more virtual machines on which soldiers can offload expensive computations from their handheld devices.
Listen -
U.S. Postal Inspection Service Use of the CERT Resilience Management Model
August 2012 Podcast
Greg Crabb (U.S. Postal Inspection Service), Julia H. Allen
In this podcast, Greg Crabb explains how CERT-RMM can be used to establish and meet resilience requirements for a wide range of business objectives.
Listen -
Insights from the First CERT Resilience Management Model Users Group
July 2012 Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young explains that implementing CERT-RMM requires well-defined improvement objectives, sponsorship, and more.
Listen -
NIST Catalog of Security and Privacy Controls, Including Insider Threat
April 2012 Podcast
Ron Ross (NIST), Joji Montelibano, Julia H. Allen
In this podcast, participants discuss why security controls, including those for insider threat, are necessary to protect information and information systems.
Listen -
Cisco's Adoption of CERT Secure Coding Standards
February 2012 Podcast
Martin Sebor (Cisco), Julia H. Allen
In this podcast, Martin Sebor explains how implementing secure coding standards is a sound business decision.
Listen -
How to Become a Cyber Warrior
January 2012 Podcast
Dennis M. Allen, Julia H. Allen
In this podcast, Dennis Allen explains that protecting the internet and its users against cyber attacks requires more skilled cyber warriors.
Listen -
Considering Security and Privacy in the Move to Electronic Health Records
December 2011 Podcast
Deborah Lafky (Healthcare Information Technology (HIT) Security/Cybersecurity), Matthew J. Butkovic, Julia H. Allen
In this podcast, participants discuss how using electronic health records brings many benefits along with security and privacy challenges.
Listen -
Measuring Operational Resilience
October 2011 Podcast
Julia H. Allen, Pamela D. Curtis
In this podcast, Julia Allen explains that measures of operational resilience should answer key questions, inform decisions, and affect behavior.
Listen -
Why Organizations Need a Secure Domain Name System
September 2011 Podcast
Alex Nicoll, Julia H. Allen
Use of Domain Name System security extensions can help prevent website hijacking attacks.
Listen -
Controls for Monitoring the Security of Cloud Services
August 2011 Podcast
Art Manion, Jonathan Spring, Julia H. Allen
In this podcast, participants explain that how cloud providers and customers can use controls to protect sensitive information depends on the service model.
Listen -
Building a Malware Analysis Capability
July 2011 Podcast
Jeff Gennari, Julia H. Allen
In this podcast, Jeff Gennari explains that analyzing malware is essential to assessing the damage and reducing the impact associated with ongoing infection.
Listen -
Using the Smart Grid Maturity Model (SGMM)
May 2011 Podcast
David W. White, Julia H. Allen
In this podcast, David White describes how over 100 electric power utilities are using the Smart Grid Maturity Model.
Listen -
Integrated, Enterprise-Wide Risk Management: NIST 800-39 and CERT-RMM
March 2011 Podcast
Ron Ross (NIST), James J. Cebula, Julia H. Allen
In this podcast, participants explain why and how business leaders must address risk at the enterprise, business process, and system levels.
Listen -
Conducting Cyber Exercises at the National Level
February 2011 Podcast
Brett Lambo (U.S. Department of Homeland Security), Matthew J. Butkovic, Julia H. Allen
In this podcast, participants discuss exercises that help organizations, governments, and nations prepare for, identify, and mitigate cyber risks.
Listen -
Indicators and Controls for Mitigating Insider Threat
January 2011 Podcast
Michael Hanley, Julia H. Allen
In this podcast, Michael Hanley explains how technical controls can be effective in helping to prevent, detect, and respond to insider crimes.
Listen -
How Resilient Is My Organization?
December 2010 Podcast
Richard A. Caralli, David W. White, Julia H. Allen
In this podcast, Richard Caralli explains how CERT-RMM can ensure that critical assets and services perform as expected in the face of stress and disruption.
Listen -
Public-Private Partnerships: Essential for National Cyber Security
November 2010 Podcast
Samuel A. Merrell, John Haller, Philip Huff (Arkansas Electric Cooperative Corporation)
In this podcast, participants explain that knowledge of software assurance is essential to ensure that complex systems function as intended.
Listen -
Software Assurance: A Master's Level Curriculum
October 2010 Podcast
Nancy R. Mead, Thomas B. Hilburn (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory)
In this podcast, participants explain how knowledge about software assurance is essential to ensure that complex systems function as intended.
