Software Engineering Institute (SEI) Podcast Series

Dynamic network defense (or moving target defense) is based on a simple premise: a moving target is harder to attack than a stationary target. In recent years the government has invested substantially into moving target and adaptive cyber defense. This rapidly growing field has seen recent developments of many new technologies—defenses that range from shuffling of client-to-server assignments to protect against distributed denial-of-service (DDoS) attacks, to packet header rewriting, to rebooting servers. As researchers develop new technologies, they need a centralized reference platform where new technologies can be vetted to see where they complement each other and where they do not, as well as a standard against which future technologies can be evaluated. In this podcast, Andrew Mellinger, a senior software developer in the SEI's Emerging Technology Center discusses work to develop a platform to organize dynamic defenses. Listen on Apple Podcasts.

Cyber intelligence is the acquisition of information to identify, track, or predict the cyber capabilities and actions of malicious actors to offer courses of action to decision makers charged with protecting organizations. In this podcast, Jared Ettinger of the SEI's Emerging Technology Center (ETC) talks about the ETC's latest work in cyber intelligence as well as the Cyber Intelligence Research Consortium, which brings together organizations from a variety of sectors to exchange cyber intelligence ideas, participate in hands-on training activities, and learn about emerging cyber intelligence technologies from experts in the field. Listen on Apple Podcasts.

In this podcast, Peter Feiler describes a textual requirement specification language for the Architecture Analysis & Design Language (AADL) called ReqSpec. ReqSpec is based on the draft Requirements Definition and Analysis Language Annex, which defines a meta-model for requirement specification as annotations to AADL models. A set of plug-ins to the Open Source AADL Tool Environment (OSATE) toolset supports the ReqSpec language. Users can follow an architecture-led requirement specification process that uses AADL models to represent the system in its operational context as well as the architecture of the system of interest. ReqSpec can also be used to represent existing stakeholder and system requirement documents. Requirement documents represented in the Requirements Interchange Format can be imported into OSATE to migrate such documents into an architecture-centric virtual integration process. Finally, ReqSpec is an element of an architecture-led, incremental approach to system assurance. In this approach, requirements specifications are complemented with verification plans. When executed, these plans produce evidence that a system implementation satisfies the requirements. Listen on Apple Podcasts.

Whether you are a CISO, CISO equivalent, or have another title with organizational cybersecurity responsibilities, the role you play in your organization to protect and sustain the key information and technical assets needed to achieve the mission is critical in today's landscape of data breaches, nation-state hackers, and increased threats to the business. In this podcast, Darrell Keeling, Vice President of Information Security and HIPAA Security Officer at Parkview Health, discusses the knowledge, skills, and abilities needed to become a CISO in today's fast-paced cybersecurity field. Listen on Apple Podcasts.

To ensure software will function as intended and is free of vulnerabilities (aka software assurance), software engineers must consider security early in the lifecycle, when the system is being designed and architected. Recent research on vulnerabilities supports this claim: Nearly half the weaknesses identified in the Common Weakness Enumeration (CWE) repository have been identified as design weaknesses. These weaknesses are introduced early in the lifecycle and cannot be patched away in later phases. They result from poor (or incomplete) security requirements, system designs, and architecture choices for which security has not been given appropriate priority. Effective use of metrics and methods that apply systematic consideration for security risk can highlight gaps earlier in the lifecycle before the impact is felt and when the cost of addressing these gaps is less. In this podcast, Dr. Carol Woody explores the connection between measurement, methods for software assurance, and security. Listen on Apple Podcasts.

By the close of 2016, annual global IP traffic will pass the zettabyte ([ZB]; 1000 exabytes [EB]) threshold and will reach 2.3 ZBs per year by 2020, according to Cisco's Visual Networking Index. While capturing and evaluating network traffic enables defenders of large-scale organizational networks to generate security alerts and identify intrusions, operators of networks with even comparatively modest size struggle with building a full, comprehensive view of network activity. To make wise security decisions, operators need to understand the mission activity on their network and the threats to that activity (referred to as network situational awareness). In this podcast, Timothy Shimeall discusses approaches for analyzing network security using and going beyond network flow data to gain situational awareness to improve security. Listen on Apple Podcasts.

In this podcast, Girish Seshagiri discusses a two-year community college software assurance program that he developed and facilitated with SEI Fellow Nancy Mead at Illinois Community College. The two-year degree program in secure software development, which is based on the SEI's software assurance curriculum, is the result of a collaboration between Central Illinois Center of Excellence for Secure Software and Illinois Central College. The program, which also incorporates an apprenticeship model, was developed in response to industry needs. Listen on Apple Podcasts.

Internet-connected devices—from cars, insulin pumps, and baby monitors to thermostats and coffee makers—are growing in number and complexity. Most of these Internet of Things (IoT) devices weren't built with connectivity and security in mind, leaving them vulnerable to attacks. In this podcast, CERT researcher Art Manion discusses work that his team is doing with the Department of Homeland Security to examine and secure IoT devices. Listen on Apple Podcasts.

The position of SEI Fellow is awarded to people who have made an outstanding contribution to the work of the SEI and from whom the SEI leadership may expect valuable advice for continued success in the institute's mission. Nancy Mead, a principal researcher in the SEI's CERT Division, was named an SEI Fellow in 2013. This podcast is the first in a series highlighting interviews with SEI Fellows. Listen on Apple Podcasts.

Safety-critical software must be analyzed and checked carefully. Each potential error, failure, or defect must be considered and evaluated before you release a new product. For example, if you are producing a quadcopter drone, you would like to know the probability of engine failure to evaluate the system's reliability. Safety analysis is hard. Standards such as ARP4761 mandate several analyses, such as Functional Hazard Assessment and Failure Mode and Effect Analysis. One popular type of safety analysis is Fault Tree Analysis (FTA), which provides a graphical representation of all contributors to a failure (e.g., error events and propagations). In this podcast, Julien Delange discusses the concepts of the FTA and introduce a new tool to design and analyze fault trees. Listen on Apple Podcasts.