Technical Papers
The SEI Digital Library houses thousands of technical papers and other documents, ranging from SEI Technical Reports on groundbreaking research to conference proceedings, survey results, and source code.
-
Securing UEFI: An Underpinning Technology for Computing
May 2023 White Paper
Vijay S. Sarvepalli
This paper highlights the technical efforts to secure the UEFI-based firmware that serves as a foundational piece of modern computing environments.
Download -
Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure
May 2023 Technical Report
Timothy A. ChickScott PavettiNataliya Shevchenko
This report describes how analysts can use a model-based systems engineering (MBSE) approach to detect and mitigate cybersecurity risks to a DevSecOps pipeline.
Download -
Program Managers—The DevSecOps Pipeline Can Provide Actionable Data
April 2023 White Paper
Julie B. CohenWilliam Richard Nichols
This paper describes the Automated Continuous Estimation for a Pipeline of Pipelines research project, which automates data collection to track program progress.
Download -
Zero Trust Industry Day 2022: Areas of Future Research
January 2023 White Paper
Matthew NicolaiTrista PolaskiTimothy Morrow
This paper describes the future research discussed at the 2022 Zero Trust Industry Day event.
Download -
Industry Best Practices for Zero Trust Architecture
December 2022 White Paper
Matthew NicolaiNathaniel RichmondTimothy Morrow
This paper describes best practices identified during the SEI’s Zero Trust Industry Day 2022, and provides ways to help organizations shift to zero trust.
Download -
A Strategy for Component Product Lines: Report 1: Scoping, Objectives, and Rationale
December 2022 Special Report
Sholom G. CohenJohn J. HudakJohn McGregor
This report establishes a Component Product Line Strategy to address problems in systematically reusing and integrating components built to conform to component specification models.
Download -
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk
November 2022 Technical Note
Christopher J. AlbertsMichael S. BandorCharles M. Wallen
This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.
Download -
Zero Trust Industry Day Experience Paper
October 2022 White Paper
Timothy MorrowMary PopeckRhonda Brown
This paper describes the results of the 2022 Zero Trust Industry Day event.
Download -
Challenge Development Guidelines for Cybersecurity Competitions
October 2022 Technical Report
Jarrett BoozLeena AroraJoseph Vessella
This paper draws on the SEI’s experience to provide general-purpose guidelines and best practices for developing effective cybersecurity challenges.
Download -
Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk
October 2022 White Paper
Christopher J. AlbertsMichael S. BandorCharles M. Wallen
The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.
Download -
Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
September 2022 Special Report
Allen D. Householder
This report proposes a formal protocol specification for MPCVD to improve the interoperability of both CVD and MPCVD processes.
Download -
Common Sense Guide to Mitigating Insider Threats, Seventh Edition
September 2022 White Paper
The guide describes 22 best practices for mitigating insider threat based on the CERT Division's continued research and analysis of more than 3,000 insider threat cases.
Download -
Coordinated Vulnerability Disclosure User Stories
August 2022 White Paper
Brad RunyonEric HatlebackAllen D. Householder
This paper provides user stories to guide the development of a technical protocol and application programming interface for Coordinated Vulnerability Disclosure.
Download -
Digital Engineering Effectiveness
May 2022 White Paper
Alfred SchenkerTyler Smith (Adventium Labs, Inc.)William Richard Nichols
This paper explores the reluctance of developers of cyber-physical systems to embrace digital engineering (DE), how DE methods should be tailored to achieve their stakeholders' goals, and how to measure the effectiveness of DE-enabled workflows.
Download -
A Brief Introduction to the Evaluation of Learned Models for Aerial Object Detection
May 2022 White Paper
Eric Heim
The SEI AI Division assembled guidance on the design, production, and evaluation of machine-learning models for aerial object detection.
Download -
Guidance for Tailoring DoD Request for Proposals (RFPs) to Include Modeling
April 2022 Special Report
Julie B. CohenTom MerendinoRobert Wojcik
This report provides guidance for government program offices that are including digital engineering/modeling requirements into a request for proposal.
Download -
Modeling to Support DoD Acquisition Lifecycle Events (Version 1.4)
April 2022 White Paper
Julie B. CohenTom MerendinoRob Wojcik
This document provides suggestions for producing requirement, system, and software models that will be used to support various DoD system acquisition lifecycle events.
Download -
Experiences with Deploying Mothra in Amazon Web Services (AWS)
April 2022 Technical Report
Brad PowellDaniel RuefJohn Stogoski
The authors describe development of an at-scale prototype of an on-premises system to test the performance of Mothra in the cloud and provide recommendations for similar deployments.
Download -
Augur: A Step Towards Realistic Drift Detection in Production ML Systems
April 2022 White Paper
Sebastián EcheverríaLena PonsJeff Chrabaszcz (Govini)
The toolset and experiments reported in this paper provide an initial demonstration of (1) drift behavior analysis (2) metrics and thresholds (3) libraries for drift detection.
Download -
Extensibility
April 2022 Technical Report
Rick KazmanSebastián EcheverríaJames Ivers
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for extensibility.
Download -
TwinOps: Digital Twins Meets DevOps
March 2022 Technical Report
Jerome HuguesJohn J. HudakJoseph D. Yankel
This report describes ModDevOps, an approach that bridges model-based engineering and software engineering using DevOps concepts and code generation from models, and TwinOps, a specific ModDevOps pipeline.
Download -
Robustness
March 2022 Technical Report
Rick KazmanPhilip BiancoSebastián Echeverría
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for robustness.
Download -
An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems
March 2022 White Paper
Jonathan Spring
This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing.
Download -
Using XML to Exchange Floating Point Data
February 2022 White Paper
John Klein
This paper explains issues of using XML to exchange floating point values, how to address them, and the limits of technology to enforce a correct implementation.
Download -
Using Machine Learning to Increase NPC Fidelity
December 2021 Technical Report
Dustin D. UpdykeThomas G. PodnarGeoffrey B. Dobson
The authors describe how they used machine learning (ML) modeling to create decision-making preferences for non-player characters (NPCs).
Download -
A Prototype Set of Cloud Adoption Risk Factors
October 2021 White Paper
Christopher J. Alberts
Alberts discusses the results of a study to identify a prototype set of risk factors for adopting cloud technologies.
Download -
Cloud Security Best Practices Derived from Mission Thread Analysis
September 2021 Technical Report
Timothy MorrowVincent LaPianaDonald Faatz
This report presents practices for secure, effective use of cloud computing and risk reduction in transitioning applications and data to the cloud, and considers the needs of limited-resource businesses.
Download -
Accenture: An Automation Maturity Journey
July 2021 Technical Report
Rajendra T. Prasad (Accenture)
This paper describes work in the area of automation that netted Accenture the 2020 Watts Humphrey Software Process Achievement Award.
Download -
Planning and Design Considerations for Data Centers
July 2021 Technical Note
Lyndsi A. HughesDavid SweeneyMark Kasunic
This report shares important lessons learned from establishing small- to mid-size data centers.
Download -
A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
July 2021 Special Report
Allen D. HouseholderJonathan Spring
This report discusses performance indicators that stakeholders in Coordinated Vulnerability Disclosure (CVD) can use to measure its effectiveness.
Download -
Human-Centered AI
June 2021 White Paper
Hollen BarmerRachel DzombakMatt Gaston
This white paper discusses Human-Centered AI: systems that are designed to work with, and for, people.
Download -
Robust and Secure AI
June 2021 White Paper
Hollen BarmerRachel DzombakMatt Gaston
This white paper discusses Robust and Secure AI systems: AI systems that reliably operate at expected levels of performance, even when faced with uncertainty and in the presence of danger or threat.
Download -
Scalable AI
June 2021 White Paper
Hollen BarmerRachel DzombakMatt Gaston
This white paper discusses Scalable AI: the ability of AI algorithms, data, models, and infrastructure to operate at the size, speed, and complexity required for the mission.
Download -
The Sector CSIRT Framework: Developing Sector-Based Incident Response Capabilities
June 2021 Technical Report
Justin NovakBrittany ManleyDavid McIntire
This framework guides the development and implementation of a sector CSIRT.
Download -
Foundation of Cyber Ranges
May 2021 Technical Report
Thomas G. PodnarGeoffrey B. DobsonDustin D. Updyke
This report details the design considerations and execution plan for building high-fidelity, realistic virtual cyber ranges that deliver maximum training and exercise value for cyberwarfare participants.
Download -
Software Assurance Guidance and Evaluation (SAGE) Tool
May 2021 White Paper
Luiz AntunesEbonie McNeilHasan Yasar
The Software Assurance Guidance and Evaluation (SAGE) tool helps an organization assess the security of its systems development and operations practices.
Download -
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)
April 2021 White Paper
Jonathan SpringAllen D. HouseholderEric Hatleback
This paper presents version 2.0 of a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
Download -
Modeling and Validating Security and Confidentiality in System Architectures
March 2021 Technical Report
Aaron GreenhouseJörgen Hansson (University of Skovde)Lutz Wrage
This report presents an approach for modeling and validating confidentiality using the Bell–LaPadula security model and the Architecture Analysis & Design Language.
Download -
Overview of Practices and Processes of the CMMC 1.0 Assessment Guides (CMMC 1.0)
March 2021 White Paper
Douglas Daniel Gardner
This document is intended to help anyone unfamiliar with cybersecurity standards get started with the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).
Download -
Zero Trust: Risks and Research Opportunities
March 2021 White Paper
Geoffrey T. SandersTimothy Morrow
This paper describes a zero trust vignette and three mission threads that highlight risks and research areas to consider for zero trust environments.
Download -
Artificial Intelligence (AI) and Machine Learning (ML) Acquisition and Policy Implications
February 2021 White Paper
William E. Novak
This paper reports on a high-level survey of a set of both actual and potential acquisition and policy implications of the use of Artificial Intelligence (AI) and Machine Learning (ML) technologies.
Download -
Security Engineering Risk Analysis (SERA) Threat Archetypes
December 2020 White Paper
Christopher J. AlbertsCarol Woody, PhD
This report examines the concept of threat archetypes and how analysts can use them during scenario development.
Download -
Loss Magnitude Estimation in Support of Business Impact Analysis
December 2020 Technical Report
Daniel J. KambicAndrew P. MooreDavid Tobar
The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.
Download -
Emerging Technologies 2020: Six Areas of Opportunity
December 2020 White Paper
This study seeks to understand what the software engineering community perceives to be key emerging technologies. The six technologies described hold great promise and, in some cases, have already attracted the interest of the Department of Defense.
Download -
Maintainability
December 2020 Technical Report
Rick KazmanPhilip BiancoJames Ivers
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for maintainability.
Download -
Advancing Risk Management Capability Using the OCTAVE FORTE Process
November 2020 Technical Note
Brett Tucker
OCTAVE FORTE is a process model that helps organizations evaluate their security risks and use ERM principles to bridge the gap between executives and practitioners.
Download -
Analytic Capabilities for Improved Software Program Management
November 2020 White Paper
David ZubrowChristopher Miller
This white paper describes an update to the SEI Quantifying Uncertainty in Early Lifecycle Cost Estimation approach.
Download -
AI Engineering for Defense and National Security: A Report from the October 2019 Community of Interest Workshop
October 2020 Special Report
Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for AI Engineering for Defense and National Security.
Download -
NICE Framework Cybersecurity Evaluator
August 2020 White Paper
Christopher Herr
This cybersecurity evaluator is designed to assess members of the cyber workforce within the scope of the NICE Cybersecurity Workforce Framework.
Download -
Current Ransomware Threats
August 2020 White Paper
Marisa MidlerKyle O'Meara
This report by Marisa Midler, Kyle O'Meara, and Alexandra Parisi discusses ransomware, including an explanation of its design, distribution, execution, and business model.
Download -
An Updated Framework of Defenses Against Ransomware
August 2020 White Paper
Timur D. SnokeTimothy J. Shimeall
This report, loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against Ransomware-as-a-Service (RaaS) as well as direct ransomware attacks.
Download -
Historical Analysis of Exploit Availability Timelines
August 2020 White Paper
Allen D. HouseholderJeff Chrabaszcz (Govini)Trent Novelly
This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible.
Download -
Architecture Evaluation for Universal Command and Control
August 2020 White Paper
John KleinPatrick DonohoePhilip Bianco
The SEI developed an analysis method to assess function allocations in existing C2 systems and reason about design choices and tradeoffs during the design of new C2 systems.
Download -
A Risk Management Perspective for AI Engineering
June 2020 White Paper
Brett Tucker
This paper describes several steps of OCTAVE FORTE in the context of adopting AI technology.
Download -
Attack Surface Analysis - Reduce System and Organizational Risk
June 2020 White Paper
Carol Woody, PhDRobert J. Ellison
This paper offers system defenders an overview of how threat modeling can provide a systematic way to identify potential threats and prioritize mitigations.
Download -
Guide to Implementing DevSecOps for a System of Systems in Highly Regulated Environments
April 2020 Technical Report
Jose A. MoralesRichard TurnerSuzanne Miller
This Technical Report provides guidance to projects interested in implementing DevSecOps (DSO) in defense or other highly regulated environments, including those involving systems of systems.
Download -
Integrability
February 2020 Technical Report
Rick KazmanPhilip BiancoJames Ivers
This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for integrability.
Download -
Comments on NISTIR 8269 (A Taxonomy and Terminology of Adversarial Machine Learning)
February 2020 White Paper
April GalyardtNathan M. VanHoudnosJonathan Spring
Feedback to the U.S. National Institute of Standards and Technology (NIST) about NIST IR 8269, a draft report detailing the proposed taxonomy and terminology of Adversarial Machine Learning (AML).
Download -
Penetration Tests Are The Check Engine Light On Your Security Operations
January 2020 White Paper
Allen D. HouseholderDan J. Klinedinst
A penetration test serves as a lagging indicator of a network security operations problem. Organizations should implement and document several security controls before a penetration test can be useful.
Download -
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization
December 2019 White Paper
Jonathan SpringEric HatlebackAllen D. Householder
This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
Download -
AI Engineering: 11 Foundational Practices
September 2019 White Paper
This initial set of recommendations can help organizations that are beginning to build, acquire, and integrate artificial intelligence capabilities into business and mission systems.
Download -
Machine Learning in Cybersecurity: A Guide
September 2019 Technical Report
Jonathan SpringJoshua FallonApril Galyardt
This report suggests seven key questions that managers and decision makers should ask about machine learning tools to effectively use those tools to solve cybersecurity problems.
Download -
Operational Test & Evaluation (OT&E) Roadmap for Cloud-Based Systems
September 2019 White Paper
Carol Woody, PhDChristopher J. AlbertsJohn Klein
This paper provides an overview of the preparation and work that the AEC needs to perform to successfully transition the Army to cloud computing.
Download -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2018: U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate
August 2019 Technical Report
Victor A. Elias (U.S. Army CCDC Armaments Center, Fire Control Systems and Technology Directorate)
This report presents a systemic approach to software development process improvement and its impact for the U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate (FCSTD) and its stakeholders.
Download -
Overview of Risks, Threats, and Vulnerabilities Faced in Moving to the Cloud
July 2019 Technical Report
Timothy MorrowKelwyn PenderCarrie Lee (U.S. Department of Veteran Affairs)
This report, updated in October 2020, examines the changes to risks, threats, and vulnerabilities when applications are deployed to cloud services.
Download -
Automatically Detecting Technical Debt Discussions
June 2019 White Paper
Ipek OzkayaZachary KurtzRobert Nord
This study introduces (1) a dataset of expert labels of technical debt in developer comments and (2) a classifier trained on those labels.
Download -
Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem
June 2019 White Paper
Andrew P. MooreAllen D. Householder
This paper presents modeling and analysis of two critical foundational processes of the cybersecurity vulnerability management ecosystem using a combination of system dynamics and agent-based modeling techniques.
Download -
SCAIFE API Definition Beta Version 0.0.2 for Developers
June 2019 White Paper
Lori FlynnEbonie McNeil
This paper provides the SCAIFE API definition for beta version 0.0.2. SCAIFE is an architecture that supports static analysis alert classification and prioritization.
Download -
Creating xBD: A Dataset for Assessing Building Damage from Satellite Imagery
May 2019 White Paper
We present a preliminary report for xBD, a new large-scale dataset for the advancement of change detection and building damage assessment for humanitarian assistance and disaster recovery research.
Download -
Integration of Automated Static Analysis Alert Classification and Prioritization with Auditing Tools: Special Focus on SCALe
May 2019 Technical Report
Lori FlynnEbonie McNeilDavid Svoboda
This report summarizes progress and plans for developing a system to perform automated classification and advanced prioritization of static analysis alerts.
Download -
Cybersecurity Career Paths and Progression
May 2019 White Paper
Dennis M. AllenMarie BakerMelissa Burns
This paper explores the current state of cybersecurity careers, from the importance of early exposure, to methods of entry into the field, to career progression.
Download -
Cybersecurity Talent Identification and Assessment
May 2019 White Paper
Dennis M. AllenChristopher HerrMarie Baker
To help fill cybersecurity roles, this paper explores how organizations identify talent, discusses assessment capabilities, and provides recommendations on recruitment and talent evaluations.
Download -
Cybersecurity Careers of the Future
May 2019 White Paper
Dennis M. Allen
Using workforce data analysis, this paper identifies key cybersecurity skills the workforce needs to close the cybersecurity workforce gap.
Download -
A Targeted Improvement Plan for Service Continuity
April 2019 Technical Note
Andrew F. HooverGavin JureckoJeffrey L. Pinckard
Describes how an organization can leverage the results of a Cyber Resilience Review to create a Targeted Improvement Plan for its service continuity management.
Download -
Exploring the Use of Metrics for Software Assurance
March 2019 Technical Note
Carol Woody, PhDRobert J. EllisonCharlie Ryan
This report proposes measurements for each Software Assurance Framework (SAF) practice that a program can select to monitor and manage the progress it's making toward software assurance.
Download -
Common Sense Guide to Mitigating Insider Threats, Sixth Edition
February 2019 Technical Report
Michael C. TheisRandall F. TrzeciakDaniel L. Costa
The guide presents recommendations for mitigating insider threat based on the CERT Division's continued research and analysis of more than 1,500 insider threat cases.
Download -
An Approach for Integrating the Security Engineering Risk Analysis (SERA) Method with Threat Modeling
February 2019 White Paper
Christopher J. AlbertsCarol Woody, PhD
This report examines how cybersecurity data generated by a threat modeling method can be integrated into a mission assurance context using the SERA Method.
Download -
Infrastructure as Code: Final Report
January 2019 White Paper
John KleinDoug Reynolds
This project explored the feasibility of infrastructure as code, developed prototype tools, populated a model of the deployment architecture, and automatically generated IaC scripts from the model.