Listen -
How to Develop More Secure Software - Practices from Thirty Organizations
September 2010 Podcast
Gary McGraw, Sammy Migues (Cigital), Julia H. Allen
In this podcast, participants discuss how organizations can benchmark their software security practices against 109 observed activities from 30 organizations.
Listen -
Mobile Device Security: Threats, Risks, and Actions to Take
August 2010 Podcast
Jonathan Frederick, Julia H. Allen
In this podcast, Jonathan Frederick explains how internet-connected mobile devices are becoming increasingly attractive targets.
Listen -
Establishing a National Computer Security Incident Response Team (CSIRT)
August 2010 Podcast
Jeffrey J. Carpenter, John Haller, Julia H. Allen
In this podcast, participants discuss how essential a national CSIRT is for protecting national and economic security and continuity.
Listen -
Securing Industrial Control Systems
July 2010 Podcast
Art Manion, Julia H. Allen
In this podcast, Julia Allen explains how critical it is to secure systems that control physical switches, valves, pumps, meters, and manufacturing lines.
Listen -
The Power of Fuzz Testing to Reduce Security Vulnerabilities
May 2010 Podcast
Will Dormann, Julia H. Allen
In this podcast, Will Dormann urges listeners to subject their software to fuzz testing to help identify and eliminate security vulnerabilities.
Listen -
Protect Your Business from Money Mules
April 2010 Podcast
Chad Dougherty, Julia H. Allen
Organized criminals recruit unsuspecting intermediaries to help steal funds from small businesses.
Listen -
Train for the Unexpected
March 2010 Podcast
Matthew Meyer (M&I Corporation), Julia H. Allen
In this podcast, Matthew Meyer explains that being able to respond effectively when faced with a disruptive event requires becoming more resilient.
Listen -
The Role of the CISO in Developing More Secure Software
March 2010 Podcast
Pravir Chandra (Fortify Software), Julia H. Allen
In this podcast, Pravir Chandra warns that CISOs must leave no room for doubt that they understand what is expected of them when developing secure software.
Listen -
Computer and Network Forensics: A Master's Level Curriculum
February 2010 Podcast
Kristopher Rush, Julia H. Allen
In this podcast, Kris Rush describes how students learn to combine multiple facets of digital forensics and draw conclusions to support investigations.
Listen -
Introducing the Smart Grid Maturity Model (SGMM)
January 2010 Podcast
Ray Jones (APQC), Julia H. Allen
In this podcast, Ray Jones explains how the SGMM provides a roadmap to guide an organization's transformation to the smart grid.
Listen -
Leveraging Security Policies and Procedures for Electronic Evidence Discovery
January 2010 Podcast
John Christiansen (Christiansen IT Law), Julia H. Allen
In this podcast, John Christiansen explains that effectively responding to e-discovery requests depends on well-defined policies, procedures, and processes.
Listen -
Integrating Privacy Practices into the Software Development Life Cycle
December 2009 Podcast
Ralph Hood (Microsoft), Kim Howell (Microsoft), Julia H. Allen
In this podcast, participants explain that addressing privacy during software development is just as important as addressing security.
Listen -
Using the Facts to Protect Enterprise Networks: CERT's NetSA Team
December 2009 Podcast
Timothy J. Shimeall, Julia H. Allen
In this podcast, Timothy Shimeall describes how network defenders and business leaders can use NetSA measures to protect their networks.
Listen -
Ensuring Continuity of Operations When Business Is Disrupted
November 2009 Podcast
Gary Daniels (Marshall & Ilsley Corporation), Julia H. Allen
In this podcast, Gary Daniels explains that providing critical services during times of stress depends on documented, tested business continuity plans.
Listen -
Managing Relationships with Business Partners to Achieve Operational Resiliency
October 2009 Podcast
David W. White, Julia H. Allen
In this podcast, David White explains why a defined, managed process for third party relationships is essential, particularly when business is disrupted.
Listen -
The Smart Grid: Managing Electrical Power Distribution and Use
September 2009 Podcast
James F. Stevens, Julia H. Allen
In this podcast, James Stevens explains how using the smart grid comes with some new privacy and security challenges.
Listen -
Electronic Health Records: Challenges for Patient Privacy and Security
September 2009 Podcast
Robert Charette (ITABHI Corporation), Julia H. Allen
In this podcast, Robert Charette explains why electronic health records (EHRs) are possibly the most complicated area of IT today.
