    The DoD’s Cybersecurity Maturity Model Certification and Process Maturity

    April 08, 2020

    About this Episode

    Andrew Hoover and Katie Stewart discussed the DoD’s new CMMC program. They gave a brief overview of CMMC followed by a deep dive into the Process Maturity aspect of the model. The webcast provided insight into how organizations can prepare for CMMC.

    Recent Episodes from Software Engineering Institute (SEI) Webcast Series

    Ask Us Anything: Supply Chain Risk Management

    According to the Verizon Data Breach Report, Log4j-related exploits have occurred less frequently over the past year. However, this Common Vulnerabilities and Exposures (CVE) flaw was originally documented in 2021. The threat still exists despite increased awareness. Over the past few years, the Software Engineering Institute (SEI) has developed guidance and practices to help organizations reduce threats to U.S. supply chains. In this webcast, Brett Tucker and Matthew Butkovic, answer your enterprise risk management questions to help your organization achieve operational resilience in the cyber supply chain.

    What attendees will learn:

    • Enterprise risk governance and how to assess an organization’s risk appetite and policy as they relate to and integrate cyber risks into a global risk portfolio
    • Regulatory directives on third-party risk
    • The agenda and topics to be covered in the upcoming CERT Cyber Supply Chain Risk Management Symposium in February

    The Future of Software Engineering and Acquisition with Generative AI

    We stand at a pivotal moment in software engineering, with artificial intelligence (AI) playing a crucial role in driving approaches poised to enhance software acquisition, analysis, verification, and automation. While generative AI tools initially sparked excitement for their potential to reduce errors, scale changes effortlessly, and drive innovation, concerns have emerged. These concerns encompass security risks, unforeseen failures, and issues of trust. Empirical research on generative AI development assistants reveals that productivity and quality gains depend not only on the sophistication of tools but also on task flow redesign and expert judgment.

    In this webcast, Software Engineering Institute (SEI) researchers will explore the future of software engineering and acquisition using generative AI technologies. They’ll examine current applications, envision future possibilities, identify research gaps, and discuss the critical skill sets that software engineers and stakeholders need to effectively and responsibly harness generative AI’s potential. Fostering a deeper understanding of AI’s role in software engineering and acquisition accentuates its potential and mitigates its risks.

    What Attendees Will Learn

    • how to identify suitable use cases when starting out with generative AI technology

    • the practical applications of generative AI in software engineering and acquisition

    • how developers and decision makers can harness generative AI technology

    Cyber Supply Chain Risk Management: No Silver Bullet

    Compliance standards, privileged access management, software bills of materials (SBOMs), maturity models, cloud services, vulnerability management, etc. The list of potential solutions to supply chain risk management (SCRM) challenges seems unending as much as it is daunting to address. In this webcast, Brett Tucker explores some of these solutions. More importantly, he renews an emphasis on using robust enterprise risk management to achieve operational resilience in the cyber supply chain.

    What attendees will learn

    • A means of decomposing strategic objectives and critical services into high-value assets that point to prioritization of limited risk response resources
    • Enterprise risk governance, appetite, and policy as they relate to and integrate cyber risks into a global risk portfolio
    • The application and impacts of Cybersecurity Maturity Model Certification (CMMC) and other regulatory directives on third-party risk
    • A kick-off announcement about the SEI CERT Supply Chain Risk Management Symposium to be held in February 2024

    Ask Us Anything: Generative AI Edition

    Generative AI (GenAI) has been around for decades, but the latest leap in progress, fueled by high-capability large language models (LLMs), image and video generators, and AI pair programmers, has captivated audiences across a variety of disciplines. What can GenAI do well? What are the risks and opportunities of using GenAI?

    SEI experts Doug Schmidt, Rachel Dzombak, Jasmine Ratchford, Matt Walsh, John Robert and Shing-hon Lau conducted a live question-and-answer session driven by the audience.

    Here’s what attendees will learn:

    • The risks and rewards of generative AI
    • The future of LLMs
    • SEI research in this area

    Evaluating Trustworthiness of AI Systems

    AI system trustworthiness is dependent on end users’ confidence in the system’s ability to augment their needs. This confidence is gained through evidence of the system’s capabilities. Trustworthy systems are designed with an understanding of the context of use and careful attention to end-user needs. In this webcast, SEI researchers discuss how to evaluate trustworthiness of AI systems given their dynamic nature and the challenges of managing ongoing responsibility for maintaining trustworthiness.