Download -
Incident Management Capability Assessment
December 2018 Technical Report
Audrey J. DorofeeRobin RuefleMark Zajicek
The capabilities presented in this report provide a benchmark of incident management practices.
Download -
Program Manager's Guidebook for Software Assurance
December 2018 Special Report
Kenneth NidifferCarol Woody, PhDTimothy A. Chick
This guidebook helps program managers address the software assurance responsibilities critical in defending software-intensive systems, including mission threads and cybersecurity.
Download -
DoD Developer’s Guidebook for Software Assurance
December 2018 Special Report
William NicholsTom Scanlon
This guidebook helps software developers for DoD programs understand expectations for software assurance and standards and requirements that affect assurance.
Download -
Towards Improving CVSS
December 2018 White Paper
Jonathan SpringEric HatlebackAllen D. Householder
This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).
Download -
GHOSTS in the Machine: A Framework for Cyber-Warfare Exercise NPC Simulation
December 2018 Technical Report
Dustin D. UpdykeGeoffrey B. DobsonThomas G. Podnar
This report outlines how the GHOSTS (General HOSTS) framework helps create realism in cyber-warfare simulations and discusses how it was used in a case study.
Download -
Composing Effective Software Security Assurance Workflows
October 2018 Technical Report
William NicholsJim McHaleDavid Sweeney
In an effort to determine how to make secure software development more cost effective, the SEI conducted a research study to empirically measure the effects that security tools—primarily automated static analysis tools—had on costs and benefits.
Download -
FedCLASS: A Case Study of Agile and Lean Practices in the Federal Government
October 2018 Special Report
Nanette BrownJeff DavenportLinda Parker Gates
This study reports the successes and challenges of using Agile and Lean methods and cloud-based technologies in a government software development environment.
Download -
Threat Modeling for Cyber-Physical System-of-Systems: Methods Evaluation
September 2018 White Paper
Nataliya ShevchenkoBrent FryeCarol Woody, PhD
This paper compares threat modeling methods for cyber-physical systems and recommends which methods (and combinations of methods) to use.
Download -
Software Architecture Publications
September 2018 White Paper
The SEI compiled this bibliography of publications about software architecture as a resource for information about system architecture throughout its lifecycle.
Download -
Practical Precise Taint-flow Static Analysis for Android App Sets
August 2018 White Paper
William KlieberLori FlynnWilliam Snavely
This paper describes how to detect taint flow in Android app sets with a static analysis method that is fast and uses little disk and memory space.
Download -
Threat Modeling: A Summary of Available Methods
August 2018 White Paper
Nataliya ShevchenkoTimothy A. ChickPaige O'Riordan
This paper discusses twelve threat modeling methods from a variety of sources that target different parts of the development process.
Download -
Navigating the Insider Threat Tool Landscape: Low-Cost Technical Solutions to Jump-Start an Insider Threat Program
July 2018 White Paper
Derrick SpoonerGeorge SilowashDaniel L. Costa
This paper explores low cost technical solutions that can help organizations prevent, detect, and respond to insider incidents.
Download -
Blacklist Ecosystem Analysis: July - December 2017
April 2018 White Paper
Eric HatlebackLeigh B. Metcalf
This short report provides a summary of the various analyses of the blacklist ecosystem performed from July 1, 2017, through December 31, 2017.
Download -
ROI Analysis of the System Architecture Virtual Integration Initiative
April 2018 Technical Report
Jörgen Hansson (University of Skovde)Steve Helton (The Boeing Company)Peter H. Feiler
This report presents an analysis of the economic effects of the System Architecture Virtual Integration approach on the development of software-reliant systems for aircraft compared to existing development paradigms.
Download -
Implementing DevOps Practices in Highly Regulated Environments
April 2018 White Paper
Jose A. MoralesHasan YasarAaron Volkmann
In this paper, the authors layout the process with insights on performing a DevOps assessment in a highly regulated environment.
Download -
A Mapping of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the Cyber Resilience Review (CRR)
March 2018 Technical Note
Greg Porter (Heinz College at Carnegie Mellon University)Matthew TrevorsRobert A. Vrtis
This technical note describes mapping of HIPAA Security Rule requirements to practice questions found in the CERT Cyber Resilience Review for organizations' use in HIPAA compliance.
Download -
A Hybrid Threat Modeling Method
March 2018 Technical Note
Nancy R. MeadForrest ShullKrishnamurthy Vemuru (University of Virginia)
Presents a hybrid method of threat modeling that attempts to meld the desirable features of three methods: Security Cards, Persona non Grata, and STRIDE.
Download -
Cyber Mutual Assistance Workshop Report
February 2018 Special Report
Jonathon Monken (PJM Interconnection)Fernando Maymi, PhD (Army Cyber Institute)Dan Bennett, PhD (Army Cyber Institute)
The Army Cyber Institute hosted a Cyber Mutual Assistance Workshop to identify challenges in defining cyber requirements for Regional Mutual Assistance Groups.
Download -
Embedded Device Vulnerability Analysis Case Study Using Trommel
December 2017 White Paper
Madison OliverKyle O'Meara
This document provides security researchers with a repeatable methodology to produce more thorough and actionable results when analyzing embedded devices for vulnerabilities.
Download -
2017 Emerging Technology Domains Risk Survey
October 2017 Technical Report
Dan J. KlinedinstJoel LandKyle O'Meara
This report describes our understanding of future technologies and helps US-CERT identify vulnerabilities, promote security practices, and understand vulnerability risk.
Download -
R-EACTR: A Framework for Designing Realistic Cyber Warfare Exercises
September 2017 Technical Report
Geoffrey B. DobsonThomas G. PodnarAdam D. Cerini
R-EACTR is a design framework for cyber warfare exercises. It ensures that designs of team-based exercises factor realism into all aspects of the participant experience.
Download -
Architecture Practices for Complex Contexts
September 2017 White Paper
John Klein
This doctoral thesis, completed at Vrije Universiteit Amsterdam, focuses on software architecture practices for systems of systems, including data-intensive systems.
Download -
Defining a Progress Metric for CERT-RMM Improvement
September 2017 Technical Note
Gregory Crabb (United States Postal Service)Nader Mehravari (Axio Global)David Tobar
Describes the Cybersecurity Program Progress Metric and how its implementation in a large, diverse U.S. national organization can serve to indicate progress toward improving cybersecurity and resilience capabilities.
Download -
Blacklist Ecosystem Analysis: January - June, 2017
August 2017 White Paper
Eric HatlebackLeigh B. Metcalf
This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this report covers the time period from January through June 2017.
Download -
The CERT Guide to Coordinated Vulnerability Disclosure
August 2017 Special Report
Allen D. HouseholderGarret WassermannArt Manion
This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go awry and how to respond when it does so.
Download -
Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers
July 2017 Special Report
Joel Land
This report describes a test framework that the CERT/CC developed to identify systemic and other vulnerabilities in CPE routers.
Download -
Department of Defense Software Factbook
July 2017 Technical Report
Brad ClarkChristopher MillerJames McCurley
In this report, the Software Engineering Institute has analyzed data related to DoD software projects and translated it into information that is frequently sought-after across the DoD.
Download -
DidFail: Coverage and Precision Enhancement
July 2017 Technical Report
Karan Dwivedi (No Affiliation)Hongli Yin (No Affiliation)Pranav Bagree (No Affiliation)
This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.
Download -
The Hard Choices Game Explained
June 2017 White Paper
Nanette BrownPhilippe KruchtenErin Lim
The Hard Choices game is a simulation of the software development cycle meant to communicate the concepts of uncertainty, risk, and technical debt.
Download -
Federal Virtual Training Environment (FedVTE)
June 2017 White Paper
Marie BakerApril GalyardtDominic A. Ross
The Federal Virtual Training Environment (FedVTE) is an online, on‐demand training system containing cybersecurity and certification prep courses, at no cost to federal, state, and local government employees.
Download -
Blacklist Ecosystem Analysis: July – December 2016
June 2017 White Paper
Eric HatlebackLeigh B. Metcalf
This report provides a summary of various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this report covers the time period from July 1 through December 31, 2016.
Download -
Guide to Software Architecture Tools
May 2017 White Paper
This document discusses tools and methods for analyzing the architecture, establishing requirements, evaluating the architecture, and defining the architecture.
Download -
System-of-Systems Software Architecture Evaluation
May 2017 White Paper
System-of-Systems Software Architecture Evaluation
Download -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award
May 2017 White Paper
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award
Download -
SEI-Certified PSP Developer Examination: Sample Questions
May 2017 White Paper
This page contains sample questions similar to those found on the PSP Developer examination.
Download -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2016: Raytheon Integrated Defense Systems
April 2017 Technical Report
Neal Mackertich (Raytheon)Peter Kraus (Raytheon)Kurt Mittelstaedt (Raytheon)
The Raytheon Integrated Defense Systems DFSS team has been recognized with the 2016 Watts Humphrey Software Process Achievement Award.
Download -
IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement (SPA) Award 2016: Nationwide
April 2017 Technical Report
Will J.M. Pohlman (Nationwide IT)
This report describes the 10-year history of Nationwide's software process improvement journey. Nationwide received the 2016 Watts Humphrey Software Process Achievement Award from the SEI and IEEE.
Download -
Prototype Software Assurance Framework (SAF): Introduction and Overview
April 2017 Technical Note
Christopher J. AlbertsCarol Woody, PhD
In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
Download -
15 Tips for Preparing and Delivering a Great Presentation at SATURN
March 2017 White Paper
You submitted a proposal to SATURN, and it got accepted. Congratulations! Here are 15 tips for creating and giving a great presentation at SATURN.
Download -
The CISO Academy
February 2017 White Paper
Pamela D. CurtisSummer C. FowlerDavid Tobar
In this paper, the authors describe the project that led to the creation of the U.S. Postal Service's CISO Academy.
Download -
Agile Acquisition and Milestone Reviews
February 2017 White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 4
Download -
Management and Contracting Practices for Agile Programs
February 2017 White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 3
Download -
Estimating in Agile Acquisition
February 2017 White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 5
Download -
Agile Development and DoD Acquisitions
February 2017 White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 1
Download -
Agile Culture in the DoD
February 2017 White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 2
Download -
Adopting Agile in DoD IT Acquisitions
February 2017 White Paper
Acquisition & Management Concerns for Agile Use in Government Series - 6
Download -
Supply Chain and Commercial-off-the-Shelf (COTS) Assurance
January 2017 White Paper
The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.
Download -
COTS-Based Systems
January 2017 White Paper
This paper presents a summary of SEI commercial off-the-shelf (COTS) software documents and COTS tools.
Download -
Create a CSIRT
January 2017 White Paper
This white paper discusses the issues and decisions organizations should address when planning, implementing, and building a CSIRT.
Download -
Skills Needed When Staffing Your CSIRT
January 2017 White Paper
This white paper describes a set of skills that CSIRT staff members should have to provide basic incident-handling services.
Download -
CSIRT Frequently Asked Questions (FAQ)
January 2017 White Paper
This FAQ addresses CSIRTS, organizations responsible for receiving, reviewing, and responding to computer security incident reports and activity.
Download -
CERT-RMM Capability Appraisals
January 2017 White Paper
The white paper describe CERT-RMM appraisals and the benefits they offer organizations.
Download -
A Technical History of the SEI
January 2017 Special Report
Larry Druffel
This report chronicles the technical accomplishments of the Software Engineering Institute and its impact on the Department of Defense software community, as well as on the broader software engineering community.
Download -
SQUARE Frequently Asked Questions (FAQ)
January 2017 White Paper
This paper contains information about SQUARE, a process that helps organizations build security into the early stages of the software production lifecycle.
Download -
Common Sense Guide to Mitigating Insider Threats, Fifth Edition
December 2016 Technical Report
Matthew L. CollinsMichael C. TheisRandall F. Trzeciak
Presents recommendations for mitigating insider threat based on CERT's continued research and analysis of over 1,000 cases.
Download -
Architecture-Led Safety Process
December 2016 Technical Report
Peter H. FeilerJulien DelangeDavid P. Gluch
Architecture-Led Safety Analysis (ALSA) is a safety analysis method that uses early architecture knowledge to supplement traditional safety analysis techniques to identify faults as early as possible.
Download -
The Critical Role of Positive Incentives for Reducing Insider Threats
December 2016 Technical Report
Andrew P. MooreJeff SavindaElizabeth A. Monaco
This report describes how positive incentives complement traditional practices to provide a better balance for organizations' insider threat programs.
Download -
Update 2016: Considerations for Using Agile in DoD Acquisition
December 2016 Technical Note
Suzanne MillerDan Ward (Dan Ward Consulting)Mary Ann Lapham
This report updates a 2010 technical note, addressing developments in commercial Agile practices as well as the Department of Defense (DoD) acquisition environment.
Download -
Scaling Agile Methods for Department of Defense Programs
December 2016 Technical Note
Will HayesMary Ann LaphamSuzanne Miller
This report discusses methods for scaling Agile processes to larger software development programs in the Department of Defense.
Download -
Low Cost Technical Solutions to Jump Start an Insider Threat Program
December 2016 Technical Note
George SilowashDerrick SpoonerDaniel L. Costa
This technical note explores free and low cost technical solutions to help organizations prevent, detect, and respond to malicious insiders.
Download -
RFP Patterns and Techniques for Successful Agile Contracting
December 2016 Special Report
Mary Ann LaphamLarri Ann Rosser (Raytheon Intelligence Information and Services)Steven Martin (Space and Missile Systems Center)
This report discusses request-for-proposal patterns and techniques for successfully contracting a federal Agile project.
Download -
Ultra-Large-Scale Systems: Socio-adaptive Systems
December 2016 White Paper
Scott HissamMark H. KleinGabriel Moreno
Ultra-large-scale systems are interdependent webs of software, people, policies, and economics. In socio-adaptive systems, human and software interact as peers.
Download -
Cyber-Physical Systems
December 2016 White Paper
Bjorn AnderssonSagar ChakiDionisio de Niz
Cyber-physical systems (CPS) integrate computational algorithms and physical components. SEI promotes efficient development of high-confidence, distributed CPS.
Download -
Pervasive Mobile Computing
December 2016 White Paper
William AndersonJeff BolengBen W. Bradshaw
Pervasive mobile computing focuses on how soldiers and first responders can use smartphones, tablets, and other mobile/wearable devices at the tactical edge.
Download -
Predictability by Construction
December 2016 White Paper
Sagar ChakiScott HissamGabriel Moreno
Predictability by construction (PBC) makes the behavior of a component-based system predictable before implementation, based on known properties of components.
Download -
Blacklist Ecosystem Analysis: January – June, 2016
December 2016 White Paper
Leigh B. MetcalfEric Hatleback
This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this report covers the time period from January through June 2016.
Download -
FAA Research Project on System Complexity Effects on Aircraft Safety: Testing the Identified Metrics
November 2016 White Paper
Michael D. KonradSarah SheardCharles B. Weinstock
This report describes a test of an algorithm for estimating the complexity of a safety argument.
Download -
FAA Research Project on System Complexity Effects on Aircraft Safety: Estimating Complexity of a Safety Argument
November 2016 White Paper
Michael D. KonradSarah SheardCharles B. Weinstock
This report presents a formula for estimating the complexity of an avionics system and directly connects that complexity to the size of its safety argument.
Download -
FAA Research Project on System Complexity Effects on Aircraft Safety: Identifying the Impact of Complexity on Safety
November 2016 White Paper
Sarah SheardCharles B. WeinstockMichael D. Konrad
This report organizes our work on the impact of software complexity on aircraft safety by asking, “How can complexity complicate safety and, thus, certification?”
Download -
FAA Research Project on System Complexity Effects on Aircraft Safety: Candidate Complexity Metrics
November 2016 White Paper
William NicholsSarah Sheard
This special report identifies candidate measures of complexity for systems with embedded software that relate to safety, assurability, or both.
Download -
FAA Research Project on System Complexity Effects on Aircraft Safety: Literature Search to Define Complexity for Avionics Systems
November 2016 White Paper
Michael D. KonradSarah Sheard
This special report describes the results of a literature review sampling what is known about complexity for application in the context of safety and assurance.
Download -
Seven Proposal-Writing Tips That Make Conference Program Committees Smile
November 2016 White Paper
Bill Pollak
Writing a great session proposal for a conference is difficult. Here are seven tips for writing a session proposal that will make reviewers go from frown to smile.
Download -
Definition and Measurement of Complexity in the Context of Safety Assurance
October 2016 Technical Report
Sarah SheardMichael D. KonradCharles B. Weinstock
This report describes research to define complexity measures for avionics systems to help the FAA identify when systems are too complex to assure their safety.
Download -
Establishing Trusted Identities in Disconnected Edge Environments
October 2016 White Paper
Sebastián Echeverría (Universidad de los Andes)Dan J. KlinedinstKeegan M. Williams
he goal of this paper is to present a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field.
Download -
A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)
October 2016 Technical Note
Jeffrey L. PinckardMichael RattiganRobert A. Vrtis
To help financial organizations assess cyber resilience, we map FFIEC Cybersecurity Assessment Tool (CAT) statements to Cyber Resilience Review (CRR) questions.
Download -
Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach
September 2016 White Paper
John HallerCharles M. Wallen
A resilience-based approach can help financial services organizations to manage cybersecurity risks from outsourcing and comply with federal regulations.
Download -
Agile Development in Government: Myths, Monsters, and Fables
September 2016 White Paper
David J. CarneySuzanne MillerMary Ann Lapham
This volume is a reflection on attitudes toward Agile software development now current in the government workplace.
Download -
Striving for Effective Cyber Workforce Development
September 2016 White Paper
Marie Baker
This paper reviews the issue of cyber awareness and identify efforts to combat this deficiency and concludes with strategies moving forward.
Download -
Segment-Fixed Priority Scheduling for Self-Suspending Real-Time Tasks
August 2016 Technical Report
Junsung KimBjorn AnderssonDionisio de Niz
This report describes schedulability analyses and proposes segment-fixed priority scheduling for self-suspending tasks.
Download -
Creating Centralized Reporting for Microsoft Host Protection Technologies: The Enhanced Mitigation Experience Toolkit (EMET)
August 2016 Technical Note
Craig LewisJoseph Tammariello
This report describes how to set up a centralized reporting console for the Windows Enhanced Mitigation Experience Toolkit.
Download -
The QUELCE Method: Using Change Drivers to Estimate Program Costs
August 2016 Technical Note
Sarah Sheard
This technical note introduces Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), a method for estimating program costs early in development.
Download -
Blacklist Ecosystem Analysis: 2016 Update
August 2016 White Paper
Leigh B. MetcalfEric HatlebackJonathan Spring
This white paper, which is the latest in a series of regular updates, builds upon the analysis of blacklists presented in our 2013 and 2014 reports.