Listen -
Mitigating Insider Threat: New and Improved Practices
August 2009 Podcast
Dawn Cappelli, Randall F. Trzeciak, Andrew P. Moore
Two hundred and eighty-two cases of actual insider attacks suggest 16 best practices for preventing and detecting insider threat.
Listen -
Rethinking Risk Management
July 2009 Podcast
Christopher J. Alberts, Julia H. Allen
In this podcast, Christopher Alberts urges business leaders to adopt new approaches to addressing risks across the life cycle and supply chain.
Listen -
The Upside and Downside of Security in the Cloud
June 2009 Podcast
Tim Mather (RSA), Julia H. Allen
In this podcast, Tim Mather advises business leaders considering cloud services to weigh the economic benefits against the security and privacy risks.
Listen -
More Targeted, Sophisticated Attacks: Where to Pay Attention
May 2009 Podcast
Martin Linder, Julia H. Allen
In this podcast, Martin Linder urges business leaders to take action to better mitigate sophisticated social engineering attacks.
Listen -
Is There Value in Identifying Software Security "Never Events?"
May 2009 Podcast
Robert Charette (ITABHI Corporation), Julia H. Allen
In this podcast, Robert Charette suggests when to examine responsibilities when developing software with known, preventable errors.
Listen -
Cyber Security, Safety, and Ethics for the Net Generation
April 2009 Podcast
Rodney Petersen (EDUCAUSE), Julia H. Allen
In this podcast, Rodney Petersen explains why capitalizing on the cultural norms of the Net Generation is essential when developing security awareness programs.
Listen -
An Experience-Based Maturity Model for Software Security
March 2009 Podcast
Brian Chess (Fortify Software), Sammy Migues (Cigital), Gary McGraw
In this podcast, participants discuss how observed practice, represented as a maturity model, can serve as a basis for developing more secure software.
Listen -
Mainstreaming Secure Coding Practices
March 2009 Podcast
Robert C. Seacord, Julia H. Allen
In this podcast, Robert Seacord explains how requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities.
Listen -
Security: A Key Enabler of Business Innovation
March 2009 Podcast
Laura Robinson (Robinson Insight), Roland Cloutier (EMC Corporation), Julia H. Allen
In this podcast, participants describe how making security strategic to business innovation involves seven strategies.
Listen -
Better Incident Response Through Scenario Based Training
February 2009 Podcast
Christopher May, Julia H. Allen
In this podcast, Christopher May explains how teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine.
Listen -
An Alternative to Risk Management for Information and Software Security
February 2009 Podcast
Brian Chess (Fortify Software), Julia H. Allen
In this podcast, Brian Chess explains how standards, compliance, and process are better than risk management for ensuring information and software security.
Listen -
Tackling Tough Challenges: Insights from CERT’s Director Rich Pethia
January 2009 Podcast
Richard D. Pethia, Julia H. Allen
In this podcast, Rich Pethia reflects on the CERT Division's 20-year history and discusses its future IT and security challenges.
Listen -
Climate Change: Implications for Information Technology and Security
December 2008 Podcast
Richard Power (Carnegie Mellon CyLab), Julia H. Allen
In this podcast, Richard Power explains how climate change requires new strategies for dealing with traditional IT and information security risks.
Listen -
Using High Fidelity, Online Training to Stay Sharp
November 2008 Podcast
Jim Wrubel, Julia H. Allen
In this podcast, Jim Wrubel explains how virtual training environments can deliver high quality content to security professionals on-demand, anywhere, anytime.
Listen -
Integrating Security Incident Response and e-Discovery
November 2008 Podcast
David Matthews (City of Seattle), Julia H. Allen
In this podcast, Julia Allen explains how responding to an e-discovery request involves many of the same steps and roles as responding to a security incident.
Listen -
Concrete Steps for Implementing an Information Security Program
October 2008 Podcast
Jennifer Bayuk (No Affiliation), Julia H. Allen
In this podcast, Jennifer Bayuk explains how successful security programs are based on strategy, policy, awareness, implementation, monitoring, and remediation.
Listen -
Virtual Communities: Risks and Opportunities
October 2008 Podcast
Jan Wolynski (Royal Canadian Mounted Police), Julia H. Allen
In this podcast, Jan Wolynski advises business leaders to evaluate risks and opportunities when considering conducting business in online, virtual communities.