    What attendees will learn:

    • Basic understanding of what makes AI systems trustworthy
    • How to evaluate system outputs and confidence
    • How to evaluate trustworthiness to end users (and affected people/communities)

    Leveraging Software Bill of Materials Practices for Risk Reduction

    A Software Bill of Materials (SBOM) is a comprehensive list of software components involved in the development of a software product. While recently gaining attention in the context of security, SBOMs have limited value unless properly integrated into effective cyber risk management processes and practices. The SEI SBOM Framework compiles a set of leading practices for building an SBOM and using it to support risk reduction.

    The SEI SBOM Framework provides a roadmap for managing vulnerabilities and risks in third-party software, including commercial-off-the-shelf (COTS) software, government-off-the-shelf (GOTS) software, and open-source software (OSS). A set of use cases informed the identification of SBOM practices, including building an SBOM and using it to manage risks to software intensive systems. These foundational practices were augmented using key security management concepts, such as the need to address requirements, planning and preparation, infrastructure, and organizational support. In this webcast, Charles Wallen, Carol Woody, and Michael Bandor discuss how organizations can connect SBOMs to acquisition and development to support improved system and software assurance.

    Institutionalizing the Fundamentals of Insider Risk Management

    Insider threats pose an enduring, ever-evolving risk to an organization’s critical assets that requires enterprise-wide participation to manage effectively. Many organizations struggle to make critical tasks in insider risk management “stick,” relying on several crutches to drive temporary organizational change, only to see those changes come undone and have incidents slip through the cracks. In this webcast, we’ll discuss those crutches and identify themes of best practices observed over two decades of researching insider threat and building insider risk management programs that organizations can use to institutionalize key components of effective insider risk management.

    What attendees will learn:

    • How to identify drivers of change to an organization’s insider risk posture

    • How to differentiate between one-time and routine activities in the planning and implementation of an insider risk management program

    • How to measure the maturity of those routine activities

    What’s Wrong with ROI for Model-Based Analysis of Cyber-Physical Systems?

    In this webcast, Fred Schenker, Jerome Hugues, and Linda Parker Gates discuss the benefits of using a model-based approach to improve the design of a CPS’ embedded computing resources. This is accomplished by (1) building virtual architectural models of the CPS’ embedded computing resources early in the system development lifecycle and (2) using these models to predict computing system constraints and component integration issues. They will discuss the cultural resistance to adopting the model-based approach, and how established justification methods, e.g., Return on Investment, are being used to stifle the adoption. Finally, some alternatives to ROI will be proposed that would be more effective justification mechanisms.

    Will Rust Solve Software Security?

    The Rust programming language makes some strong claims about the security of Rust code. In this webcast, David Svoboda and Joe Sible will evaluate the Rust programming language from a cybersecurity perspective. They will examine Rust's security model, both in what it promises and its limitations. They will also examine how secure Rust code has been seen in practice and conclude with discussing the overall maturity and stability of the Rust ecosystem.

    What attendees will learn:

    • The Rust Security Model
    • Limitations of the Rust Security Model
    • Rust code in the current vulnerability ecosystem
    • Rust code stability and maturity

    Top 5 Challenges to Overcome on Your DevSecOps Journey

    Historically, a lot of discussion in software security focused on the project level, emphasizing code scanning, penetration testing, reactive approaches for incident response, and so on. Today, the discussion has shifted to the program level to align with business objectives. In the ideal outcome of such a shift, software teams would act in alignment with business goals, organizational risk, and solution architecture and would understand that security practices are integral to business success. However, the shift from project- to program-level thinking brings lots of challenges. In this webcast, Hasan Yasar and Joe Yankel discuss the top 5 challenges and barriers to implementing DevSecOps practices and describe some solutions for overcoming them.

    What attendees will learn:

    • The DevSecOps ecosystem and how it aligns with business objectives
    • The DevSecOps challenges and barriers
    • How to overcome the top 5 challenges
    • Practical solutions for your business needs
    • How your system architecture drives your DevSecOps ecosystem
    © 2024 Podcastworld. All rights reserved