Download -
Architecture Fault Modeling and Analysis with the Error Model Annex, Version 2
June 2016 Technical Report
Peter H. FeilerJohn J. HudakJulien Delange
This report describes the Error Model Annex, Version 2 (EMV2), notation for architecture fault modeling, which supports safety, reliability, and security analyses.
Download -
A Requirement Specification Language for AADL
June 2016 Technical Report
Peter H. FeilerJulien DelangeLutz Wrage
This report describes a textual requirement specification language, called ReqSpec, for the Architecture Analysis & Design Language (AADL) and demonstrates its use.
Download -
DMPL: Programming and Verifying Distributed Mixed-Synchrony and Mixed-Critical Software
June 2016 Technical Report
Sagar ChakiDavid Kyle
DMPL is a language for programming distributed real-time, mixed-criticality software. It supports distributed systems in which each node executes a set of periodic real-time threads that are scheduled by priority and criticality.
Download -
Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines
June 2016 Special Report
Christopher J. AlbertsAudrey J. DorofeeCarol Woody, PhD
This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element of the Wireless Emergency Alert pipeline.
Download -
Report Writer and Security Requirements Finder: User and Admin Manuals
June 2016 Special Report
Nancy R. MeadAnand Sankalp (Carnegie Mellon University)Gupta Anurag (Carnegie Mellon)
This report presents instructions for using the Malware-driven Overlooked Requirements (MORE) website applications.
Download -
Applying the Goal-Question-Indicator-Metric (GQIM) Method to Perform Military Situational Analysis
May 2016 Technical Note
Douglas Gray
This report describes how to use the goal-question-indicator-metric method in tandem with the military METT-TC method (mission, enemy, time, terrain, troops available, and civil-military considerations).
Download -
An Insider Threat Indicator Ontology
May 2016 Technical Report
Daniel L. CostaMichael J. AlbrethsenMatthew L. Collins
This report presents an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated.
Download -
Using Honeynets and the Diamond Model for ICS Threat Analysis
May 2016 Technical Report
John KotheimerKyle O'MearaDeana Shick
This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure attackers.
Download -
2016 State of Cybercrime Survey
May 2016 White Paper
This paper examines the current state of cybercrime and explores how organizations and individuals respond to cybercrime threats.
Download -
The QUELCE Method: Using Change Drivers to Estimate Program Costs
April 2016 White Paper
Sarah Sheard
This report introduces the Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE) method for estimating program costs early in a development lifecycle.
Download -
A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology
April 2016 Technical Report
Deana ShickKyle O'Meara
As they constantly change network infrastructure, adversaries consistently use and update their tools. This report presents a way for researchers to begin threat analysis with those tools rather than with network or incident data alone.
Download -
On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle
April 2016 White Paper
Dan J. KlinedinstChristopher King
This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.
Download -
2016 Emerging Technology Domains Risk Survey
April 2016 Technical Report
Christopher KingDan J. KlinedinstTodd Lewellen
This 2016 report provides a snapshot of our current understanding of future technologies.
Download -
Malware Capability Development Patterns Respond to Defenses: Two Case Studies
March 2016 White Paper
Kyle O'MearaDeana ShickJonathan Spring
In this paper, the authors describe their analysis of two case studies to outline the relationship between adversaries and network defenders.
Download -
Cyber-Foraging for Improving Survivability of Mobile Systems
February 2016 Technical Report
Sebastián Echeverría (Universidad de los Andes)Grace LewisJames Root
This report presents an architecture and experimental results that demonstrate that cyber-foraging using tactical cloudlets increases the survivability of mobile systems.
Download -
CERT-RMM Version 1.2 Release Notes
February 2016 White Paper
This document contains the release notes for CERT-RMM Version 1.2, released February 2014.
Download -
DoD Software Factbook
December 2015 White Paper
Brad ClarkJames McCurleyDavid Zubrow
This DoD Factbook is an initial analysis of software engineering data from the perspective of policy and management questions about software projects.
Download -
Architecture-Led Safety Analysis of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
December 2015 Special Report
Peter H. Feiler
This report summarizes an architecture-led safety analysis of the aircraft-survivability situation-awareness system for the Joint Multi-Role vertical lift program.
Download -
Requirements and Architecture Specification of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
December 2015 Special Report
Peter H. Feiler
This report describes a method for capturing information from requirements documents in AADL and the draft Requirement Definition & Analysis Language Annex.
Download -
Potential System Integration Issues in the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
December 2015 Special Report
Peter H. FeilerJohn J. Hudak
This report describes a method for capturing information from requirements documents in AADL to identify potential integration problems early in system development.
Download -
Extending AADL for Security Design Assurance of Cyber-Physical Systems
December 2015 Technical Report
Robert J. EllisonAllen D. HouseholderJohn J. Hudak
This report demonstrates the viability and limitations of using the Architecture Analysis and Design Language (AADL) through an extended example that allows for specifying and analyzing the security properties of an automotive electronics system.
Download -
Cybersecurity Considerations for Vehicles
December 2015 White Paper
Mark ShermanJens Palluch (Method Park)
In this paper the authors discuss the number of ECUs and software in modern vehicles and the need for cybersecurity to include vehicles.
Download -
Analytic Approaches to Detect Insider Threats
December 2015 White Paper
This paper identifies steps that organizations can use to enhance their security posture to detect potential insider threats.
Download -
Intelligence Preparation for Operational Resilience (IPOR)
December 2015 Special Report
Douglas Gray
The author describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).
Download -
Evaluating and Mitigating the Impact of Complexity in Software Models
December 2015 Technical Report
Julien DelangeJim McHaleJohn J. Hudak
This report defines software complexity, metrics for complexity, and the effects of complexity on cost and presents an analysis tool to measure complexity in models.
Download -
Cyber + Culture Early Warning Study
November 2015 Special Report
Char Sample
This study was designed to profile cyber actors, and to examine the time interval between cyber and kinetic events in order to gain greater insights into nation-state cyber responses to kinetic events.
Download -
Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls
October 2015 White Paper
Andrew P. MooreWilliam E. NovakMatthew L. Collins
In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and to engage the community to discuss its concerns.
Download -
Structuring the Chief Information Security Officer Organization
October 2015 Technical Note
Julia H. AllenGregory Crabb (U.S. Postal Inspection Service)Pamela D. Curtis
The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.
Download -
Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution
September 2015 Technical Report
Douglas GrayBrian D. WisniewskiJulia H. Allen
This technical report focuses on cybersecurity at the indirect, strategic level. It discusses how cybersecurity decision makers at the tactical or implementation level can establish a supportive contextual environment to help enable their success.
Download -
Secure Coding Analysis of an AADL Code Generator's Runtime System
September 2015 White Paper
David Keaton
This paper describes a secure coding analysis of the PolyORB-HI-C runtime system used by C language code output from the Ocarina AADL code generator.
Download -
Contracting for Agile Software Development in the Department of Defense: An Introduction
August 2015 Technical Note
Eileen WrubelJon Gross
This technical note addresses effective contracting for Agile software development and offers a primer on Agile based on a contracting officer's goals.
Download -
CND Equities Strategy
July 2015 White Paper
Jonathan SpringEd Stoner
In this paper, the authors discuss strategies for successful computer network defense (CND) based on considering the adversaries' responses.
Download -
Comments on Bureau of Industry and Security (BIS) Proposed Rule Regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation for Intrusion and Surveillance Items
July 2015 White Paper
Allen D. HouseholderArt Manion
In this paper, CERT researchers comment on the proposed rule, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items.
Download -
Enabling Incremental Iterative Development at Scale: Quality Attribute Refinement and Allocation in Practice
June 2015 Technical Report
Neil ErnstStephany BellomoRobert Nord
This report describes industry practices used to develop business capabilities and suggests approaches to enable large-scale iterative development, or agile at scale.
Download -
State of Practice Report: Essential Technical and Nontechnical Issues Related to Designing SoS Platform Architectures
May 2015 Technical Report
Sholom G. CohenJohn Klein
This report analyzes the state of the practice in system-of-systems (SoS) development, based on 12 interviews of leading SoS developers in the DoD and industry.
Download -
Emerging Technology Domains Risk Survey
April 2015 Technical Note
Christopher KingJonathan ChuAndrew O. Mellinger
This report provides a snapshot in time of our current understanding of future technologies.
Download -
SCALe Analysis of JasPer Codebase
April 2015 White Paper
David Svoboda
In this paper, David Svoboda provides the findings of a SCALe audit on a codebase.
Download -
Model-Driven Engineering: Automatic Code Generation and Beyond
March 2015 Technical Note
John KleinHarry L. LevinsonJay Marchetti
This report offers guidance on selecting, analyzing, and evaluating model-driven engineering tools for automatic code generation in acquired systems.
Download -
Defining a Maturity Scale for Governing Operational Resilience
March 2015 Technical Note
Katie C. StewartJulia H. AllenAudrey J. Dorofee
Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.
Download -
SEI SPRUCE Project: Curating Recommended Practices for Software Producibility
March 2015 White Paper
Michael D. KonradB. Craig MeyersTamara Marshall-Keim
This paper describes the Systems and Software Producibility Collaboration Environment (SPRUCE) project and the resulting recommended practices on five software topics.
Download -
Improving Quality Using Architecture Fault Analysis with Confidence Arguments
March 2015 Technical Report
Peter H. FeilerCharles B. WeinstockJohn B. Goodenough
The case study shows that by combining an analytical approach with confidence maps, we can present a structured argument that system requirements have been met and problems in the design have been addressed adequately.
Download -
Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets
March 2015 Technical Report
Jonathan BurketLori FlynnWill Klieber
In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.
Download -
Eliminative Argumentation: A Basis for Arguing Confidence in System Properties
February 2015 Technical Report
John B. GoodenoughCharles B. WeinstockAri Z. Klein
This report defines the concept of eliminative argumentation and provides a basis for assessing how much confidence one should have in an assurance case argument.
Download -
A Proven Method for Meeting Export Control Objectives in Postal and Shipping Sectors
February 2015 Technical Note
Greg Crabb (United States Postal Service)Julia H. AllenPamela D. Curtis
This report describes how the CERT-RMM enabled the USPIS to implement an innovative approach for achieving complex international mail export control objectives.
Download -
Measuring What Matters Workshop Report
February 2015 Technical Note
Katie C. StewartJulia H. AllenMichelle A. Valdez
This report describes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.
Download -
A Dynamic Model of Sustainment Investment
February 2015 Technical Report
Sarah SheardRobert FergusonAndrew P. Moore
This paper describes a dynamic sustainment model that shows how budgeting, allocation of resources, mission performance, and strategic planning are interrelated and how they affect each other over time.
Download -
Cybersecurity Assurance
January 2015 White Paper
This paper describes the SEI research and solutions that help organizations gain justified confidence in their cybersecurity posture.
Download -
Blacklist Ecosystem Analysis Update: 2014
January 2015 White Paper
Leigh B. MetcalfJonathan Spring
This white paper compares the contents of 85 different Internet blacklists to discover patterns in shared entries.
Download -
Predicting Software Assurance Using Quality and Reliability Measures
December 2014 Technical Note
Carol WoodyRobert J. EllisonWilliam Nichols
In this report, the authors discuss how a combination of software development and quality techniques can improve software security.
Download -
Regional Use of Social Networking Tools
December 2014 Technical Report
Kate Meeuf
This paper explores the regional use of social networking services (SNSs) to determine if participation with a subset of SNSs can be applied to identify a user's country of origin.
Download -
Domain Parking: Not as Malicious as Expected
December 2014 White Paper
Leigh B. MetcalfJonathan Spring
In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be indicative of malicious behavior.
Download -
Pattern-Based Design of Insider Threat Programs
December 2014 Technical Note
Andrew P. MooreMatthew L. CollinsDave Mundie
In this report, the authors describe a pattern-based approach to designing insider threat programs that could provide a better defense against insider threats.
Download -
Introduction to the Security Engineering Risk Analysis (SERA) Framework
December 2014 Technical Note
Christopher J. AlbertsCarol WoodyAudrey J. Dorofee
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
Download -
Using Malware Analysis to Tailor SQUARE for Mobile Platforms
November 2014 Technical Note
Gregory Paul AliceNancy R. Mead
This technical note explores the development of security requirements for the K-9 Mail application, an open source email client for the Android operating system.
Download -
A Method for Aligning Acquisition Strategies and Software Architectures
October 2014 Technical Note
Lisa BrownswordCecilia AlbertDavid J. Carney
This report describes the third year of the SEI's research into aligning acquisition strategies and software architecture.
Download -
Agile Methods in Air Force Sustainment: Status and Outlook
October 2014 Technical Note
Colleen ReganMary Ann LaphamEileen Wrubel
This paper examines using Agile techniques in the software sustainment arena—specifically Air Force programs. The intended audience is the staff of DoD programs and related personnel who intend to use Agile methods during software sustainment.
Download -
Development of an Intellectual Property Strategy: Research Notes to Support Department of Defense Programs
October 2014 Special Report
Charlene Gross
This report is intended to help program managers understand categories of intellectual property, various intellectual property challenges, and approaches to assessing the license rights that the program needs for long-term execution and sustainment.
Download -
AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment
October 2014 Technical Report
Julien DelangePeter H. FeilerDavid P. Gluch
This report describes how the Architecture Analysis and Design Language (AADL) Error Model Annex supports the safety-assessment methods in SAE Standard ARP4761.
Download -
CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0)
September 2014 Technical Note
Julia H. AllenGreg Crabb (United States Postal Service)Pamela D. Curtis
This report describes a new process area that ensures that international mail is transported according to Universal Postal Union standards.
Download -
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0)
September 2014 Technical Note
Julia H. AllenGreg Crabb (United States Postal Service)Pamela D. Curtis
This report describes a new process area that ensures that the USPS is compensated for mail that is accepted, transported, and delivered.
Download -
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0)
September 2014 Technical Note
Julia H. AllenGreg Crabb (United States Postal Service)Pamela D. Curtis
This report describes a new process area that ensures that mail is inducted into the U.S. domestic mail stream according to USPS standards and requirements.
Download -
Smart Collection and Storage Method for Network Traffic Data
September 2014 Technical Report
Angela HornemanNathan Dell
This report discusses considerations and decisions to be made when designing a tiered network data storage solution.
Download -
A Systematic Approach for Assessing Workforce Readiness
August 2014 Technical Report
Christopher J. AlbertsDavid McIntire
In this report, the authors present the Competency Lifecycle Roadmap and the readiness test development method, both used to maintain workforce readiness.
Download -
Assuring Software Reliability
August 2014 Special Report
Robert J. Ellison
This report describes ways to incorporate the analysis of the potential impact of software failures--regardless of their cause--into development and acquisition practices through the use of software assurance.
Download -
Patterns and Practices for Future Architectures
August 2014 Technical Note
Eric WernerScott McMillanJonathan Chu
This report discusses best practices and patterns that will make high-performance graph analytics on new and emerging architectures more accessible to users.
Download -
Abuse of Customer Premise Equipment and Recommended Actions
August 2014 White Paper
Paul VixieChris HallenbeckJonathan Spring
In this paper, the authors provide recommendations for addressing problems related to poor management of Consumer Premise Equipment (CPE).
Download -
Performance of Compiler-Assisted Memory Safety Checking
July 2014 Technical Note
David KeatonRobert C. Seacord
This technical note describes the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely available.
Download -
Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector
July 2014 Technical Note
CERT Insider Threat Team
This report analyzes unintentional insider threat cases of phishing and other social engineering attacks involving malware.
Download -
Evaluation of the Applicability of HTML5 for Mobile Applications in Resource-Constrained Edge Environments
July 2014 Technical Note
Bryan Yan (Carnegie Mellon University – Institute for Software Research)Grace Lewis
This technical note presents an analysis of the feasibility of using HTML5 for developing mobile applications, for "edge" environments where resources and connectivity are uncertain, such as in battlefield or natural disaster situations.
Download -
Agile Software Teams: How They Engage with Systems Engineering on DoD Acquisition Programs
July 2014 Technical Note
Eileen WrubelSuzanne MillerMary Ann Lapham
This technical note addresses issues with Agile software teams engaging systems engineering functions in developing and acquiring software-reliant systems.
Download -
Improving the Automated Detection and Analysis of Secure Coding Violations
June 2014 Technical Note
Daniel PlakoshRobert C. SeacordRobert W. Stoddard
This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.
Download -
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 2
June 2014 Technical Note
Kevin G. PartridgeMary PopeckLisa R. Young
This update to Version 1 of this same title (CMU/SEI-2011-TN-028) maps CERT-RMM process areas to certain NIST 800-series special publications.
Download -
The Business Case for Systems Engineering: Comparison of Defense Domain and Non-defense Projects
June 2014 Special Report
Joseph P. ElmDennis Goldenson
This report analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness.
Download -
Job Analysis Results for Malicious-Code Reverse Engineers: A Case Study
June 2014 Technical Report
Jennifer Cowley
This report describes individual and team factors that enable, encumber, or halt the development of malicious-code reverse engineering expertise.
Download -
An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)
May 2014 Technical Note
Christopher J. AlbertsAudrey J. DorofeeRobin Ruefle
The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.
Download -
A Taxonomy of Operational Cyber Security Risks Version 2
May 2014 Technical Note
James J. CebulaMary PopeckLisa R. Young
This second version of the 2010 report presents a taxonomy of operational cyber security risks and harmonizes it with other risk and security activities.
Download -
An Evaluation of A-SQUARE for COTS Acquisition
May 2014 Technical Note
Sidhartha ManiNancy R. Mead
An evaluation of the effectiveness of Software Quality Requirements Engineering for Acquisition (A-SQUARE) in a project to select a COTS product for the advanced metering infrastructure of a smart grid.
Download -
Investigating Advanced Persistent Threat 1 (APT1)
May 2014 Technical Report
Deana ShickAngela Horneman
This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure.
Download -
Precise Static Analysis of Taint Flow for Android Application Sets
May 2014 White Paper
Amar S. Bhosale (No Affiliation)
This thesis describes a static taint analysis for Android that combines the FlowDroid and Epicc analyses to track inter- and intra-component data flow.
Download -
Data-Driven Software Assurance: A Research Study
May 2014 Technical Report
Michael D. KonradArt ManionAndrew P. Moore
In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.
Download -
ALTernatives to Signatures (ALTS)
April 2014 White Paper
George JonesJohn Stogoski
This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.
Download -
Potential Use of Agile Methods in Selected DoD Acquisitions: Requirements Development and Management
April 2014 Technical Note
Kenneth NidifferSuzanne MillerDavid J. Carney
This report explores issues that practitioners in the field who are actively adopting Agile methods have identified in our interviews about their experience in defining and managing requirements.
Download -
The Readiness & Fit Analysis: Is Your Organization Ready for Agile?