Listen -
Developing Secure Software: Universities as Supply Chain Partners
September 2008 Podcast
Mary Ann Davidson (Oracle), Julia H. Allen
In this podcast, Mary Ann Davidson explains how integrating security into university curricula is a key solution to developing more secure software.
Listen -
Security Risk Assessment Using OCTAVE Allegro
September 2008 Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young describes OCTAVE Allegro, a streamlined assessment method that focuses on risks to information used by critical business services.
Listen -
Getting to a Useful Set of Security Metrics
September 2008 Podcast
Clint Kreitner (The Center for Internet Security), Julia H. Allen
Well-defined metrics are essential to determine which security practices are worth the investment.
Listen -
How to Start a Secure Software Development Program
August 2008 Podcast
Gary McGraw, Julia H. Allen
In this podcast, Gary McGraw explains how to achieve software security by thinking like an attacker and integrating practices into the development lifecycle.
Listen -
Managing Risk to Critical Infrastructures at the National Level
August 2008 Podcast
Bradford J. Willke, Julia H. Allen
In this podcast, Bradford Willke explains how protecting critical infrastructures and the information they use is essential for preserving our way of life.
Listen -
Analyzing Internet Traffic for Better Cyber Situational Awareness
July 2008 Podcast
Derek Gabbard, Julia H. Allen
In this podcast, Derek Gabbard discusses automation, innovation, reaction, and expansion as the foundation for meaningful network traffic intelligence.
Listen -
Managing Security Vulnerabilities Based on What Matters Most
July 2008 Podcast
Art Manion, Julia H. Allen
In this podcast, Art Manion explains that determining which security vulnerabilities to address should be based on the importance of the information asset.
Listen -
Identifying Software Security Requirements Early, Not After the Fact
July 2008 Podcast
Nancy R. Mead, Julia H. Allen
In this podcast, Nancy Mead explains that during requirements engineering, software engineers need to think about how software should behave when under attack.
Listen -
Making Information Security Policy Happen
June 2008 Podcast
Paul Love (The Standard), Julia H. Allen
In this podcast, Paul Love argues that targeted, innovative communications and a robust lifecycle are keys for security policy success.
Listen -
Becoming a Smart Buyer of Software
June 2008 Podcast
Brian P. Gallagher, Julia H. Allen
Managing software that is developed by an outside organization can be more challenging than building it yourself.
Listen -
Building More Secure Software
May 2008 Podcast
Bill Pollak, Julia H. Allen
In this podcast, Julia Allen explains how software security is about building more defect-free software to reduce vulnerabilities targeted by attackers.
Listen -
Connecting the Dots Between IT Operations and Security
May 2008 Podcast
Gene Kim (IP Services and ITPI), Julia H. Allen
In this podcast, Gene Kim describes how high performing organizations must integrate information security controls into their IT operational processes.
Listen -
Getting in Front of Social Engineering
April 2008 Podcast
Gary Hinson (No Affiliation), Julia H. Allen
In this podcast, Betsy Nichols tells us how benchmark results can compare results with peers, drive performance, and help determine how much security is enough.
Listen -
Using Benchmarks to Make Better Security Decisions
April 2008 Podcast
Betsy Nichols (PlexLogic), Julia H. Allen
In this podcast, Betsy Nichols describes how benchmark results can be used to help determine how much security is enough.
Listen -
Protecting Information Privacy - How To and Lessons Learned
April 2008 Podcast
Kim Hargraves (Microsoft), Julia H. Allen
In this podcast, Kim Hargraves describes three keys to ensuring information privacy in an organization.
Listen -
Initiating a Security Metrics Program: Key Points to Consider
March 2008 Podcast
Samuel A. Merrell, Julia H. Allen
In this podcast, Samuel Merrell explains that a sound security metrics program should select data relevant to consumers from repeatable processes.
Listen -
Insider Threat and the Software Development Life Cycle
March 2008 Podcast
Dawn Cappelli, Julia H. Allen
In this podcast, Dawn Cappelli explains how insider threat vulnerabilities can be introduced during all phases of the software development lifecycle.
Listen -
Tackling the Growing Botnet Threat
February 2008 Podcast
Nicholas Ianelli, Julia H. Allen
In this podcast, Nicholas Ianelli cautions business leaders to understand the risks to their organizations caused by the proliferation of botnets.
Listen -
Building a Security Metrics Program
February 2008 Podcast
Betsy Nichols (PlexLogic), Julia H. Allen
In this podcast, Betsy Nichols explains that reporting meaningful security metrics depends on topic selection, context definition, and data access.
