

Software Engineering Institute (SEI) Podcast Series
Members of Technical Staff at the Software Engineering Institute
The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.

May 24, 2018 • 28min
The Evolving Role of the Chief Risk Officer
In today's global business environment, risk management must be aligned to business strategy. As companies continue to shift their business models, strategies change and risk management becomes even more important. A company must find the right balance between risk resiliency and risk agility. The chief risk officer (CRO) role is an important catalyst to make that happen, so a company's long-term strategic objectives may be realized. The CRO Certificate Program is developed and delivered by Carnegie Mellon University's Heinz College of Information Systems and Public Policy, and the CERT Division of the Software Engineering Institute (SEI). In this podcast, Summer Fowler and Ari Lightman discuss the evolving role of the chief risk officer and a Chief Risk Officer Program. Listen on Apple Podcasts.

May 10, 2018 • 32min
Obsidian: A Safer Blockchain Programming Language
The Defense Advanced Research Projects Agency (DARPA) and other agencies are expressing significant interest in blockchain technology because it promises inherent transparency, resiliency, forgery-resistance, and nonrepudiation, which can be used to protect sensitive infrastructure. At the same time, numerous high-profile incidents of blockchain coding errors that cause major damage to organizations have raised serious concerns about blockchain adoption. In this podcast, Eliezer Kanal and Michael Coblenz discuss the creation of Obsidian, a novel programming language specifically tailored to secure blockchain software development that significantly reduces the risk of such coding errors. Listen on Apple Podcasts.

Apr 19, 2018 • 33min
Agile DevOps
DevOps breaks down software development silos to encourage free communication and constant collaboration. Agile, an iterative approach to development, emphasizes frequent deliveries of software. In this podcast, Eileen Wrubel, technical lead for the SEI's Agile-in-Government program, and Hasan Yasar, technical manager of the Secure Lifecycle Solutions Group in the SEI's CERT Division, discuss how Agile and DevOps can be deployed together to meet organizational needs. Listen on Apple Podcasts.

Mar 15, 2018 • 21min
Is Software Spoiling Us? Technical Innovations in the Department of Defense
This series of podcasts presents excerpts from a recent SEI virtual event, Is Software Spoiling Us? Jeff Boleng, acting chief technical officer, moderated the discussion, which featured a panel of SEI researchers: Grace Lewis, Eliezer Kanal, Joseph Yankel, and Satya Venneti. In this segment, the panel discusses technical innovations that can be applied to the Department of Defense including improved situational awareness, human-machine interactions, artificial intelligence, machine learning, data, and continuous integration and deployments. The panel also discusses barriers to implementing these technologies. Listen on Apple Podcasts.

Feb 8, 2018 • 17min
Is Software Spoiling Us? Innovations in Daily Life from Software
This series of podcasts presents excerpts from a recent SEI virtual event, Is Software Spoiling Us? Jeff Boleng, acting chief technical officer, moderated the discussion, which featured a panel of SEI researchers: Grace Lewis, Eliezer Kanal, Joseph Yankel, and Satya Venneti. In this podcast, the panel discusses awesome innovations in daily life that are made possible because of software. Listen on Apple Podcasts.

Feb 1, 2018 • 34min
How Risk Management Fits into Agile & DevOps in Government
DevOps, which breaks down software development silos to encourage free communication and constant collaboration, reinforces many Agile methodologies. Equally important, the Risk Management Framework provides a clearly defined framework that helps program managers incorporate security and risk management activities into the software and systems development life cycle. In this podcast, Eileen Wrubel, technical lead for the SEI's Agile-in-Government program, leads a roundtable discussion on how Agile, DevOps, and the Risk Management Framework can work together. The panelists include Tim Chick, Will Hayes, and Hasan Yasar. Listen on Apple Podcasts.

Dec 28, 2017 • 11min
5 Best Practices for Preventing and Responding to Insider Threat
Insider threat continues to be a problem, with approximately 50 percent of organizations experiencing at least one malicious insider incident per year, according to the 2017 U.S. State of Cybercrime Survey. Although the attack methods vary depending on the industry, the primary types of attacks identified by researchers at the CERT Insider Threat Center—theft of intellectual property, sabotage, fraud, and espionage—continue to hold true. In our work with public and private industry, we continue to see that insider threats are influenced by a combination of technical, behavioral, and organizational issues. In this podcast, Randy Trzeciak, technical manager of the CERT National Insider Threat Center, discusses the fifth edition of the Common Sense Guide to Mitigating Insider Threats, which highlights policies, procedures, and technologies to mitigate insider threats in all areas of an organization. Listen on Apple Podcasts.

Dec 12, 2017 • 10min
Pharos Binary Static Analysis: An Update
Pharos was created by the SEI CERT Division to automate the reverse engineering of binaries, with a focus on malicious code analysis. Pharos, which was recently released on GitHub, builds upon the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics, and more. In this podcast, the SEI CERT Division's Jeff Gennari discusses updates to the Pharos framework, including new tools, improvements, and bug fixes. Listen on Apple Podcasts.

Nov 30, 2017 • 24min
Positive Incentives for Reducing Insider Threat
In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor and constrain employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In this podcast, Andrew Moore and Dan Bauer highlight results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat: one that considers the impact of organizational behavior on insider motivations. In particular, positive incentives can complement traditional practices for insider threat defense in a way that can improve employee work life as well as more effectively reduce insider risk. Listen on Apple Podcasts.

Nov 16, 2017 • 21min
Mission-Practical Biometrics
Dr. Andrew Moore, who is the Dean of the School of Computer Science at CMU, predicted that 2016 would be a watershed year for machine emotional intelligence. Evidence of this can be seen in the Department of Defense, which increasingly relies on biometric data, such as iris scans, gait recognition, and heart-rate monitoring to protect against both cyber and physical attacks. Current state-of-the-art approaches do not make it possible to gather biometric data in real-world settings, such as border and airport security checkpoints, where people are in motion. In this podcast, Satya Venneti presents exploratory research undertaken by the SEI's Emerging Technology Center to design algorithms to extract heart rate from video capture of non-stationary subjects in real-time. Listen on Apple Podcasts.