April 2014 White Paper
Suzanne Miller
This paper summarizes the Readiness & Fit Analysis and describes its extension to support risk identification for organizations that are adopting agile methods.
Download -
International Implementation of Best Practices for Mitigating Insider Threat: Analyses for India and Germany
April 2014 Technical Report
Lori FlynnCarly L. HuthPalma Buttles-Valdez
This report analyzes insider threat mitigation in India and Germany, using the new framework for international cybersecurity analysis described in the paper titled “Best Practices Against Insider Threats in All Nations.”
Download -
Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
March 2014 Special Report
The WEA Project Team
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.
Download -
Maximizing Trust in the Wireless Emergency Alerts (WEA) Service
February 2014 Special Report
Carol WoodyRobert J. Ellison
This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert originators' and the public's trust in WEA.
Download -
Wireless Emergency Alerts: Trust Model Simulations
February 2014 Special Report
Timothy MorrowRobert W. StoddardJoseph P. Elm
This report presents four types of simulations run on the public trust model and the alert originator trust model developed for the Wireless Emergency Alerts (WEA) service, focusing on how to increase both alert originators' and the public's trust in WEA.
Download -
Wireless Emergency Alerts: Trust Model Technical Report
February 2014 Special Report
Robert W. StoddardJoseph P. ElmJames McCurley
This report describes a trust model to enable the Federal Emergency Management Agency to maximize the effectiveness of the Wireless Emergency Alerts (WEA) service and provides guidance for alert originators in using WEA to maximize public safety.
Download -
Commercial Mobile Alert Service (CMAS) Scenarios
February 2014 Special Report
The WEA Project Team
This report provides operational and development mission threads to help emergency alert originators analyze scenarios that will aid them in adopting and integrating the Commercial Mobile Alert Service (CMAS) into their emergency management systems.
Download -
Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy
February 2014 Technical Report
The WEA Project Team
This report presents the Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy, a hierarchical classification that encompasses four elements of the alerting pipeline, to help stakeholders understand and reason about required CMAS operations.
Download -
Wireless Emergency Alerts: New York City Demonstration
February 2014 Special Report
Elizabeth Trocki Stark (SRA International, Inc.)Jennifer Lavan (SRA International, Inc.)Tamara Marshall-Keim
This report describes the adoption of the Wireless Emergency Alerts (WEA) service by the New York City Office of Emergency Management. As the first alert originator to adopt WEA, its experiences provide lessons learned for other emergency managers.
Download -
Best Practices in Wireless Emergency Alerts
February 2014 Special Report
John McGregorJoseph P. ElmElizabeth Trocki Stark (SRA International, Inc.)
This report presents four best practices for the Wireless Emergency Alerts (WEA) service, including implementing WEA in a local jurisdiction, training emergency staff in using WEA, cross-jurisdictional governance of WEA, and cybersecurity risk management.
Download -
Study of Integration Strategy Considerations for Wireless Emergency Alerts
February 2014 Special Report
The WEA Project Team
This report identifies key challenges and offers recommendations for alert originators navigating the process of adopting and integrating the Wireless Emergency Alerts (WEA) service into their emergency management systems.
Download -
Results in Relating Quality Attributes to Acquisition Strategies
February 2014 Technical Note
Lisa BrownswordCecilia AlbertDavid J. Carney
This technical note describes the second phase of a study that focuses on the relationships between software architecture and acquisition strategy -- more specifically, their alignment or misalignment.
Download -
Agile Metrics: Progress Monitoring of Agile Contractors
January 2014 Technical Note
Will HayesSuzanne MillerMary Ann Lapham
This technical note offers a reference for those working to oversee software development on the acquisition of major systems from developers using Agile methods.
Download -
Agile Methods and Request for Change (RFC): Observations from DoD Acquisition Programs
January 2014 Technical Note
Mary Ann LaphamMichael S. BandorEileen Wrubel
This technical note looks at the evaluation and negotiation of technical proposals that reflect iterative development approaches that in turn leverage Agile methods.
Download -
Unintentional Insider Threats: Social Engineering
January 2014 Technical Note
CERT Insider Threat Center
In this report, the authors explore the unintentional insider threat (UIT) that derives from social engineering.
Download -
Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using the CERT® Resilience Management Model
January 2014 Technical Note
Greg Crabb (United States Postal Service)Julia H. AllenNader Mehravari
In this report, the authors describe how to improve the resilience of U.S. Postal Service products and services
Download -
A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure
January 2014 Technical Note
Greg Crabb (United States Postal Service)Julia H. AllenPamela D. Curtis
In this report, the authors describe a method of identifying physical security gaps in international mail processing centers and similar facilities.
Download -
Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase II, Expanded Analysis and Recommendations
January 2014 Technical Note
Lori FlynnGreg Porter (Heinz College at Carnegie Mellon University)Chas DiFatta (No Affiliation)
In this report, the authors discuss the countermeasures that cloud service providers use and how they understand the risks posed by insiders.
Download -
TSP Symposium 2013 Proceedings
January 2014 Special Report
Sergio Cardona (Universidad del Quindío)Silvana Moreno (Universidad de la República)William Nichols
This special report contains proceedings of the 2013 TSP Symposium. The conference theme was “When Software Really Matters,” which explored the idea that when product quality is critical, high-quality practices are the best way to achieve it.
Download -
Understanding Patterns for System-of-Systems Integration
December 2013 Technical Report
Rick KazmanClaus Nielsen (No Affiliation)Klaus Schmid
This report discusses how a software architect can address the system-of-systems integration challenge from an architectural perspective.
Download -
Foundations for Software Assurance
December 2013 White Paper
Carol WoodyNancy R. MeadDan Shoemaker (University of Detroit Mercy)
In this paper, the authors highlight efforts to address the principles of software assurance and its educational curriculum.
Download -
The Topological Properties of the Local Clustering Coefficient
December 2013 White Paper
Leigh B. Metcalf
In this paper, Leigh Metcalf examines the local clustering coefficient for and provides a new formula to generate the local clustering coefficient.
Download -
Using Software Development Tools and Practices in Acquisition
December 2013 Technical Note
Harry L. LevinsonRichard Librizzi
This technical note provides an introduction to key automation and analysis techniques.
Download -
Spotlight On: Programmers as Malicious Insiders–Updated and Revised
December 2013 White Paper
Matthew L. CollinsDawn CappelliThomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University)
In this paper, the authors describe the who, what, when, where, and how of attacks by insiders using programming techniques and includes case examples.
Download -
Software Assurance Measurement – State of the Practice
November 2013 Technical Note
Dan Shoemaker (University of Detroit Mercy)Nancy R. Mead
In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.
Download -
A Defect Prioritization Method Based on the Risk Priority Number
November 2013 White Paper
Julie B. CohenRobert FergusonWill Hayes
This paper describes a technique that helps organizations address and resolve conflicting views and create a better value system for defining releases.
Download -
Agile Security - Review of Current Research and Pilot Usage
November 2013 White Paper
Carol Woody
This white paper was produced to focus attention on the opportunities and challenges for embedding information assurance considerations into Agile development and acquisition.
Download -
Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase I
November 2013 Technical Note
Greg Porter (Heinz College at Carnegie Mellon University)
In this report, Greg Porter documents preliminary findings from interviews with cloud service providers on their insider threat controls.
Download -
Mobile SCALe: Rules and Analysis for Secure Java and Android Coding
November 2013 Technical Report
Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering)Lori FlynnLimin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering)
In this report, the authors describe Android secure coding rules, guidelines, and static analysis developed as part of the Mobile SCALe project.
Download -
Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale
November 2013 Technical Note
Matthew J. ButkovicRichard A. Caralli
In this report, the authors review the specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed.
Download -
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication 800-66 Crosswalk
October 2013 Technical Note
Lisa R. YoungMa-Nyahn Kromah (SunGard Availability Services)
In this report, the authors map CERT-RMM process areas to key activities in NIST Special Publication 800-66 Revision 1.
Download -
Passive Detection of Misbehaving Name Servers
October 2013 Technical Report
Leigh B. MetcalfJonathan Spring
In this report, the authors explore name-server flux and two types of data that can reveal it.
Download -
Insider Threat Control: Using Plagiarism Detection Algorithms to Prevent Data Exfiltration in Near Real Time
October 2013 Technical Note
Todd LewellenGeorge SilowashDaniel L. Costa
In this report, the authors describe how an insider threat control can monitor an organization's web request traffic for text-based data exfiltration.
Download -
Introduction to the Mission Thread Workshop
October 2013 Technical Report
Michael J. GagliardiWilliam G. WoodTimothy Morrow
This report introduces the Mission Thread Workshop, a method for understanding architectural and engineering considerations for developing and sustaining systems of systems. It describes the three phases of the workshop and explains the steps of each.
Download -
Parallel Worlds: Agile and Waterfall Differences and Similarities
October 2013 Technical Note
Steve PalmquistMary Ann LaphamSuzanne Garcia-Miller
This report helps readers understand Agile. The report assembles terms and concepts from both the traditional world of waterfall-based development and the Agile environment to show the many similarities and differences.
Download -
Everything You Wanted to Know About Blacklists But Were Afraid to Ask
September 2013 White Paper
Leigh B. MetcalfJonathan Spring
This document compares the contents of 25 different common public-internet blacklists in order to discover any patterns in the shared entries.
Download -
Roadmap to Software Assurance Competency
September 2013 White Paper
This white paper describes the Software Assurance (SwA) Core Body of Knowledge and SwA competency levels.
Download -
Team Software Process (TSP) Coach Mentoring Program Guidebook, Version 2.0
September 2013 Special Report
Timothy A. ChickJim McHaleWilliam Nichols
This guidebook explains the mentoring process required to become an SEI-Certified Team Software Process (TSP) Associate Coach, SEI-Certified TSP Coach, or SEI-Certified TSP Mentor Coach.
Download -
TSP Performance and Capability Evaluation (PACE): Customer Guide
September 2013 Special Report
William NicholsMark KasunicTimothy A. Chick
This guide describes the evaluation process and lists the steps organizations and programs must complete to earn a TSP-PACE certification.
Download -
TSP Performance and Capability Evaluation (PACE): Team Preparedness Guide
September 2013 Special Report
William NicholsMark KasunicTimothy A. Chick
This document describes the TSP team data that teams normally produce and that are required as input to the TSP-PACE process.
Download -
Best Practices Against Insider Threats in All Nations
August 2013 Technical Note
Lori FlynnCarly L. HuthRandall F. Trzeciak
In this report, the authors summarize best practices for mitigating insider threats in international contexts.
Download -
The Role of Computer Security Incident Response Teams in the Software Development Life Cycle
August 2013 White Paper
Robin Ruefle
In this paper, Robin Ruefle describes how an incident management can provide input to the software development process.
Download -
State of Cyber Workforce Development
August 2013 White Paper
Marie Baker
This paper summarizes the current posture of the cyber workforce and several initiatives designed to strengthen, grow, and retain cybersecurity professionals.
Download -
Training and Awareness
August 2013 White Paper
Carol A. SledgeKen Van Wyk (No Affiliation)
In this paper, the authors provide guidance on training and awareness opportunities in the field of software security.
Download -
Evidence of Assurance: Laying the Foundation for a Credible Security Case
August 2013 White Paper
Charles B. WeinstockHoward F. Lipson
In this paper, the authors provide examples of several of the kinds of evidence that can contribute to a security case.
Download -
Security and Project Management
August 2013 White Paper
Robert J. Ellison
In this paper, Robert Ellison explains what project managers should consider because they relate to security needs.
Download -
An Evaluation of Cost-Benefit Using Security Requirements Prioritization Methods
August 2013 White Paper
Nancy R. MeadTravis Christian
In this paper, the authors provide background information on penetration testing processes and practices.
Download -
Unintentional Insider Threats: A Foundational Study
August 2013 Technical Note
CERT Insider Threat Team
In this report, the CERT Insider Threat team examines unintentional insider threat (UIT), a largely unrecognized problem.
Download -
Teaching Security Requirements Engineering Using SQUARE
July 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)Jeff Ingalsbe (University of Detroit Mercy)Nancy R. Mead
In this paper, the authors detail the validation of a teaching model for security requirements engineering that ensures that security is built into software.
Download -
Trustworthy Composition: The System Is Not Always the Sum of Its Parts
July 2013 White Paper
Robert J. Ellison
In this paper, Robert Ellison surveys several profound technical problems faced by practitioners assembling and integrating secure and survivable systems.
Download -
Development of a Master of Software Assurance Reference Curriculum - 2013 IJSSE
July 2013 White Paper
Andrew J. Kornecki (Embry-Riddle Aeronautical University)James McDonald (Monmouth University)Julia H. Allen
In this paper, the authors present an overview of the Master of Software Assurance curriculum, including its history, student prerequisites, and outcomes
Download -
Strengthening Ties Between Process and Security
July 2013 White Paper
Carol Woody
In this paper, Carol Woody summarizes recent key accomplishments, including harmonizing security practices with CMMI and using assurance cases.
Download -
Estimating Benefits from Investing in Secure Software Development
July 2013 White Paper
Ashish AroraRahul TelangSteven Frank
In this paper, the authors discuss the costs and benefits of incorporating security in software development and presents formulas for calculating security costs and security benefits.
Download -
What Measures Do Vendors Use for Software Assurance?
July 2013 White Paper
Jeremy Epstein
In this paper, Jeremy Epstein examines what real vendors do to ensure that their products are reasonably secure.
Download -
The Development of a Graduate Curriculum for Software Assurance
July 2013 White Paper
Mark A. Ardis (Stevens Institute of Technology)Nancy R. Mead
In this paper, the authors describe the work of the Master of Software Assurance curriculum project, including sources, process, products, and more.
Download -
Secure Software Development Life Cycle Processes
July 2013 White Paper
Noopur Davis
In this paper, Noopur Davis presents information about processes, standards, and more that support or could support secure software development.
Download -
Applicability of Cultural Markers in Computer Network Attack Attribution
July 2013 White Paper
Char Sample
In this 2013 white paper, Char Sample discusses whether cultural influences leave traces in computer network attack (CAN) choices and behaviors.
Download -
Improving Software Assurance
July 2013 White Paper
Carol WoodyRobert J. Ellison
In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.
Download -
Scale: System Development Challenges
July 2013 White Paper
Carol WoodyRobert J. Ellison
In this paper, the authors describe software assurance challenges inherent in networked systems development and propose a solution.
Download -
Requirements Prioritization Case Study Using AHP
July 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead describes a tradeoff analysis that can select a suitable requirements prioritization method and the results of trying one method.
Download -
Arguing Security - Creating Security Assurance Cases
July 2013 White Paper
Charles B. WeinstockHoward F. LipsonJohn B. Goodenough
In this paper, the authors explain an approach to documenting an assurance case for system security.
Download -
SQUARE Process
July 2013 White Paper
In this paper, Nancy Mead describes the SQUARE process as a means for eliciting, categorizing, and prioritizing security requirements for IT systems.
Download -
Requirements Elicitation Case Studies Using IBIS, JAD, and ARM
July 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead describes a tradeoff analysis that can be used to select a suitable requirements elicitation method.
Download -
The Common Criteria
July 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead discusses how Common Criteria is evaluated, it also presents a standard that is related to developing security requirements.
Download -
Measures and Measurement for Secure Software Development
July 2013 White Paper
Carol DekkersDavid ZubrowJames McCurley
In this paper, the authors discuss how measurement can be applied improve the security characteristics of the software being developed.
Download -
Predictive Models for Identifying Software Components Prone to Failure During Security Attacks
July 2013 White Paper
Laurie Williams
In this paper, the authors describes how the presence of security faults correlates strongly with the presence of a more general category of reliability faults.
Download -
Measuring the Software Security Requirements Engineering Process
July 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead describes a measurement approach to security requirements engineering to analyze projects that were developed with and without SQUARE.
Download -
System-of-Systems Influences on Acquisition Strategy Development
July 2013 White Paper
Rita C. CreelRobert J. Ellison
In this paper, the authors discuss significant new sources of risk and recommend ways to address them.
Download -
Risk-Centered Practices
July 2013 White Paper
Julia H. Allen
In this paper, Julia Allen discusses the role that risk management and risk assessment play in choosing which security practices to implement.
Download -
Supply-Chain Risk Management: Incorporating Security into Software Development
July 2013 White Paper
Carol WoodyRobert J. Ellison
In this paper, the authors describe practices that address defects and mechanisms for introducing these practices into the acquisition lifecycle.
Download -
Prioritizing IT Controls for Effective, Measurable Security
July 2013 White Paper
Daniel PhelpsGene Kim (IP Services and ITPI)Kurt Milne
In this paper, the authors summarize results from the IT Controls Performance Study conducted by the IT Process Institute.
Download -
Building Security into the Business Acquisition Process
July 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)
In this paper, Dan Shoemaker presents the standard process for acquiring software products and services in business.
Download -
Navigating the Security Practice Landscape
July 2013 White Paper
Julia H. Allen
In this paper, Julia Allen presents a summary of ten leading sources of security practice definition and implementation guidance.
Download -
Assuring Software Systems Security: Life Cycle Considerations for Government Acquisitions
July 2013 White Paper
Rita C. Creel
In this paper, Rita Creel identifies acquirer activities and resources necessary to support contractor efforts to build secure software-intensive systems.
Download -
Plan, Do, Check, Act
July 2013 White Paper
Julia H. Allen
In this paper, Ken van Wyk provides a primer on the most commonly used tools for traditional penetration testing.
Download -
Finding a Vendor You Can Trust in the Global Marketplace
July 2013 White Paper
Art ConklinDan Shoemaker (University of Detroit Mercy)
In this paper, the authors introduce the concept of standardized third-party certification of supplier process capability.
Download -
Results of SEI Line-Funded Exploratory New Starts Projects: FY 2012
July 2013 Technical Report
Bjorn AnderssonLori FlynnDavid P. Gluch
This report describes line-funded exploratory new starts (LENS) projects that were conducted during fiscal year 2012 (October 2011 through September 2012).
Download -
Insider Threat Attributes and Mitigation Strategies
July 2013 Technical Note
George Silowash
In this report, George Silowash maps common attributes of insider threat cases to characteristics important for detecting, preventing, or mitigating the threat.
Download -
Pointer Ownership Model
June 2013 White Paper
David Svoboda
In this paper, David Svoboda describes the Pointer Ownership Model, which can statically identify classes of errors involving dynamic memory in C/C++ programs.
Download -
Common Software Platforms in System-of-Systems Architectures: The State of the Practice
June 2013 White Paper
John KleinSholom G. CohenRick Kazman
System-of-systems (SoS) architectures based on common software platforms have been commercially successful, but progress on creating and adopting them has been slow. This study aimed to understand technical issues for their development and adoption.