Listen -
Inadvertent Data Disclosure on Peer-to-Peer Networks
January 2008 Podcast
M. Eric Johnson (Dartmouth College), Scott Dynes (Dartmouth College), Julia H. Allen
In this podcast, participants discuss how peer-to-peer networks are being used to unintentionally disclose government, commercial, and personal information.
Listen -
Information Compliance: A Growing Challenge for Business Leaders
January 2008 Podcast
Tom Smedinghoff (Wildman Harrold), Julia H. Allen
In this podcast, Tom Smedinghoff reminds directors and executives that they are personally accountable for protecting information entrusted to their care.
Listen -
Internal Audit's Role in Information Security: An Introduction
December 2007 Podcast
Dan Swanson (Dan Swanson and Associates), Julia H. Allen
In this podcast, Dan Swanson explains how an internal audit can serve a key role in establishing an effective information security program.
Listen -
What Business Leaders Can Expect from Security Degree Programs
November 2007 Podcast
Sean Beggs (Carnegie Mellon University), Stephanie Losi
In this podcast, participants discuss whether information security degree programs meet the needs of business leaders seeking knowledgeable employees.
Listen -
The Path from Information Security Risk Assessment to Compliance
November 2007 Podcast
William R. Wilson, Julia H. Allen
In this podcast, William Wilson explains how an information security risk assessment, performed with operational risk management, can contribute to compliance.
Listen -
Computer Forensics for Business Leaders: Building Robust Policies and Processes
October 2007 Podcast
Cal Waits, Stephanie Losi
In this podcast, participants discuss how business leaders can play a key role in computer forensics by establishing and testing strong policies.
Listen -
Business Resilience: A More Compelling Argument for Information Security
October 2007 Podcast
Scott Dynes (Dartmouth College), Stephanie Losi
In this podcast, participants discuss how a business resilience argument can bridge the gap between information security officers and business leaders.
Listen -
Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity
October 2007 Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young suggests that by taking a holistic view of business resilience, business leaders can help their organizations stand up to threats.
Listen -
The Human Side of Security Trade-Offs
September 2007 Podcast
Greg Newby (Arctic Region Supercomputing Center), Stephanie Losi
In this podcast, participants explain that it's easy to think of security as a collection of technologies and tools, but that people are the real key.
Listen -
Dual Perspectives: A CIO's and CISO's Take on Security
September 2007 Podcast
Patty Morrison (Motorola), Bill Boni (Motorola), Julia H. Allen
In this podcast, participants explain that since you can't secure everything, managing security risk to a "commercially reasonable degree" is best.
Listen -
Tackling Security at the National Level: A Resource for Leaders
August 2007 Podcast
Jeffrey J. Carpenter, Julia H. Allen
In this podcast, Clint Kreitner explains how information security costs can be reduced by enforcing standard configurations for widely deployed systems.
Listen -
Reducing Security Costs with Standard Configurations: U.S. Government Initiatives
August 2007 Podcast
Clint Kreitner (The Center for Internet Security), Julia H. Allen
In this podcast, participants explain that since you can't secure everything, managing security risk to a "commercially reasonable degree" is best.
Listen -
Real-World Security for Business Leaders
July 2007 Podcast
Pamela Fusco (FishNet Security), Bill Pollak
In this podcast, William Wilson advises business leaders to use international standards to create a business- and risk-based information security program.
Listen -
Using Standards to Build an Information Security Program
July 2007 Podcast
William R. Wilson, Julia H. Allen
In this podcast, William Wilson explains how business leaders can use international standards to create a business- and risk-based information security program.
Listen -
Getting Real About Security Governance
June 2007 Podcast
Julia H. Allen, Stephanie Losi
In this podcast, participants explain that enterprise security governance can be achieved by implementing a defined, repeatable process.
Listen -
Convergence: Integrating Physical and IT Security
June 2007 Podcast
Brian Contos (ArcSight), Bill Crowell (No Affiliation), Julia H. Allen
In this podcast, participants recommend deploying common solutions for physical and IT security as a cost-effective way to reduce risk and save money.
Listen -
IT Infrastructure: Tips for Navigating Tough Spots
May 2007 Podcast
Steve Huth, Steve Kalinowski, Stephanie Losi
In this podcast, participants discuss how organizations may occasionally need to redefine their IT infrastructures and be ready to handle tricky situations.
