Software Engineering and Information Assurance

Measurable means to achieve quality, security, and affordability

Software-intensive systems should perform as intended and be free from vulnerabilities. They should also be affordable, a term that implies cost control and timely deployment of needed software capabilities. System designers struggle to make software secure and affordable amid technology gaps for resilient software architecture, automated software analysis, development process agility, and cost control.

We focus on forming solutions to building correct, secure, and affordable systems. We develop measurable means to reduce risk for new systems or legacy system sustainment efforts by building in data and information security and wringing out software defects. We seek root causes in software acquisition of affordability issues that result in wasted effort and delays. In response to those issues, we create and prototype tooling that can shorten development time and increase software quality.

Featured Work

DevOps: Build Faster and Better Applications

CERT researchers help your organization understand and establish robust DevOps capabilities to develop, test, and deploy software faster, with high quality, and with less risk.

Learn More

Managing Technical Debt with Data-Driven Analysis

Most software projects carry technical debt. We develop tools and techniques that identify it and provide a complete view of the debt that you need to manage.

Learn More

Converting a Navy Weapon System from a 32- to a 64-Bit Architecture

The SEI provided an independent assessment of the risks of migrating a weapons control system deployed by the U.S. Navy from one architecture to another.

Learn More

Automating Vulnerability Discovery in Critical Applications

CERT researchers develop automated tools that discover and mitigate software vulnerabilities and transfer them to researchers, procurement specialists, and software vendors.

Learn More

Supporting the U.S. Army's Joint Multi-Role Technology Demonstrator Effort

We build and analyze virtual software systems to find problems early in development, before a system is built. Early discovery reduces cost and certification time.

Learn More

Design Pattern Recovery from Malware Binaries

The DoD and industry face many malware problems. CERT researchers automate malware analysis capabilities, including those focused on malware family evolution and similarity.

Learn More

Automated Code Repair

Finding security flaws in source code is daunting; fixing them is an even greater challenge. Our researchers are creating automated tools that can repair bugs automatically or by prompting developers for more information to make effective repairs.

Learn More

QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation

Costs for large new systems are hard to estimate. We developed a method to quantify uncertainty and increase confidence in a program's cost estimate.

Learn More

View More Work

Featured Publications

Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

November 15, 2016 • Book

Carol Woody, PhD Nancy R. Mead

Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody present the latest practical knowledge and case studies.

Download

Definition and Measurement of Complexity in the Context of Safety Assurance

October 27, 2016 • Technical Report

Charles B. Weinstock William Nichols Sarah Sheard

This report describes research to define complexity measures for avionics systems to help the FAA identify when systems are too complex to assure their safety.

Download

A Requirement Specification Language for AADL

June 22, 2016 • Technical Report

Peter H. Feiler Julien Delange Lutz Wrage

This report describes a textual requirement specification language, called ReqSpec, for the Architecture Analysis & Design Language (AADL) and demonstrates its use.

Download

On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle

April 13, 2016 • White Paper

Dan J. Klinedinst Christopher King

This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.

Download

Evaluating and Mitigating the Impact of Complexity in Software Models

December 03, 2015 • Technical Report

Julien Delange Jim McHale John J. Hudak

This report defines software complexity, metrics for complexity, and the effects of complexity on cost and presents an analysis tool to measure complexity in models.

Download

From Our Experts

10 Types of Application Security Testing Tools: When and How to Use Them

July 09, 2018 • Blog Post

Thomas Scanlon

Bugs and weaknesses in software are common: 84 percent of software breaches exploit vulnerabilities at the application layer. The prevalence of software-related problems is a key motivation for using application security testing (AST) tools. With a growing number of application...

read

Deep Learning, Cyber Intelligence, Managing Privacy and Security, and Network Traffic Analysis: The Latest Work from the SEI

July 02, 2018 • Blog Post

Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in deep learning, cyber intelligence, interruption costs, digital footprints on social...

read

Infrastructure as Code: Moving Beyond DevOps and Agile

June 11, 2018 • Blog Post

John Klein

Citing the need to provide a technical advantage to the warfighter, the Department of Defense (DoD) has recently made the adoption of cloud computing technologies a priority. Infrastructure as code (IaC), the process and technology of managing and provisioning computers...

read

Analysis: System Architecture Virtual Integration Nets Significant Savings

May 07, 2018 • Blog Post

Peter Feiler

The size of aerospace software, as measured in source lines of code (SLOC), has grown rapidly. Airbus and Boeing data show that SLOC have doubled every four years. The current generation of aircraft software exceeds 25 million SLOC (MSLOC). These...

read

Static Analysis Alert Test Suites as a Source of Training Data for Alert Classifiers

April 30, 2018 • Blog Post

Lori Flynn

Numerous tools exists to help detect flaws in code. Some of these are called flaw-finding static analysis (FFSA) tools because they identify flaws by analyzing code without running it. Typical output of an FFSA tool includes a list of alerts...

read

View More Publications

History of Innovation at the SEI in Software Engineering and Information Assurance

The SEI has performed innovative research in software and information assurance for almost 30 years that has benefited government, industry, and academia. Learn more about a few of the highlights.

2014

Attacking Software Vulnerabilities

In 2014, the SEI CERT Division introduced the Tapioca tool to check Android apps for vulnerabilities. In the first year of use, Tapioca was used to check more than 1 million Android apps.

Read the Story

2003

Standardizing More Secure Software

Since forming its Secure Coding Initiative in 2003, the SEI CERT Division has analyzed and cataloged thousands of software vulnerabilities and discovered that many share the same coding errors.

Read the Story

2002

Tailoring Risk Management Practice

Since the 1990s, SEI risk research has shaped standards for software risk management, enabling program managers in software-intensive programs to identify what could go wrong and mitigate those risks.

Read the Story

1989

Building the Master of Software Engineering Curriculum

During the early years of curriculum development in software engineering, the SEI held a workshop for leading software engineering educators to design a recommended curriculum for a software engineering degree.

Read the Story