Download -
Software Assurance for Executives: Mapping of Common Topics to Specific Materials
June 2013 White Paper
In this paper, the authors present common topics, course materials, and resources related to the Software Assurance for Executives course held in June 2013.
Download -
Software Assurance for Executives
June 2013 White Paper
This legal form was used in the Software Assurance for Executives course that was held in June 2013.
Download -
Isolating Patterns of Failure in Department of Defense Acquisition
June 2013 Technical Note
Lisa BrownswordCecilia AlbertDavid J. Carney
This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals.
Download -
Socio-Adaptive Systems Challenge Problems Workshop Report
June 2013 Special Report
Scott HissamMark H. KleinTimothy Morrow
This report presents a summary of the findings of the Socio-Adaptive Systems Challenge Problem Workshop, held in Pittsburgh, PA, on April 12-13, 2012.
Download -
Strengths in Security Solutions
May 2013 White Paper
Arjuna Shunn (Microsoft)Carol WoodyRobert C. Seacord
In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.
Download -
Integrating Software Assurance Knowledge into Conventional Curricula
May 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)Jeff Ingalsbe (University of Detroit Mercy)Nancy R. Mead
In this paper, the authors discuss the results of comparing the Common Body of Knowledge for Secure Software Assurance with traditional computing disciplines.
Download -
Maturity of Practice
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen identifies indicators that organizations are addressing security as a governance and management concern, at the enterprise level.
Download -
Integrating Security and IT
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen describes the key relationship between IT processes and security controls.
Download -
Individual Certification of Security Proficiency for Software Professionals: Where Are We? Where Are We Going?
May 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)
In this paper, Dan Shoemaker describes existing professional certifications in information assurance and emerging certifications for secure software assurance.
Download -
How Much Security Is Enough?
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen provides guidelines for answering this question, including means for determining adequate security based on risk.
Download -
Models for Assessing the Cost and Value of Software Assurance
May 2013 White Paper
Antonio DrommiDan Shoemaker (University of Detroit Mercy)Jeff Ingalsbe (University of Detroit Mercy)
In this paper, the authors present IT valuation models that represent the most commonly accepted approaches to the valuation of IT and IT processes.
Download -
Adapting Penetration Testing for Software Development Purposes
May 2013 White Paper
Ken Van Wyk (No Affiliation)
In this paper, Ken van Wyk provides background information on penetration testing processes and practices.
Download -
Requirements Engineering Annotated Bibliography
May 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead provides a bibliography of sources related to requirements engineering.
Download -
Defining the Discipline of Secure Software Assurance: Initial Findings from the National Software Assurance Repository
May 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)Jeff Ingalsbe (University of Detroit Mercy)Nancy R. Mead
In this paper, the authors characterize the current state of secure software assurance work and suggest future directions.
Download -
Making the Business Case for Software Assurance
May 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead provides an overview of the Business Case content area.
Download -
Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations (2013)
May 2013 Technical Note
Matthew L. CollinsDerrick SpoonerDawn Cappelli
In this report, the authors provide a snapshot of individuals involved in insider threat cases and recommends how to mitigate the risk of similar incidents.
Download -
The Software Assurance Competency Model: A Roadmap to Enhance Individual Professional Capability
May 2013 White Paper
Nancy R. MeadDan Shoemaker (University of Detroit Mercy)
In this paper, the authors describe a software assurance competency model that can be used by professionals to improve their software assurance skills.
Download -
Building a Body of Knowledge for ICT Supply Chain Risk Management
May 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)Nancy R. Mead
In this paper, the authors propose a set of Supply Chain Risk Management (SCRM) activities and practices for Information and Communication Technologies (ICT).
Download -
Modeling Tools References
May 2013 White Paper
Samuel T. Redwine
In this paper, Samuel Redwine provides references related to modeling tools.
Download -
Software Assurance Education Overview
May 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead discusses the growing demand for skilled professionals who can build security and correct functionality into software.
Download -
Governance and Management References
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen provides references related to governance and management.
Download -
Getting Secure Software Assurance Knowledge into Conventional Practice
May 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)Nancy R. Mead
In this paper, the authors describe three educational initiatives in support of software assurance education.
Download -
General Modeling Concepts
May 2013 White Paper
In this paper, Samuel Redwine introduces several concepts related to the Introduction to Modeling Tools for Software Security article and modeling in general.
Download -
A Systemic Approach for Assessing Software Supply-Chain Risk
May 2013 White Paper
Audrey J. DorofeeCarol WoodyChristopher J. Alberts
In this paper, the authors highlight the approach being implemented by SEI researchers for assessing and managing software supply-chain risks and provides a summary of the status of this work.
Download -
Framing Security as a Governance and Management Concern: Risks and Opportunities
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen describes six "assets" or requirements of being in business that can be compromised by insufficient security investment.
Download -
Assembly, Integration, and Evolution Overview
May 2013 White Paper
Howard F. Lipson
In this paper, Howard Lipson describes the objective of the Assembly, Integration & Evolution content area.
Download -
A Common Sense Way to Make the Business Case for Software Assurance
May 2013 White Paper
Antonio DrommiDan Shoemaker (University of Detroit Mercy)Jeff Ingalsbe (University of Detroit Mercy)
In this article, the authors demonstrate how a true cost/benefit for secure software can be derived.
Download -
Deployment and Operations References
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen provides a list of references related to deployment and operations.
Download -
Deploying and Operating Secure Systems
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen provides a brief overview of deployment and operations security issues and advice for using related practices.
Download -
Two Nationally Sponsored Initiatives for Disseminating Assurance Knowledge
May 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)Nancy R. Mead
In this paper, the authors describe two efforts that support national cybersecurity education goals.
Download -
Foundations for Software Assurance
May 2013 White Paper
Carol WoodyDan Shoemaker (University of Detroit Mercy)Nancy R. Mead
In this paper, the authors highlight efforts underway to address our society's growing dependence on software and the need for effective software assurance.
Download -
Assurance Cases Overview
May 2013 White Paper
Howard F. Lipson
In this paper, Howard Lipson introduces the concepts and benefits of developing and maintaining assurance cases for security.
Download -
It’s a Nice Idea but How Do We Get Anyone to Practice It? A Staged Model for Increasing Organizational Capability in Software Assurance
May 2013 White Paper
Dan Shoemaker (University of Detroit Mercy)
In this paper, Dan Shoemaker presents a standard approach to increasing the security capability of a typical IT function.
Download -
Software Security Engineering: A Guide for Project Managers (white paper)
May 2013 White Paper
Gary McGrawJulia H. AllenNancy R. Mead
In this guide, the authors discuss our reliance on software and systems that use the internet or internet-exposed private networks.
Download -
Requirements Elicitation Introduction
May 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead discusses elicitation methods and the kind of tradeoff analysis that can be done to select a suitable one.
Download -
Requirements Prioritization Introduction
May 2013 White Paper
Nancy R. Mead
In this paper, Nancy Mead discusses using a systematic prioritization approach to prioritize security requirements.
Download -
Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets
May 2013 White Paper
Eric HoughHassan OsmanJonathan Caulkins
In this paper, the authors introduce a novel method of optimizing using integer programming (IP).
Download -
Security Is Not Just a Technical Issue
May 2013 White Paper
Julia H. Allen
In this paper, Julia Allen defines the scope of governance concern as they apply to security.
Download -
PSP-VDC: An Adaptation of the PSP that Incorporates Verified Design by Contract
May 2013 Technical Report
Silvana Moreno (Universidad de la República)Álvaro Tasistro (Universidad ORT Uruguay)Diego Vallespir (Universidad de la República)
This paper describes a proposal for integrating Verified Design by Contract into PSP in order to reduce the amount of defects present at the Unit Testing phase, while preserving or improving productivity.
Download -
How You Can Help Your Utility Clients with a Critical Aspect of Smart Grid Transformation They Might be Overlooking
May 2013 White Paper
The SGMM Communications Team
This paper discusses how you can use the Smart Grid Maturity Model (SGMM) to benefit your utility clients.
Download -
Five Smart Grid Questions Every Utility Executive Should Ask
May 2013 White Paper
The SGMM Communications Team
This paper recommends the Smart Grid Maturity Model (SGMM), a tool utilities can use to plan and measure smart grid progress.
Download -
Application Virtualization as a Strategy for Cyber Foraging in Resource-Constrained Environments
May 2013 Technical Note
Dominik MessingerGrace Lewis
This technical note explores application virtualization as a more lightweight alternative to VM synthesis for cloudlet provisioning.
Download -
The Perils of Treating Software as a Specialty Engineering Discipline
April 2013 White Paper
Keith KorzecTom Merendino
This paper reviews the perils of insufficiently engaging key software domain experts during program development.
Download -
Four Pillars for Improving the Quality of Safety-Critical Software-Reliant Systems
April 2013 White Paper
Peter H. FeilerJohn B. GoodenoughArie Gurfinkel
This white paper presents an improvement strategy comprising four pillars of an integrate-then-build practice that lead to improved quality through early defect discovery and incremental end-to-end validation and verification.
Download -
MERIT Interactive Insider Threat Training Simulator
April 2013 White Paper
In this paper, the authors describe how state-of-the-art multi-media technologies were used to develop the MERIT InterActive training simulator.
Download -
Software Assurance Competency Model
March 2013 Technical Note
Thomas B. Hilburn (Embry-Riddle Aeronautical University)Mark A. Ardis (Stevens Institute of Technology)Glenn Johnson ((ISC)2)
In this report, the authors describe a model that helps create a foundation for assessing and advancing the capability of software assurance professionals.
Download -
Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection
March 2013 Technical Note
George SilowashTodd LewellenJoshua W. Burns
In this report, the authors present methods for detecting and preventing data exfiltration using a Linux-based proxy server in a Microsoft Windows environment.
Download -
Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
March 2013 Technical Note
Andrew P. MooreDavid McIntireDave Mundie
In this report, the authors justify applying the pattern “Increased Review for Intellectual Property (IP) Theft by Departing Insiders.”
Download -
Quantifying Uncertainty in Expert Judgment: Initial Results
March 2013 Technical Report
Dennis GoldensonRobert W. Stoddard
The work described in this report, part of a larger SEI research effort on Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), aims to develop and validate methods for calibrating expert judgment.
Download -
History of CERT-RMM
February 2013 White Paper
This paper explains the history of how the CERT-RMM came to be.
Download -
The MAL: A Malware Analysis Lexicon
February 2013 Technical Note
Dave MundieDavid McIntire
In this report, the authors present results of the Malware Analysis Lexicon (MAL) initiative, which developed the first common vocabulary for malware analysis.
Download -
Tunisia Case Study
January 2013 White Paper
This case study describes the experiences of the Tunisia CSIRT in getting its organization up and running.
Download -
Columbia CSIRT Case Study
January 2013 White Paper
This case study describes the experiences of the Columbia CSIRT in getting its organization up and running.
Download -
Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders
January 2013 Technical Note
George SilowashTodd Lewellen
In this report, the authors present methods for auditing USB device use in a Microsoft Windows environment.
Download -
Cyber Intelligence Tradecraft Project: Summary of Key Findings
January 2013 White Paper
Melissa LudwickJay McAllisterAndrew O. Mellinger
This study, known as the Cyber Intelligence Tradecraft Project (CITP), seeks to advance the capabilities of organizations performing cyber intelligence by elaborating on best practices and prototyping solutions to shared challenges.
Download -
Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources
January 2013 Technical Note
George SilowashChristopher King
In this report, the authors present methods for controlling removable media devices in a MS Windows environment.
Download -
SEI Product Line Bibliography
December 2012 White Paper
This bibliography lists SEI and non-SEI resources that have informed the SEI Product Lines efforts. Examples cover diverse domains and show the kind of improvements you can achieve using a product line approach.
Download -
A Framework for Software Product Line Practice, Version 5.0
December 2012 White Paper
Linda M. NorthropReed LittleJohn McGregor
This document describes the activities and practices in which an organization must be competent before it can benefit from fielding a product line of software systems.
Download -
Chronological Examination of Insider Threat Sabotage: Preliminary Observations
December 2012 White Paper
William R. ClaycombCarly L. HuthLori Flynn
In this paper, the authors examine 15 cases of insider threat sabotage of IT systems to identify points in the attack time-line.
Download -
The Business Case for Systems Engineering Study: Assessing Project Performance from Sparse Data
December 2012 Special Report
Joseph P. Elm
This report describes the data collection and analysis process used to support the assessment of project performance for the systems engineering (SE) effectiveness study.
Download -
Analyzing Cases of Resilience Success and Failure - A Research Study
December 2012 Technical Note
Julia H. AllenPamela D. CurtisAndrew P. Moore
In this report, the authors describe research aimed at helping organizations to know the business value of implementing resilience processes and practices.
Download -
Common Sense Guide to Mitigating Insider Threats, Fourth Edition
December 2012 Technical Report
George SilowashDawn CappelliAndrew P. Moore
In this report, the authors define insider threats and outline current insider threat patterns and trends.
Download -
Arabic Language Translation of CMMI for Services V1.3
November 2012 White Paper
CMMI Product Team
Arabic translation of CMMI-SVC V1.3
Download -
TSP Symposium 2012 Proceedings
November 2012 Special Report
William NicholsShigeru Kusakabe (Kyushu University)Yoichi Omori (Kyushu University)
The 2012 TSP Symposium was organized by the SoThe goal of the TSP Symposium is to bring together practitioners and academics who share a common passion to change the world of software engineering for the better through disciplined practice.
Download -
DoD Information Assurance and Agile: Challenges and Recommendations Gathered Through Interviews with Agile Program Managers and DoD Accreditation Reviewers
November 2012 Technical Note
Stephany BellomoCarol Woody
This paper discusses the natural tension between rapid fielding and response to change (characterized as agility) and DoD information assurance policy. Data for the paper was gathered through interviews with DoD project managers and IA representatives.
Download -
Reliability Improvement and Validation Framework
November 2012 Special Report
Peter H. FeilerJohn B. GoodenoughArie Gurfinkel
This report discusses the reliability validation and improvement framework developed by the SEI. The purpose of this framework is to provide a foundation for addressing the challenges of qualifying increasingly software-reliant, safety-critical systems.
Download -
The Business Case for Systems Engineering Study: Results of the Systems Engineering Effectiveness Survey
November 2012 Special Report
Joseph P. ElmDennis Goldenson
This report summarizes the results of a survey that had the goal of quantifying the connection between the application of systems engineering (SE) best practices to projects and programs and the performance of those projects and programs.
Download -
The Business Case for Systems Engineering Study: Detailed Response Data
November 2012 Special Report
Joseph P. ElmDennis Goldenson
This report contains response data from The Business Case for Systems Engineering Study: Results of the Systems Engineering Effectiveness Survey (CMU/SEI-2012-SR-009). Analysis revealed strong relationships between project performance and best practices.
Download -
Maturity Models 101: A Primer for Applying Maturity Models to Smart Grid Security, Resilience, and Interoperability
November 2012 White Paper
Richard A. CaralliMark Knight (CGI Group)Austin Montgomery
In this paper, the authors explain the history and evolution of and applications for maturity models.
Download -
Technical Debt: From Metaphor to Theory and Practice
November 2012 White Paper
Philippe KruchtenRobert NordIpek Ozkaya
This article discusses the technical debt metaphor and considers it beyond a "rhetorical concept." The article explores the role of decision making about developmental activities and future changes and the evolution that the software needs to undergo.
Download -
Architecture-Driven Semantic Analysis of Embedded Systems (Dagstuhl Seminar 12272)
October 2012 Special Report
Peter H. FeilerJerome Hugues (ISAE)
This report documents the program and outcomes of presentations and working groups from Dagstuhl Seminar 12272, "Architecture-Driven Semantic Analysis of Embedded Systems."
Download -
Spotlight On: Insider Threat from Trusted Business Partners Version 2: Updated and Revised
October 2012 White Paper
Todd LewellenAndrew P. MooreDawn Cappelli
In this article, the authors focus on cases in which the malicious insider was employed by a trusted business partner of the victim organization.
Download -
The Role of Standards in Cloud-Computing Interoperability
October 2012 Technical Note
Grace Lewis
This report explores the role of standards in cloud-computing interoperability. It covers cloud-computing basics and standard-related efforts, discusses several use cases, and provides recommendations for cloud-computing adoption.
Download -
Cloud Computing at the Tactical Edge
October 2012 Technical Note
Soumya SimantaGrace LewisEdwin J. Morris
This technical note presents a strategy to overcome the challenges of obtaining sufficient computation power to run applications needed for warfighting and disaster relief missions. It discusses the use of cloudlets-- localized, stateless servers running one or more virtual machines--on which soldiers can offload resource-intensive computations from their handheld mobile devices.
Download -
Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File
October 2012 Technical Note
Allen D. Householder
In this 2012 report, Allen Householder describes an algorithm for reverting bits from a fuzzed file to those found in the original seed file to recreate the crash.
Download -
Resource Allocation in Dynamic Environments
October 2012 Technical Report
Jeffrey HansenScott HissamB. Craig Meyers
When warfighting missions are conducted in a dynamic environment, the allocation of resources needed for mission operation can change from moment to moment. This report addresses two challenges of resource allocation in dynamic environments: overstatement of resource needs and unpredictable network availability.
Download -
Building an Incident Management Body of Knowledge
September 2012 White Paper
Dave MundieRobin Ruefle
In this paper, the authors describe the components of the CERT Incident Management Body of Knowledge (CIMBOK) and how they were constructed.
Download -
SEPG Europe 2012 Conference Proceedings
September 2012 Special Report
JoseMariaGarcia (Software Quality Assurance)Ana M. Moreno (Universidad Politecnica de Madrid)Radouane Oudrhiri (Systonomy)
This report compiles seven papers based on presentations given at SEPG Europe 2012.
Download -
Competency Lifecycle Roadmap: Toward Performance Readiness
September 2012 Technical Note
Sandra BehrensChristopher J. AlbertsRobin Ruefle
In this report, the authors describe the Competency Lifecycle Roadmap (CLR), a preliminary roadmap for understanding and building workforce readiness.
Download -
Communication Among Incident Responders – A Study
September 2012 Technical Note
Brett TjadenRobert Floodeen
In this report, the authors describe three factors for helping or hindering the cooperation of incident responders.
Download -
Toward a Theory of Assurance Case Confidence
September 2012 Technical Report
John B. GoodenoughCharles B. WeinstockAri Z. Klein
In this report, the authors present a framework for thinking about confidence in assurance case arguments.
Download -
Insider Fraud in Financial Services
August 2012 White Paper
In this brochure, the authors present the findings of a study that analyzed computer criminal activity in the financial services sector.
