Software Engineering Institute (SEI) Podcast Series

One caveat of outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust they will do the right thing with their data.In this podcast, Matt Butkovic, the Technical Manager of CERT's Cybersecurity Assurance Team, and John Haller, a member of Matt's team, discuss approaches for more effectively managing supply chain risks, focusing on risks arising from "external entities that provide, sustain, or operate Information and Communications Technology (ICT) to support your organization." This is sometimes referred to as third party or external dependency risk. Listen on Apple Podcasts.

In Department of Defense programs, a system of systems (SoS) is integrated to accomplish a number of missions that involve cooperation among individual systems. Understanding the activities conducted within each system and how they interoperate to accomplish the missions of the SoS is of vital importance. A mission thread is a sequence of end-to-end activities and events, given as a series of steps, that accomplish the execution of one or more capabilities that the SoS supports. However, listing the steps and describing them do not reveal all the important concerns associated with cooperation among the systems to accomplish the mission; understanding the architectural and engineering considerations associated with each mission thread is also essential. In this podcast, Michael Gagliardi introduces the Mission Thread Workshop (MTW), a facilitated, stakeholder-centric workshop whose purpose is to elicit and refine end-to-end quality attribute, capability, and engineering considerations for SoS mission threads. Listen on Apple Podcasts.

In this episode, the 11th in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the 11th principle: the best architectures, requirements, and designs emerge from self-organizing teams. Listen on Apple Podcasts.

This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop, and identifying improvements for future offerings. The Measuring What Matters Workshop introduces the Goal-Question-Indicator-Metric (GQIM) approach that enables users to derive meaningful metrics for managing cybersecurity risks from strategic and business objectives. This approach helps ensure that organizational leaders have better information to make decisions, take action, and change behaviors. Katie Stewart, Michelle Valdez, Lisa Young, and Julia Allen, the developers and facilitators of this workshop, are all members of CERT's Cyber Resilience Management team. Further details about this workshop can be found in our workshop report. Listen on Apple Podcasts.

In this episode, the tenth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the tenth principle: Simplicity—the art of maximizing the amount of work not done—is essential. Listen on Apple Podcasts.

Security vulnerabilities are defects that enable an external party to compromise a system. Our research indicates that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and hence improves software security. Some portion of security vulnerabilities (maybe over half of them) are also quality defects. Can quality defect models that predict quality results be applied to security to predict security results? Simple defect models focus on an enumeration of development errors after they have occurred and do not relate directly to operational security vulnerabilities, except when the cause is quality related. In this podcast, Carol Woody and Bill Nichols discuss how a combination of software development and quality techniques can improve software security. Listen on Apple Podcasts.

In this episode, the ninth in a series by Suzanne Miller and Mary Ann Lapham exploring the application of Agile principles in the Department of Defense, the two researchers discuss the application of the ninth principle: continuous attention to technical excellence and good design enhances Agile. Listen on Apple Podcasts.

The goal of any cybersecurity investment is to reduce the potential impact from cyber risk. Initial investments should be in capability development—the implementation of controls to protect and sustain operations that depend on technology. As capability increases, additional capability investments produce diminishing returns—the curve flattens. At that point, investment in cyber insurance becomes an efficient means to further reduce risk.In this podcast, Jim Cebula, the Technical Manager of CERT's Cybersecurity Risk Management Team, and David White, Chief Knowledge Officer with Axio Global, discuss cyber insurance, its potential role in reducing operational and cybersecurity risk, and how organizations are using it today. We also discuss ongoing CERT research on this topic. Listen on Apple Podcasts.

In 2013, the AADL Standards meeting was held at SEI headquarters in Pittsburgh, Pa. The SEI Podcast Series team was there, and we interviewed several members of the AADL Standards Committee. This podcast is the fourth in a series based on these interviews. Listen on Apple Podcasts.

Soldiers in battle or emergency workers responding to a disaster often find themselves in environments with limited computing resources, rapidly-changing mission requirements, high levels of stress, and limited connectivity, which are often referred to as "tactical edge environments." These types of scenarios make it hard to use mobile software applications that would be of value to soldiers or emergency personnel, including speech and image recognition, natural language processing, and situational awareness, because these computation-intensive tasks take a heavy toll on a mobile device's battery power and computing resources. Researchers in the Advanced Mobile Systems Initiative at the SEI focus on cyber foraging, which uses discoverable, forward-deployed servers to extend the capabilities of mobile devices by offloading battery-draining computations to these more powerful resources, or for staging data particular to a mission. In this podcast, Grace Lewis discusses five approaches that her team developed and tested for using tactical cloudlets as a strategy for providing infrastructure to support computation offload and data staging at the tactical edge. Listen on Apple Podcasts.