Listen -
The Value of De-Identified Personal Data
May 2007 Podcast
Stephanie Losi, Scott Ganow (Verispan), Mike Hubbard (Womble Carlyle Sandridge & Rice, PLLC)
In this podcast, participants discuss the complex legal compliance landscape and how de-identification can help organizations share data more securely.
Listen -
Adapting to Changing Risk Environments: Operational Resilience
May 2007 Podcast
Richard A. Caralli, Stephanie Losi
In this podcast, participants discuss how business leaders need to keep their critical processes and services up and running in the face of the unexpected.
Listen -
Computer Forensics for Business Leaders: A Primer
April 2007 Podcast
Richard Nolan, Stephanie Losi
In this podcast, participants discuss how computer forensics is often overlooked when planning an incident response strategy.
Listen -
The Real Secrets of Incident Management
April 2007 Podcast
Stephanie Losi, Georgia Killcrece, Robin Ruefle
In this podcast, participants explain that incident management is not just technical response, but a cross-enterprise effort.
Listen -
The Legal Side of Global Security
March 2007 Podcast
Jody R. Westby, Stephanie Losi
In this podcast, participants encourage business leaders, including legal counsel, to understand how to tackle complex security issues for a global enterprise.
Listen -
A New Look at the Business of IT Education
March 2007 Podcast
Larry Rogers, Stephanie Losi
System administrators increasingly need business savvy in addition to technical skills, and IT training courses must try to keep pace with this trend.
Listen -
Crisis Communications During a Security Incident
February 2007 Podcast
Kelly Kimberland, Stephanie Losi
In this podcast, participants alert business leaders to be prepared to communicate with the media and their staff during high-profile security incidents.
Listen -
Assuring Mission Success in Complex Environments
February 2007 Podcast
Christopher J. Alberts, Julia H. Allen
In this podcast, participants discuss analysis tools for assessing complex organizational and technological issues that are beyond traditional approaches.
Listen -
Privacy: The Slow Tipping Point
January 2007 Podcast
Stephanie Losi, Alessandro Acquisti (Carnegie Mellon University)
In this podcast, participants discuss a trend toward more data disclosure that may cause users to become desensitized to privacy breaches.
Listen -
Building Staff Competence in Security
January 2007 Podcast
Barbara Laswell, Julia H. Allen
In this podcast, Barbara Laswell describes specifications that define the knowledge, skills, and competencies required for a range of security positions.
Listen -
Evolving Business Models, Threats, and Technologies: A Conversation with CERT's Deputy Director for Technology
December 2006 Podcast
Thomas A. Longstaff, Julia H. Allen
In this podcast, participants discuss how business models are evolving as security threats become more covert and technology enables information migration.
Listen -
Inside Defense-in-Depth
December 2006 Podcast
Kristopher Rush, Stephanie Losi
In this podcast, participants discuss defense-in-depth, a path toward enterprise resilience.
Listen -
Protecting Against Insider Threat
November 2006 Podcast
Dawn Cappelli, Julia H. Allen
In this podcast, Dawn Cappelli describes the real and substantial threat of attack from insiders.
Listen -
Change Management: The Security 'X' Factor
November 2006 Podcast
Gene Kim (IP Services and ITPI), Stephanie Losi
In this podcast, Gene Kim reports how a recent security survey found one factor that separated high performers from the rest of the pack: change management.
Listen -
CERT Lessons Learned: A Conversation with Rich Pethia, Director of CERT
October 2006 Podcast
Richard D. Pethia, Julia H. Allen
In this podcast, Richard Pethia voices his view of the internet security landscape and the future of the CERT Division.
Listen -
The ROI of Security
October 2006 Podcast
Stephanie Losi, Julia H. Allen
In this podcast, Julia Allen explains how ROI is a useful tool because it enables comparison among investments in a consistent way.
Listen -
Compliance vs. Buy-in
October 2006 Podcast
Julia H. Allen, Stephanie Losi
In this podcast, Julia Allen explains why integrating security into standard business processes is more effective than treating security as a compliance task.
Listen -
Why Leaders Should Care About Security
October 2006 Podcast
Bill Pollak, Julia H. Allen
In this podcast, Julia Allen urges leaders to be security conscious and treat adequate security as a non-negotiable requirement of being in business.
Listen -
Proactive Remedies for Rising Threats
October 2006 Podcast
Martin Linder, Stephanie Losi, Julia H. Allen
In this podcast, participants discuss how threats to information security are increasingly stealthy and must be mitigated through sound policy and strategy.
Listen