Download -
Probability-Based Parameter Selection for Black-Box Fuzz Testing
August 2012 Technical Note
Allen D. HouseholderJonathan M. Foote
In this report, the authors describe an algorithm for automating the selection of seed files and other parameters used in black-box fuzz testing.
Download -
Results of SEI Line-Funded Exploratory New Starts Projects
August 2012 Technical Report
Len BassRick KazmanEdwin J. Morris
This report describes the line-funded exploratory new starts (LENS) projects that were undertaken during fiscal year 2011. For each project, the report presents a brief description and a recounting of the research that was done, as well as a synopsis of the results of the project.
Download -
Network Profiling Using Flow
August 2012 Technical Report
Austin WhisnantSid Faber
In this report, the authors provide a step-by-step guide for profiling and discovering public-facing assets on a network using netflow data.
Download -
Insider Threats to Cloud Computing: Directions for New Research Challenges
July 2012 White Paper
William R. ClaycombAlex Nicoll
In this paper, the authors explain how cloud computing related insider threats are a serious concern, but that this threat has not been thoroughly explored.
Download -
Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector
July 2012 Special Report
Adam CummingsTodd LewellenDavid McIntire
In this report, the authors describe insights and risk indicators of malicious insider activity in the banking and finance sector.
Download -
Supporting the Use of CERT Secure Coding Standards in DoD Acquisitions
July 2012 Technical Note
Timothy MorrowRobert C. SeacordJohn K. Bergey
In this report, the authors provide guidance for helping DoD acquisition programs address software security in acquisitions.
Download -
The Evolution of a Science Project: A Preliminary System Dynamics Model of a Recurring Software-Reliant Acquisition Behavior
July 2012 Technical Report
William E. NovakAndrew P. MooreChristopher J. Alberts
This report uses a preliminary system dynamics model to analyze a specific adverse acquisition dynamic concerning the poorly controlled evolution of small prototype efforts into full-scale systems.
Download -
Introduction to System Strategies
June 2012 White Paper
Robert J. EllisonCarol Woody
In this paper, the authors discuss the effects of the changing operational environment on the development of secure systems.
Download -
Introduction to Modeling Tools for Software Security
June 2012 White Paper
Samuel T. Redwine
In this paper, Samuel Redwine introduces security concepts and tools useful for modeling security properties.
Download -
Security-Specific Bibliography
June 2012 White Paper
Carol DekkersJames McCurleyDavid Zubrow
In this paper, the authors provide a bibliography of sources related to security.
Download -
A Virtual Upgrade Validation Method for Software-Reliant Systems
June 2012 Technical Report
Dionisio de NizPeter H. FeilerDavid P. Gluch
This report presents the Virtual Upgrade Validation (VUV) method, an approach that uses architecture-centric, model-based analysis to identify system-level problems early in the upgrade process to complement established test qualification techniques.
Download -
Report from the First CERT-RMM Users Group Workshop Series
April 2012 Technical Note
Julia H. AllenLisa R. Young
In this report, the authors describe the first CERT RMM Users Group (RUG) Workshop Series and the experiences of participating members and CERT staff.
Download -
Source Code Analysis Laboratory (SCALe)
April 2012 Technical Note
Robert C. SeacordWill DormannJames McCurley
In this report, the authors describe the CERT Program's Source Code Analysis Laboratory (SCALe), a conformance test against secure coding standards.
Download -
Insider Threat Security Reference Architecture
April 2012 Technical Report
Joji MontelibanoAndrew P. Moore
In this report, the authors describe the Insider Threat Security Reference Architecture (ITSRA), an enterprise-wide solution to the insider threat.
Download -
A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders
April 2012 Technical Report
Andrew P. MooreMichael HanleyDave Mundie
In this report, the authors present techniques for helping organizations plan, prepare, and implement means to mitigate insider theft of intellectual property.
Download -
The Impact of Passive DNS Collection on End-User Privacy
March 2012 White Paper
Jonathan SpringCarly L. Huth
In this paper, the authors discuss whether pDNS allows reconstruction of an end user's DNS behavior and if DNS behavior is personally identifiable information.
Download -
Approaches for Edge-Enabled Tactical Systems
March 2012 White Paper
This booklet contains brief articles about using mobile devices in the areas of edge-enabled systems and cloud computing and a report on cloud offload in hostile environments.
Download -
Digital Investigation Workforce Development
March 2012 White Paper
Dennis M. Allen
In this paper, the authors describe an approach for deriving measures of software security from well-established and commonly used standard practices.
Download -
What’s New in V2 of the Architecture Analysis & Design Language Standard?
March 2012 Special Report
Peter H. FeilerJoe SeibelLutz Wrage
This report provides an overview of changes and improvements to the Architecture Analysis & Design Language (AADL) standard for describing both the software architecture and the execution platform architectures of performance-critical, embedded, real-time systems.
Download -
Principles of Trust for Embedded Systems
March 2012 Technical Note
David Fisher
In this report, David Fisher provides substance and explicit meaning to the terms trust and trustworthy as they relate to automated systems.
Download -
Deriving Software Security Measures from Information Security Standards of Practice
February 2012 White Paper
Christopher J. AlbertsJulia H. AllenRobert W. Stoddard
In this paper, the authors describe an approach for deriving measures of software security from common standard practices for information security.
Download -
Risk-Based Measurement and Analysis: Application to Software Security
February 2012 Technical Note
Christopher J. AlbertsJulia H. AllenRobert W. Stoddard
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.
Download -
Mission Risk Diagnostic (MRD) Method Description
February 2012 Technical Note
Christopher J. AlbertsAudrey J. Dorofee
In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.
Download -
Proceedings of the Smart Grid Maturity Model Leadership Workshop
January 2012 Special Report
In January 2012, leaders in the electric power industry collaborated with the SEI to build the future of the Smart Grid Maturity Model at the SGMM Leadership Workshop.
Download -
FloCon 2012 Proceedings
January 2012 Special Report
This report contains a collection of presentations given at FloCon in January 2012.
Download -
Modifying Lanchester's Equations for Modeling and Evaluating Malicious Domain Name Take-Down
January 2012 White Paper
Jonathan Spring
In this paper, Jonathan Spring models internet competition on large, decentralized networks using a modification of Lanchester's equations for combat.
Download -
Passive Detection of Misbehaving Name Servers
January 2012 White Paper
Leigh B. MetcalfJonathan Spring
In this paper, the authors demonstrate that there are name servers that exhibit IP address flux, a behavior that falls outside the prescribed parameters.
Download -
Discerning the Intent of Maturity Models from Characterizations of Security Posture
January 2012 White Paper
In this paper, Rich Caralli discusses how using maturity models and characterizing security posture are activities with different intents, outcomes, and uses.
Download -
Communication Among Incident Responders - A Study
January 2012 White Paper
Brett TjadenRobert Floodeen
In this paper, the authors describe preliminary results of a study of how effective nine autonomous incident response organizations are.
Download -
Best Practices for Artifact Versioning in Service-Oriented Systems
January 2012 Technical Note
Marc NovakouskiGrace LewisWilliam Anderson
This report describes some of the challenges of software versioning in an SOA environment and provides guidance on how to meet these challenges by following industry guidelines and recommended practices.
Download -
Interoperability in the e-Government Context
January 2012 Technical Note
Marc NovakouskiGrace Lewis
This report describes a proposed model through which to understand interoperability in the e-government context.
Download -
Spotlight On: Malicious Insiders and Organized Crime Activity
January 2012 Technical Note
Christopher King
In this report, Christopher King provides a snapshot of who malicious insiders are, what and how they strike, and why.
Download -
A Closer Look at 804: A Summary of Considerations for DoD Program Managers
December 2011 Special Report
Stephany Bellomo
The information in this report is intended to help program managers reason about actions they may need to take to adapt and comply with the Section 804 NDAA for 2010 and associated guidance.
Download -
Standards-Based Automated Remediation: A Remediation Manager Reference Implementation, 2011 Update
December 2011 Special Report
Sagar ChakiRita C. CreelJeff Davenport
In this report, the authors describe work to develop standards for automated remediation of vulnerabilities and compliance issues on DoD networked systems.
Download -
Using Defined Processes as a Context for Resilience Measures
December 2011 Technical Note
Julia H. AllenPamela D. CurtisLinda Parker Gates
In this report, the authors describe how implementation-level processes can provide context for identifying and defining measures of operational resilience.
Download -
Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE)
December 2011 Technical Report
Robert FergusonDennis GoldensonJames McCurley
The method of quantifying uncertainty described in this report synthesizes scenario building, Bayesian Belief Network (BBN) modeling and Monte Carlo simulation into an estimation method that quantifies uncertainties, allows subjective inputs, visually depicts influential relationships among program change drivers and outputs, and assists with the explicit description and documentation underlying an estimate.
Download -
An Investigation of Techniques for Detecting Data Anomalies in Earned Value Management Data
December 2011 Technical Report
Mark KasunicJames McCurleyDennis Goldenson
This research demonstrated the effectiveness of various statistical techniques for discovering quantitative data anomalies.
Download -
German language translation of CMMI for Development, V1.3
November 2011 White Paper
German language translation of CMMI for Development, V1.3
Download -
Japanese Language Translation of CMMI for Development, V1.3
November 2011 White Paper
Japanese Language Translation of CMMI for Development, V1.3
Download -
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 1
November 2011 Technical Note
Kevin G. PartridgeLisa R. Young
In this report, the authors map CERT-RMM process areas to selected NIST special publications in the 800 series.
Download -
Agile Methods: Selected DoD Management and Acquisition Concerns
October 2011 Technical Note
Mary Ann LaphamSuzanne Garcia-MillerLorraine Adams
This technical note addresses some of the key issues that either must be understood to ease the adoption of Agile or are seen as potential barriers to adoption of Agile in the DoD acquisition context.
Download -
An Acquisition Perspective on Product Evaluation
October 2011 Technical Note
Grady CampbellHarry L. LevinsonRichard Librizzi
This technical note focuses on software acquisition and development practices related to the evaluation of products before, during, and after implementation.
Download -
CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1
October 2011 Technical Note
Kevin G. PartridgeLisa R. Young
In this report, the authors explain how CERT-RMM process areas, industry standards, and codes of practice are used by organizations in an operational setting.
Download -
Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination
October 2011 Technical Note
Michael HanleyJoji Montelibano
In this report, the authors present an insider threat pattern on how organizations can combat insider theft of intellectual property.
Download -
CERT® Resilience Management Model Capability Appraisal Method (CAM) Version 1.1
October 2011 Technical Report
Resilient Enterprise Management Team
In this report, the authors demonstrate that the SCAMPI method can be adapted and applied to CERT-RMM V1.1 as the reference model for a process appraisal.
Download -
Smart Grid Maturity Model: Matrix, Version 1.2
September 2011 White Paper
This document shows a matrix related to Smart Grid Maturity Model levels.
Download -
Proceedings of the Fourth International Workshop on a Research Agenda for Maintenance and Evolution of Service-Oriented Systems (MESOA 2010)
September 2011 Special Report
Grace LewisDennis B. SmithKostas Kontogiannis
This report summarizes the proceedings from the 2010 MESOA workshop and includes the accepted papers that were the basis for the presentations given during the workshop.
Download -
Software Assurance Curriculum Project Volume IV: Community College Education
September 2011 Technical Report
Nancy R. MeadElizabeth K. Hawthorne (Union County College)Mark A. Ardis (Stevens Institute of Technology)
In this report, the authors focus on community college courses for software assurance.
Download -
Understanding and Leveraging a Supplier’s CMMI Efforts: A Guidebook for Acquirers (Revised for V1.3)
September 2011 Technical Report
Lawrence T. OsieckiMike PhillipsJohn Scibilia
This guidebook helps acquisition organizations formulate questions for their suppliers related to CMMI. It also helps organizations interpret responses to identify and evaluate risks for a given supplier.
Download -
Smart Grid Maturity Model, Version 1.2: Model Definition
September 2011 Technical Report
SGMM Team
The Smart Grid Maturity Model (SGMM) is business tool that provides a framework for electric power utilities to help modernize their operations and practices for delivering electricity.
Download -
Keeping Your Family Safe in a Highly Connected World
August 2011 White Paper
Marie BakerJonathan Frederick
In this paper, the authors describe the risks of being victims of theft, including becoming involved unknowingly in illegal activities over a networked device.
Download -
Which CMMI Model Is for You?
August 2011 White Paper
Mike PhillipsSandra Shrum
A short white paper that provides guidance on selecting the best CMMI model for process improvement.
Download -
Architecting Service-Oriented Systems
August 2011 Technical Note
Philip BiancoGrace LewisPaulo Merson
This report presents guidelines for architecting service-oriented systems and the effect of architectural principles on system quality attributes.
Download -
Standards-Based Automated Remediation: A Remediation Manager Reference Implementation
July 2011 Special Report
Sagar ChakiRita C. CreelJeff Davenport
In this report, the authors describe work to develop standards for vulnerability and compliance remediation on DoD networked systems.
Download -
A Decision Framework for Selecting Licensing Rights for Noncommercial Computer Software in the DoD Environment
July 2011 Technical Report
Charlene Gross
This report describes standard noncommercial software licensing alternatives as defined by U.S. Government and DoD regulations. It suggests an approach for identifying agency needs for license rights and the license type for various systems.
Download -
Measures for Managing Operational Resilience
July 2011 Technical Report
Julia H. AllenPamela D. Curtis
In this report, the Resilient Enterprise Management (REM) team suggests a set of top ten strategic measures for managing operational resilience.
Download -
An Online Learning Approach to Information Systems Security Education
June 2011 White Paper
Norman Bier (Carnegie Mellon University)Marsha Lovett (Carnegie Mellon University)Robert C. Seacord
In this paper, the authors describe the development of a secure coding module that shows how to capture content, ensure learning, and scale to meet demand.
Download -
Monitoring Cloud Computing by Layer, Part 2
June 2011 White Paper
Jonathan Spring
In this paper, Jonathan Spring presents a set of recommended restrictions and audits to facilitate cloud security.
Download -
A Preliminary Model of Insider Theft of Intellectual Property
June 2011 Technical Note
Andrew P. MooreDawn CappelliThomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University)
In this report, the authors describe general observations about and a preliminary system dynamics model of insider crime based on our empirical data.
Download -
Software Assurance for System of Systems
May 2011 White Paper
John B. GoodenoughLinda M. Northrop
In this paper, the authors discuss confidence in system and SoS behavior and how theories can be used to make the assurance process more effective.
Download -
Architecture Evaluation without an Architecture: Experience with the Smart Grid
April 2011 White Paper
Rick KazmanLen BassJames Ivers
This paper describes an analysis of some of the challenges facing one portion of the Electrical Smart Grid in the United States - residential Demand Response (DR) systems.
Download -
Correlating Domain Registrations and DNS First Activity in General and for Malware
April 2011 White Paper
Leigh B. MetcalfJonathan SpringEd Stoner
In this paper, the authors describe a pattern in the amount of time it takes for that domain to be actively resolved on the Internet.
Download -
Architectures for the Cloud: Best Practices for Navy Adoption of Cloud Computing
April 2011 White Paper
Grace Lewis
The goal of SEI research is to create best practices for architecture and design of systems that take advantage of the cloud, leading to greater system quality from both a consumer and provider perspective.
Download -
Monitoring Cloud Computing by Layer, Part 1
April 2011 White Paper
Jonathan Spring
In this paper, Jonathan Spring presents a set of recommended restrictions and audits to facilitate cloud security.
Download -
Principles of Survivability and Information Assurance
April 2011 White Paper
In this paper, the authors describe a Security Information and Event Management signature for detecting possible malicious insider activity.
Download -
Employing SOA to Achieve Information Dominance
April 2011 White Paper
Grace Lewis
SEI research will enable the Navy to to develop service-oriented systems that address information dominance priority requirements.
Download -
Managing Technical Debt in Software-Reliant Systems
April 2011 White Paper
Nanette Brown
This whitepaper argues that there is an opportunity to study and improve the “technical debt” metaphor concept and offers software engineers a foundation for managing such trade-offs based on models of their economic impacts.
Download -
Appraisal Requirements for CMMI Version 1.3 (ARC, V1.3)
April 2011 Technical Report
SCAMPI Upgrade Team
The Appraisal Requirements for CMMI, Version 1.3 (ARC, V1.3), defines the requirements for appraisal methods intended for use with Capability Maturity Model Integration (CMMI) and with the People CMM.
Download -
Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0
April 2011 Technical Report
John HallerSamuel A. MerrellMatthew J. Butkovic
In this 2011 report, an update to its 2010 counterpart, the authors provide insight that interested organizations and governments can use to develop a national incident management capability.
Download -
Trusted Computing in Embedded Systems Workshop
March 2011 Special Report
Archie D. AndrewsJonathan M. McCune
In this report, the authors describe the November 2010 Trusted Computing in Embedded Systems Workshop held at Carnegie Mellon University.
Download -
Issues and Opportunities for Improving the Quality and Use of Data in the Department of Defense
March 2011 Special Report
Mark KasunicDavid ZubrowErin Harper
This report contains the recommendations of an SEI-lead, joint-sponsored workshop by the OSD (AT&L) and DDR&, around the topics of data quality, data analysis, and data use.
Download -
IEEE Computer Society/Software Engineering Institute Software Process Achievement (SPA) Award 2009
March 2011 Technical Report
Satyendra KumarRamakrishnan M.
This report describes the work of the 2009 recipient of the IEEE Computer Society Software Process Achievement Award, jointly established by the SEI and IEEE to recognize outstanding achievements in software process improvement.
Download -
CMMI for Acquisition (CMMI-ACQ) Primer, Version 1.3
March 2011 Technical Report
Mike Phillips
Acquisition practices for the project level that help you get started with CMMI for Acquisition practices without using the whole model.
Download -
Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi
March 2011 Technical Report
Nancy R. MeadJulia H. AllenMark A. Ardis (Stevens Institute of Technology)
In this report, the authors provide sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum.
Download -
Delivering Software-Reliant Products Faster: Take Action to Help Your Organization Gain Speed Without Sacrificing Quality
February 2011 White Paper
Learn how to deliver software-reliant products faster and explore ways to use software architecture more effectively.
Download -
Delivering Software-Reliant Products Faster: Help Your Organization Gain Speed Without Sacrificing Quality
February 2011 White Paper
Learn how to look into the initial steps suggested for delivering software-reliant products faster.
Download -
A Framework for Evaluating Common Operating Environments: Piloting, Lessons Learned, and Opportunities
February 2011 Special Report
Cecilia AlbertSteve Rosemergy
This report explores the interdependencies among common language, business goals, and soft-ware architecture as the basis for a common framework for conducting evaluations of software technical solutions.
Download -
Integrating the Master of Software Assurance Reference Curriculum into the Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems
February 2011 Technical Note
Dan Shoemaker (University of Detroit Mercy)Nancy R. MeadJeff Ingalsbe (University of Detroit Mercy)
In this report, the authors examine how the Master of Software Assurance Reference Curriculum can be used for a Master of Science in Information Systems.
Download -
An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases
February 2011 Technical Note
Michael HanleyTyler DeanWill Schroeder
In this report, the authors provide an overview of techniques used by malicious insiders to steal intellectual property.
Download -
Results of SEI Independent Research and Development Projects (FY 2010)
February 2011 Technical Report
William AndersonDavid FisherDavid P. Gluch
This report describes results of independent research and development (IRAD) projects undertaken in fiscal year 2010.
Download -
Network Monitoring for Web-Based Threats
February 2011 Technical Report
Matthew Heckathorn
In this report, Matthew Heckathorn models the approach an attacker would take and provides detection or prevention methods to counter that approach.
Download -
Function Extraction (FX) Research for Computation of Software Behavior: 2010 Development and Application of Semantic Reduction Theorems for Behavior Analysis
February 2011 Technical Report
Richard C. Linger (Oak Ridge National Laboratory)Tim DalyMark Pleszkoch
In this report, the authors present research to compute the behavior of software with mathematical precision and how this research has been implemented.
Download -
FloCon 2011 Proceedings
January 2011 White Paper
These papers were presented at FloCon 2011, where participants discussed dark space, web servers, spam, and the susceptibility of DNS servers to cache poisoning.
Download -
Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data
January 2011 Technical Note
Michael Hanley
In this 2011 report, Michael Hanley demonstrates how a method for modeling insider crimes can create candidate technical controls and indicators.
Download -
Trust and Trusted Computing Platforms
January 2011 Technical Note
David FisherJonathan M. McCuneArchie D. Andrews
This technical note examines the Trusted Platform Module, which arose from work related to the Independent Research and Development project "Trusted Computing in Extreme Adversarial Environments: Using Trusted Hardware as a Foundation for Cyber Security."
Download -
Enabling Agility Through Architecture
December 2010 White Paper
Nanette BrownRobert NordIpek Ozkaya
Enabling Agility Through Architecture: A Crosstalk article by Nanette Brown, Rod Nord, and Ipek Ozkaya.
Download -
Guide for SCAMPI Appraisals: Accelerated Improvement Method (AIM)
December 2010 Special Report
Gene MilukJim McHaleTimothy A. Chick
This document provides guidance to lead appraisers and appraisal teams unfamiliar with TSP+ when conducting Standard CMMI Appraisal Method for Process Improvement (SCAMPI) appraisals within organizations that use the TSP+ as a foundational operational practice.
Download -
Implementation Guidance for the Accelerated Improvement Method (AIM)
December 2010 Special Report
Jim McHaleTimothy A. ChickGene Miluk
This 2010 report describes the (AIM which helps an organization to implement high-performance, high-quality CMMI practices much more quickly than industry norms.
Download -
Software Supply Chain Risk Management: From Products to Systems of Systems
December 2010 Technical Note
Robert J. EllisonChristopher J. AlbertsRita C. Creel
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.
Download -
A Taxonomy of Operational Cyber Security Risks
December 2010 Technical Note
James J. CebulaLisa R. Young
In this report, the authors present a taxonomy of operational cyber security risks and its harmonization with other risk and security activities.
Download -
Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems
December 2010 Technical Report
Robert C. SeacordWill DormannJames McCurley
In this report, the authors describe the Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.
Download -
Adaptive Flow Control for Enabling Quality of Service in Tactical Ad Hoc Wireless Networks
December 2010 Technical Report
Jeffrey HansenScott HissamB. Craig Meyers
The network infrastructure for users such as emergency responders or warfighters is wireless, ad hoc, mobile, and lacking in sufficient bandwidth. This report documents the results from 18 experiments to investigate Adaptive Quality of Service, an approach to enable applications to fulfill their missions despite tactical network infrastructure limitations.
Download -
Combining Architecture-Centric Engineering with the Team Software Process
December 2010 Technical Report
Robert NordJim McHaleFelix Bachmann
ACE methods and the TSP provides an iterative approach for delivering high quality systems on time and within budget. The combined approach helps organizations that must set an architecture/developer team in motion using mature, disciplined engineering practices that produce quality software quickly.
Download -
Beyond Technology Readiness Levels for Software: U.S. Army Workshop Report
December 2010 Technical Report
Stephen Blanchette, Jr.Cecilia AlbertSuzanne Garcia-Miller
This report synthesizes presentations, discussions, and outcomes from the "Beyond Technology Readiness Levels for Software" workshop from August 2010.
Download -
The CERT Approach to Cybersecurity Workforce Development
December 2010 Technical Report
Josh HammersteinChristopher May
This report describes a model commonly used for developing and maintaining a competent cybersecurity workforce, explains some operational limitations associated with that model, and presents a new approach to cybersecurity workforce development.
Download -
Executive Overview: Best Practices for Adoption of Cloud Computing
November 2010 White Paper
Grace Lewis
This paper describes the SEI approach to cloud computing research for the DoD.
Download -
Executive Overview: Employing SOA to Achieve Information Dominance
November 2010 White Paper
Grace Lewis
The current ability to implement systems in the DoD based on SOA technologies falls short of the DoD's goals. To close the gaps in these areas, research is needed in SOA security, semantic SOA, context-aware applications, and real-time SOA.
Download -
French language translation of CMMI for Development, V1.3
November 2010 White Paper
This is The French language translation of CMMI for Development, V1.3.
Download -
Dutch language translation of CMMI for Development V1.3
November 2010 White Paper
This document is the Dutch language translation of CMMI-DEV V1.3.
Download -
Spanish Language Translation of CMMI for Development, v1.3
November 2010 White Paper
Spanish language translation of CMMI for Development, v1.3
Download -
Traditional Chinese Language Translation of CMMI for Development V1.3
November 2010 White Paper
CMMI-DEV V1.3 Traditional Chinese Translation
Download -
A Workshop on Analysis and Evaluation of Enterprise Architectures
November 2010 Technical Note
John KleinMichael J. Gagliardi
This report summarizes a workshop on the analysis and evaluation of enterprise architectures that was held at the SEI in April of 2010.
Download -
Performance Analysis of WS-Security Mechanisms in SOAP-Based Web Services
November 2010 Technical Report
Marc NovakouskiSoumya SimantaGunnar Peterson
This paper presents the results of a series of experiments targeted at analyzing the performance impact of adding WS-Security, a common security standard used in IdM frameworks, to SOAP-based web services.
Download -
CMMI for Acquisition, Version 1.3
November 2010 Technical Report
CMMI Product Team
The CMMI-ACQ model provides guidance for applying CMMI best practices in an acquiring organization. Best practices in the model focus on activities for initiating and managing the acquisition of products and services to meet the needs of customers and end users.
Download -
CMMI for Development, Version 1.3
November 2010 Technical Report
CMMI Product Team
This 2010 report details CMMI for Development (CMMI-DEV) V.1.3, which provides a comprehensive integrated set of guidelines for developing products and services.
Download -
CMMI for Services, Version 1.3
November 2010 Technical Report
CMMI Product Team
This 2010 report details CMMI for Services (CMMI-SVC) V.1.3, which provides a comprehensive integrated set of guidelines for providing superior services.
Download -
Strategic Planning with Critical Success Factors and Future Scenarios: An Integrated Strategic Planning Framework
November 2010 Technical Report
Linda Parker Gates
This report explores the value of enhancing typical strategic planning techniques with the CSF method and scenario planning.
Download -
Designing for Incentives: Better Information Sharing for Better Software Engineering
October 2010 White Paper
This paper outlines a research agenda in bridging to the economic theory of mechanism design, which seeks to align incentives in multi-agent systems with private information and conflicting goals.
Download -
Cloud Computing Basics Explained
September 2010 White Paper
Grace Lewis
This paper seeks to help organizations understand cloud computing essentials, including drivers for and barriers to adoption, in support of making decisions about adopting the approach.
Download -
Primer on SOA Terms
September 2010 White Paper
Grace Lewis
This white paper presents basic terminology related to Service- Oriented Architecture (SOA). The goal of the paper is to establish a baseline of terms for service-oriented systems.
Download -
T-Check in System-of-Systems Technologies: Cloud Computing
September 2010 Technical Note
Harrison D. StrowdGrace Lewis
The purpose of this report is to examine a set of claims about cloud computing adoption.
Download -
Emerging Technologies for Software-Reliant Systems of Systems
September 2010 Technical Note
Grace Lewis
The purpose of this report is to present an informal survey of technologies that are, or are likely to become, important for software-reliant systems of systems in response to current computing trends.
Download -
Integrated Measurement and Analysis Framework for Software Security
September 2010 Technical Note
Christopher J. AlbertsJulia H. AllenRobert W. Stoddard
In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).
Download -
Security Requirements Reusability and the SQUARE Methodology
September 2010 Technical Note
Travis ChristianNancy R. Mead
In this report, the authors discuss how security requirements engineering can incorporate reusable requirements.
Download -
Measuring Operational Resilience Using the CERT® Resilience Management Model
September 2010 Technical Note
Julia H. AllenNoopur Davis
In this 2010 report, the authors begin a dialogue and establish a foundation for measuring and analyzing operational resilience.
Download -
Program Executive Officer Aviation, Major Milestone Reviews: Lessons Learned Report
September 2010 Technical Report
Scott ReedKathryn Ambrose Sereno
This report documents ideas and recommendations for improving the overall acquisition process and presents the actions taken by project managers in several programs to develop, staff, and obtain approval for their systems.
Download -
Smart Grid Maturity Model, Version 1.1: Model Definition
September 2010 Technical Report
SGMM Team
The Smart Grid Maturity Model (SGMM) is business tool that provides a framework for electric power utilities to help modernize their operations and practices for delivering electricity.
Download -
Success in Acquisition: Using Archetypes to Beat the Odds
September 2010 Technical Report
William E. NovakLinda Levine
This report describes key elements in systems thinking, provides an introduction to general systems archetypes, and applies these concepts to the software acquisition domain.
Download -
Building Assured Systems Framework
September 2010 Technical Report
Nancy R. MeadJulia H. Allen
This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.
Download -
Using TSP Data to Evaluate Your Project Performance
September 2010 Technical Report
Shigeru SasaoWilliam NicholsJames McCurley
A set of measures was determined that allow analyses This report discusses the application of a set of measures to a data set of 41 TSP projects from an organization to identify their strengths and weaknesses.
Download -
Suggestions for Documenting SOA-Based Systems
September 2010 Technical Report
Stephany Bellomo
This report provides suggestions for documenting service-oriented architecture-based systems based on the Views & Beyond (V&B) software documentation approach.
Download -
Exploring Acquisition Strategies for Adopting a Software Product Line
August 2010 White Paper
John K. BergeyLawrence G. Jones
Some basics of software product line practice, the challenges that make product line acquisition unique, and three basic acquisition strategies are all part of this white paper.
Download -
YAF: Yet Another Flowmeter
August 2010 White Paper
Chris InacioBrian Trammell
In this paper, the authors describe issues encountered in designing and implementing YAF.
Download -
A Continuous Time List Capture Model for Internet Threats
August 2010 White Paper
Rhiannon Weaver
In this paper, Rhiannon Weaver describes a population study of malware files under the CTLC framework and presents a simulation study as well as future work.
Download -
Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum
August 2010 Technical Report
Nancy R. MeadJulia H. AllenMark A. Ardis (Stevens Institute of Technology)
In this report, the authors present a master of software assurance curriculum that educational institutions can use to create a degree program or track.
Download -
Risk Management Framework
August 2010 Technical Report
Christopher J. AlbertsAudrey J. Dorofee
In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.
Download -
Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines
August 2010 Technical Report
Nancy R. MeadThomas B. Hilburn (Embry-Riddle Aeronautical University)Richard C. Linger (Oak Ridge National Laboratory)
In this report, the authors describe seven courses for an undergraduate curriculum specialization for software assurance.
Download -
A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project
August 2010 Technical Report
Lisa BrownswordCarol WoodyChristopher J. Alberts
In this report, the authors describe the SEI Assurance Modeling Framework, piloting to prove its value, and insights gained from that piloting.
Download -
COVERT: A Framework for Finding Buffer Overflows in C Programs via Software Verification
August 2010 Technical Report
Sagar ChakiArie Gurfinkel
In this report, the authors present COVERT, an automated framework for finding buffer overflows in C programs using software verification tools and techniques.
Download -
Measurement and Analysis Infrastructure Diagnostic, Version 1.0: Method Definition Document
August 2010 Technical Report
Mark Kasunic
This 2010 report is a guidebook for conducting a Measurement and Analysis Infrastructure Diagnostic (MAID) evaluation.
Download -
Security Requirements Engineering
July 2010 White Paper
Nancy R. Mead
In this paper, Nancy Mead how a systematic approach to security requirements engineering helps to avoid problems.
Download -
Adapting the SQUARE Process for Privacy Requirements Engineering
July 2010 Technical Note
Ashwini Bijwe (Carnegie Mellon University)Nancy R. Mead
In this 2010 report, the authors explore how the SQUARE process can be adapted for privacy requirements engineering in software development.
Download -
Team Software Process (TSP) Body of Knowledge (BOK)
July 2010 Technical Report
Watts S. HumphreyTimothy A. ChickWilliam Nichols
The TSP BOK helps practitioners and employers assess and improve their skills, and shows academic institutions how to incorporate TSP into their engineering courses.
Download -
Programmatic and Constructive Interdependence: Emerging Insights and Predictive Indicators of Development Resource Demand
July 2010 Technical Report
Robert M. FloweMark KasunicMary M. Brown
This 2010 report describes a series of ongoing research efforts that investigate the role of interdependence in the acquisition of major defense acquisition programs.
Download -
Rayon: A Unified Framework for Data Visualization
June 2010 White Paper
Phil Groce
In this paper, Phil Groce describes the Rayon visualization toolkit, developed to augment network analytic information and improve analytic operations.
Download -
Finding Malicious Activity in Bulk DNS Data
June 2010 White Paper
Ed Stoner
In this paper, Ed Stoner describes techniques for detecting certain types of malicious traffic.
Download -
Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability
June 2010 Special Report
John HallerSamuel A. MerrellMatthew J. Butkovic
In this report, the authors provide insight that interested organizations and governments can use to develop a national incident management capability.
Download -
Team Software Process (TSP) Coach Mentoring Program Guidebook, Version 1.1
June 2010 Special Report
Timothy A. ChickRobert CannonJim McHale
This guidebook is designed to explain the steps for becoming an SEI-Certified Team Software Process (TSP) Coach or SEI-Certified TSP Mentor Coach, with emphasis on guiding individuals through the mentoring process.
Download -
Survivability Analysis Framework
June 2010 Technical Note
Robert J. EllisonCarol Woody
In this report, the authors describe the Survivability Analysis Framework, which is used to evaluate critical operational capabilities.
Download -
Software Product Lines: Report of the 2010 U.S. Army Software Product Line Workshop
June 2010 Technical Report
John K. BergeyGary ChastekSholom G. Cohen
This report synthesizes presentations and discussions from a 2010 workshop to discuss product line practices and operational accomplishments.
Download -
Performance Effects of Measurement and Analysis: Perspectives from CMMI High Maturity Organizations and Appraisers
June 2010 Technical Report
James McCurleyDennis Goldenson
This report describes results from two recent surveys conducted by the Software Engineering Institute (SEI) to collect information about the measurement and analysis activities of software systems development organizations.
Download -
Resource Allocation in Distributed Mixed-Criticality Cyber-Physical Systems
May 2010 White Paper
Karthik Lakshmanan
This paper explains a formal overload-resilience metric called ductility.
Download -
The Illusion of Certainty - Paper
May 2010 White Paper
Grady Campbell
In this 2010 paper, Grady Campbell - delivered at the 7th Acquisition Research Symposium - argues that a new approach to acquisition is needed that recognizes that hiding uncertainty is detrimental to success.
Download -
Edge Enabled Systems
May 2010 White Paper
Zacharie Hall (Aberdeen Proving Ground)Rick KazmanDaniel Plakosh
This paper describes the characteristics of edge systems and the edge organizations in which these systems operate, and make initial recommendations about how such systems and organizations can be created to serve the needs of users at the edge.
Download -
Managing Variation in Services in a Software Product Line Context
May 2010 Technical Note
Sholom G. CohenRobert W. Krut, Jr.
This report highlights the mutual benefits of combining systematic reuse approaches from product line development with flexible approaches for implementing business processes in a service oriented architecture.
Download -
Evaluating and Mitigating Software Supply Chain Security Risks
May 2010 Technical Note
Robert J. EllisonJohn B. GoodenoughCharles B. Weinstock
In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.
Download -
Relating Business Goals to Architecturally Significant Requirements for Software Systems
May 2010 Technical Note
Paul C. ClementsLen Bass
The purpose of this report is to facilitate better elicitation of high-pedigree quality attribute requirements. Toward this end, we want to be able to elicit business goals reliably and understand how those business goals influence quality attribute requirements and architectures.
Download -
Case Study: Model-Based Analysis of the Mission Data System Reference Architecture
May 2010 Technical Report
Peter H. FeilerDavid P. GluchKurt Woodham (L-3 Communications-Titan Group)
This report describes how AADL support an instantiation of a reference architecture, address architectural themes, and provide a foundation for the analysis of performance elements and system assurance concerns.
Download -
Identifying Anomalous Port-Specific Network Behavior
May 2010 Technical Report
Rhiannon Weaver
In this report, Rhiannon Weaver describes a method for identifying network behavior that may be a sign of coming internet-wide attacks.
Download -
CERT Resilience Management Model, Version 1.0
May 2010 Technical Report
Richard A. CaralliJulia H. AllenPamela D. Curtis
In this report, the authors present CERT-RMM, an approach to managing operational resilience in complex, risk-evolving environments.
Download -
Java Concurrency Guidelines
May 2010 Technical Report
Fred LongDhruv MohindraRobert C. Seacord
In this report, the authors describe the CERT Oracle Secure Coding Standard for Java, which provides guidelines for secure coding in Java.
Download -
Specifications for Managed Strings, Second Edition
May 2010 Technical Report
Hal BurchFred LongRaunak Rungta
In this report, the authors describe a managed string library for the C programming language.
Download -
Considerations for Using Agile in DoD Acquisition
April 2010 Technical Note
Mary Ann LaphamRay C. WilliamsCharles (Bud) Hammons
This 2010 report explores the questions: Can Agile be used in the DoD environment? If so, how?
Download -
As-If Infinitely Ranged Integer Model, Second Edition
April 2010 Technical Note
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Will DormannDavid Keaton
In this report, the authors present the as-if infinitely ranged (AIR) integer model, a mechanism for eliminating integral exceptional conditions.
Download -
Data Rights for Proprietary Software Used in DoD Programs
April 2010 Technical Note
Julie B. CohenBonnie Troup (The Aerospace Corporation)Henry Ouyang (The Aerospace Corporation)
This report examines how data rights issues were addressed in the TSAT program. It also reviews concerns posed by the use of commercial software in the TSAT program's Space Segment, and data rights concerns for software incorporated in the GPS program.
Download -
Characterizing Technical Software Performance Within System of Systems Acquisitions: A Step-Wise Methodology
April 2010 Technical Report
Bryce L. MeyerJames Wessel
This report focuses on both qualitative and quantitative ways of determining the current state of SWP (software performance) in terms of both test coverage and confidence for SOA-based SoS environments.
Download -
Measuring Software Security
March 2010 White Paper
Julia H. Allen
This paper, extracted from the 2009 CERT Research Report, describes planned research tasks in the field of software security.
Download -
Cyber Assurance
March 2010 White Paper
Christopher J. AlbertsRobert J. EllisonCarol Woody
This paper, extracted from the 2009 CERT Research Report, describes planned research tasks in the field of cyber assurance.
Download -
Evaluating Software's Impact on System and System and System of Systems Reliability
March 2010 White Paper
In this paper, the authors discuss how system engineers are uncertain about how to determine the impact of software on overall system.
Download -
A Research Agenda for Service-Oriented Architecture (SOA): Maintenance and Evolution of Service-Oriented Systems
March 2010 Technical Note
Grace LewisDennis B. SmithKostas Kontogiannis
This 2010 report describes the agenda of an SEI-led group that was formed to explore the business, engineering, and operations aspects of service-oriented architecture.
Download -
Extending Team Software Process (TSP) to Systems Engineering: A NAVAIR Experience Report
March 2010 Technical Report
Anita CarletonJames W. OverJeff Schwalb
This 2010 report communicates status, progress, lessons learned, and results on a joint collaboration between the SEI and NAVAIR.
Download -
Testing in Service-Oriented Environments
March 2010 Technical Report
Edwin J. MorrisWilliam AndersonSriram Balasubramaniam
This report makes 65 recommendations for improving testing in service-oriented environments. It covers testing functionality and testing for interoperability, security, performance, and reliability qualities.
Download -
Reports from the Field on System of Systems Interoperability Challenges and Promising Approaches
March 2010 Technical Report
Carol A. Sledge
In this report, Carol Sledge identifies challenges and successful approaches to achieving system of systems (SoS) interoperability.
Download -
Adapting the SQUARE Method for Security Requirements Engineering to Acquisition
February 2010 White Paper
Nancy R. Mead
In this paper, Nancy Mead adapts the SQUARE process for security requirements engineering to different acquisition situations.
Download -
0-knowledge fuzzing
February 2010 White Paper
Vincenzo Iozzo (Zynamics)
In this paper, Vincenzo Iozzo describes how to effectively fuzz with no knowledge of the user-input and the binary.
Download -
MITRE, CWE, and CERT Secure Coding Standards
February 2010 White Paper
Robert C. SeacordRobert A. Martin
In this paper, the authors summarize the Common Weakness Enumeration (CWE) and CERT Secure Coding Standards and the relationship between the two.
Download -
A Probabilistic Population Study of the Conficker-C Botnet
February 2010 White Paper
Rhiannon Weaver
In this paper, Rhiannon Weaver estimates the number of active machines per hour infected with the Conficker-C worm using a probability model.
Download -
Instrumented Fuzz Testing Using AIR Integers (Whitepaper)
February 2010 White Paper
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Will DormannDavid Keaton
In this paper, the authors present the as-if infinitely ranged (AIR) integer model, which provides a mechanism for eliminating integral exceptional conditions.
Download -
Spotlight On: Insider Threat from Trusted Business Partners
February 2010 White Paper
Robert Weiland (Carnegie Mellon University)Andrew P. MooreDawn Cappelli
In this report, the authors focus on cases in which the insider was employed by a trusted business partner of the victim organization.
Download -
Proceedings of the 3rd International Workshop on a Research Agenda for Maintenance and Evolution of Service-Oriented Systems (MESOA 2009)
February 2010 Special Report
Grace LewisDennis B. SmithNed Chapin
This report contains selected papers from the 3rd International Workshop on a Research Agenda for Maintenance and Evolution of Service-Oriented Systems (MESOA 2009).
Download -
Profiling Systems Using the Defining Characteristics of Systems of Systems (SoS)
February 2010 Technical Note
Donald Firesmith
This technical note identifies and describes the characteristics that have been used in various definitions of the term system of systems.
Download -
Acquisition Archetype: Shooting the Messenger
January 2010 White Paper
Linda LevineWilliam E. Novak
When problems are detected in programs, everyone needs to listen and work together towards a solution. Shooting the messenger only delays the process, and hurts program morale.
Download -
Industry Standard Notation for Architecture-Centric Model-Based Engineering
January 2010 White Paper
Peter H. Feiler
In this paper, Peter Feiler describes the AADL, an industry standard for modeling and analyzing the architecture of software-reliant systems.
Download -
Approaches to Process Performance Modeling: A Summary from the SEI Series of Workshops on CMMI High Maturity Measurement and Analysis
January 2010 Technical Report
Robert W. StoddardDennis Goldenson
This report summarizes the results from the second and third high maturity measurement and analysis workshops.
Download -
Evaluating the Software Design of a Complex System of Systems
January 2010 Technical Report
Stephen Blanchette, Jr.Steven Crosson (U.S. Army)Barry Boehm (University of California, Los Angeles)
The report examines the application of the life-cycle architecture milestone to the software and computing elements of the former Future Combat Systems program.
Download -
Secure Coding Governance and Guidance
December 2009 White Paper
In this paper, the authors propose the use of secure coding standards in the development of software for surface combatants and submarines.
Download -
Secure Coding Plan
December 2009 White Paper
This plan is a government-provided customizable document that is part of the acquisition's government reference library.
Download -
Generalized Criteria and Evaluation Method for Center of Excellence: A Preliminary Report
December 2009 Technical Note
William Craig (AMRDEC SED)Matt FisherSuzanne Garcia-Miller
Criteria and standards to certify an organization as a COE are presented in this Carnegie Mellon Software Engineering Institute preliminary report.
Download -
A Structured Approach for Reviewing Architecture Documentation
December 2009 Technical Note
Robert NordPaul C. ClementsDavid Emery
This technical note proposes a structured approach for reviewing architecture documentation that is centered on the documentation's stakeholders and engages them in a guided manner so as to ensure that the documentation will be ultimately useful to them.
Download -
Measurement and Analysis Infrastructure Diagnostic (MAID) Evaluation Criteria, Version 1.0
December 2009 Technical Report
Software Engineering Measurement and Analysis (SEMA) Group
This 2009 report presents the criteria used during a MAID evaluation that serve as a checklist to rate the quality of an organization's measurement and analysis practices and the quality of the measurement information that results from the implementation of those practices.
Download -
Results of SEI Independent Research and Development Projects (FY 2009)
December 2009 Technical Report
Len BassLutz WragePaul C. Clements
In this report, the authors describe the SEI independent research and development (IRAD) projects conducted during fiscal year 2009.
Download -
An Everyday Example of Architecture Documentation: Subway Maps
November 2009 White Paper
Paul C. Clements
This white paper explores the idea that subway maps provide a good, common example of architecture documentation and that they might be instructive about good software architecture documentation.
Download -
System of Systems Software Assurance
November 2009 White Paper
John B. Goodenough
This white paper describes SEI investigation into ways to provide justified confidence that a system of systems will behave as needed in its actual and evolving usage environments.
Download -
Proceedings of the Workshop on Software Engineering Foundations for End-User Programming (SEEUP 2009)
November 2009 Special Report
Len BassGrace LewisBrad Myers
This report presents the papers that were given at SEEUP 2009, held at the 31st ICSE in Vancouver, British Columbia on May 23, 2009.
Download -
The Watts New Collection: Columns by the SEI’s Watts Humphrey
November 2009 Special Report
Watts S. Humphrey
news@sei columns written by the SEI's Watts Humphrey between June 1998 and August 2008
Download -
Evaluating Artifact Quality from an Appraisal Perspective
November 2009 Technical Note
Emanuel R. BakerMatt FisherCharlene Gross
This report explores the lack of agreement among SCAMPI Lead Appraisers about what “artifact quality” means in the SCAMPI process context.
Download -
Evaluating Process Quality from an Appraisal Perspective
November 2009 Technical Note
Emanuel R. BakerMatt Fisher
This report explores the lack of agreement among SCAMPI Lead Appraisers about what “process quality” means in the SCAMPI process context.
Download -
A Method for Assessing Technical Progress and Quality Throughout the System Life Cycle
November 2009 Technical Note
Robert FergusonSummer C. FowlerRita C. Creel
This 2009 paper provides a framework for evaluating a system from several perspectives for a comprehensive picture of progress and quality.
Download -
Integrating CMMI and TSP/PSP: Using TSP Data to Create Process Performance Models
November 2009 Technical Note
Shurei Tamura
This report describes the fundamental concepts of process performance models (PPMs) and describes how they can be created using data generated by projects following the TSP.
Download -
System Architecture Virtual Integration: An Industrial Case Study
November 2009 Technical Report
Peter H. FeilerJörgen Hansson (University of Skovde)Dionisio de Niz
This report introduces key concepts of the SAVI paradigm and discusses the series of development scenarios used in a POC demonstration to illustrate the feasibility of improving the quality of software-intensive aircraft systems.
Download -
The Software Quality Profile
October 2009 White Paper
Watts S. Humphrey
The software community has been slow to use data to measure software quality. This paper discusses the reasons for this problem and describes a way to use process measurements to assess product quality.
Download -
Acquisition Archetypes: Happy Path Testing
October 2009 White Paper
Linda LevineWilliam E. Novak
When time and budget are tight, it's tempting to follow the "happy path" in testing. But be careful: it may be a path that brings your program great unhappiness.
Download -
Acquisition Archetypes: Brooks' Law
October 2009 White Paper
Linda LevineWilliam E. Novak
This April 2009 whitepaper focuses on the problems of underspending, which can result in funds being shifted from one acquisition program to another.
Download -
The Economics of CMMI
October 2009 White Paper
This paper provides practical guidance for CMMI adopters in the effective use of CMMI, based upon established NDIA principles.
Download -
Insights on Program Success
October 2009 Special Report
Software Engineering InstituteSystems and Software Consortium, Inc.
This 2009 report examines the reasons why some programs fail and studies the factors that lead to program success.
Download -
A Bibliography of the Personal Software Process (PSP) and the Team Software Process (TSP)
October 2009 Special Report
Rachel CallisonMarlene MacDonald
This 2009 special report provides a bibliography of books, articles, and other literature concerning the PSP and TSP methodologies.
Download -
Towards an Assurance Case Practice for Medical Devices
October 2009 Technical Note
Charles B. WeinstockJohn B. Goodenough
In this report, the authors explore how to enable manufacturers and federal regulators gain confidence in software-dominated medical devices.
Download -
Data Model as an Architectural View
October 2009 Technical Note
Paulo Merson
This 2009 report describes the data model as an architectural style in an effort to help architects apply this style to create data model architectural views.
Download -
Secure Design Patterns
October 2009 Technical Report
Chad DoughertyKirk SayreRobert C. Seacord
In this report, the authors describe a set of general solutions to software security problems that can be applied in many different situations.
Download -
CMMI and Medical Device Engineering
September 2009 White Paper
David W. Walker
This paper summarizes the comparison performed between the CMMI and the regulations and standards that drive software intensive medical device product development.
Download -
Lessons Learned from a Large, Multi-Segment, Software-Intensive System
September 2009 Technical Note
John T. ForemanMary Ann Lapham
This 2009 report contains a series of observations and their associated lessons learned from a large, multi-segment, software-intensive system.
Download -
Effectiveness of the Vulnerability Response Decision Assistance (VRDA) Framework
August 2009 White Paper
Art ManionKazuya Togashi (JPCERT/CC)Joseph B. Kadane (Department of Statistics, Carnegie Mellon University)
In this paper, the authors describe the Vulnerability Response Decision Assistance (VRDA) framework, a decision support and expert system.
Download -
Team Software Process (TSP) Coach Mentoring Program Guidebook
August 2009 Special Report
Timothy A. ChickRobert CannonJim McHale
This guidebook is designed to explain the steps for becoming an SEI-Certified Team Software Process (TSP) Coach or SEI-Certified TSP Mentor Coach, with emphasis on guiding individuals through the mentoring process. This guidebook defines the structure and format of the mentor and provisional coach relationship, and explains the process steps and evaluation criteria for becoming an SEI-Certified TSP Coach or Mentor Coach.
Download -
The Personal Software Process (PSP) Body of Knowledge, Version 2.0
August 2009 Special Report
Marsha Pomeroy-HuffRobert CannonTimothy A. Chick
The Personal Software Process (PSP) body of knowledge (BOK) provides guidance to software professionals who are interested in using proven-effective, disciplined methods to improve their personal software development process.
Download -
Formulation of a Production Strategy for a Software Product Line
August 2009 Technical Note
Gary ChastekPatrick DonohoeJohn McGregor
This 2009 report describes a technique for formulating the production strategy of a production system.
Download -
Realizing and Refining Architectural Tactics: Availability
August 2009 Technical Report
James Scott (Boeing Company)Rick Kazman
Tactics are fundamental elements of software architecture that an architect employs to meet a system's quality requirements. This report describes an updated set of tactics that enable the architect to build availability into a system.
Download -
German language translation of CMMI for Development, V1.2
July 2009 White Paper
The German language translation of CMMI for Development, V1.2.
Download -
Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
July 2009 White Paper
Andrew P. MooreDawn CappelliThomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University)
In this paper, the authors describe general observations about, and a preliminary system dynamics model of, insider crime based on our empirical data.
Download -
Why Don't They Practice What We Preach?
July 2009 White Paper
Watts S. Humphrey
One of the most intractable problems in software is getting engineers to consistently use effective methods. The Software Engineering Institute has worked on this problem for a number of years and has developed effective methods for addressing it.
Download -
Resiliency Management Model: Communications
July 2009 White Paper
In this paper, the authors describe the purpose of Communications: to develop, deploy, and manage communications to support resiliency activities and processes.
Download -
Privacy Risk Assessment Case Studies in Support of SQUARE
July 2009 Special Report
Nancy R. MeadVarokas PanusuwanPrashanth Batlagundu
In this report, the authors describe enhancements to the SQUARE method for addressing privacy requirements.
Download -
A Proactive Means for Incorporating a Software Architecture Evaluation in a DoD System Acquisition
July 2009 Technical Note
John K. Bergey
This technical note provides guidance on how to contractually incorporate architecture evaluations in an acquisition.
Download -
Building Process Improvement Business Cases Using Bayesian Belief Networks and Monte Carlo Simulation
July 2009 Technical Note
Ben Linders
This report describes a collaboration between the SEI and Ericsson Research and Development to build a business case using high maturity measurement approaches that require limited measurement effort.
Download -
As-if Infinitely Ranged Integer Model
July 2009 Technical Note
David KeatonThomas Plum (Plum Hall, Inc.)Robert C. Seacord
In this report, the authors present the as-if infinitely ranged (AIR) integer model, which eliminates integer overflow and integer truncation in C and C++ code.
Download -
People Capability Maturity Model (P-CMM), Version 2.0, Second Edition
July 2009 Technical Report
Bill Curtis (CAST Research Labs)William E. HefleySally A. Miller
This report documents an update to the People CMM, Version 2, which updates informative material within the People CMM and its subpractices and provides new information learned from the continuing global use of the People CMM.
Download -
Revealing Cost Drivers for Systems Integration and Interoperability Through Q Methodology
June 2009 White Paper
William AndersonMaureen Brown (University of North Carolina)
The findings suggest that Q Methodology may prove helpful in isolating many of the non-technical latent cost factors associated with system integration and interoperability.
Download -
Spanish language translation of CMMI for Development, V1.2
June 2009 White Paper
The Spanish language translation of CMMI for Development, V1.2 was performed by Cátedra de Mejora de Procesos de Software en el Espacio, Iberoamericano de la Universidad Politécnica de Madrid and was verified by Javier Torralba.
Download -
Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations (2009)
June 2009 White Paper
Derrick SpoonerDawn CappelliAndrew P. Moore
In this report, the authors focus on employees, contractors, and business partners who stole intellectual property to benefit a foreign entity.
Download -
Computational Evaluation of Software Security Attributes
June 2009 White Paper
Gwendolyn H. WaltonThomas A. LongstaffRichard C. Linger (Oak Ridge National Laboratory)
This paper provides an introduction to the CSA approach, provides behavioral requirements for security attributes, and discusses possible application of the CSA approach.
Download -
Measurement for Improvement: Successful Measurement Practices Used in Army Software Acquisition
June 2009 Technical Note
James WesselRobert Ferguson
This report summarizes the findings of a study conducted for the Army to find and describe software measurement practices that are being used successfully.
Download -
A Scenario-Based Technique for Developing SOA Technical Governance
June 2009 Technical Note
Soumya SimantaEdwin J. MorrisGrace Lewis
Organizations can make the available SOA governance frameworks more effective in their organizations using the scenario-based tailoring technique introduced in this technical note.
Download -
Incremental Development in Large-Scale Systems: Finding the Programmatic IEDs
June 2009 Technical Note
Charles (Bud) Hammons
This paper explores how continued use of the acquisition roadmaps opens up the potential for running into program pitfalls (programmatic IEDs) that aren‰t acknowledged on the map at hand.
Download -
Integrating Quality-attribute Reasoning Frameworks in the ArchE Design Assistant
May 2009 White Paper
Andres Diaz-PaceHyunwoo KimLen Bass
Bachmann et al present their work on a design assistant called ArchE that provides third-party researchers with an infrastructure to integrate their own quality-attribute models.
Download -
Incorporating Software Requirements into the System RFP: Survey of RFP Language for Software by Topic, v. 2.0
May 2009 Special Report
Charlene Gross
The 2009 report defines and communicates software engineering and management events necessary to support the successful acquisition of software-intensive systems.
Download -
Evaluating Hazard Mitigations with Dependability Cases
April 2009 White Paper
Matthew R. Barry (Software Intensive Systems, Inc.)John B. Goodenough
In this 2009 paper, the authors present an example to show the value a dependability case adds to a traditional hazard analysis.
Download -
Risk Detection and Mitigation Metrics and Design Check Lists for Real Time and Embedded Systems
April 2009 White Paper
Doug LockeLui R. Sha
A whitepaper by Lui Sha of the University of Illinois and C. Douglass Locke of LC System Services Inc. The paper discusses risk detection and mitigation metrics and design check lists for real time and embedded systems.
Download -