    SEI Shorts

    In these short videos, experts from the Software Engineering Institute (SEI) deliver informative snapshots of our latest research on the changing world of all things cyber. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.

    Episodes (102)

    A New Path to Verifiable Confidence

    In this SEI Cyber Minute, Bobbie Stempfley explains how in our increasingly complex world, the SEI is redefining approaches to security to address the transformative technologies being adopted throughout government and industry.

    November 05, 2019

    Agile Pitfall in Acquisition: The Bottom of the V

    Agile Pitfall in Acquisition: The Bottom of the V

    In this SEI Cyber Minute, Suzanne Miller explains a pitfall that can occur when trying to use Agile and Lean methods when developing and implementing complex, embedded systems. In such projects, development traditionally proceeds in a model shaped like a “V,” where the completion of requirements definition, architecture, and design occurs along the left branch of the “V” and leads to implementation at the bottom point. The right branch of the “V” then represents verification and validation activities. The difficulty is that these projects usually reap the benefits of the iterative, incremental aspects of Agile development only during implementation, after requirements, architecture, and design work are deemed to be finished. At that point, it becomes difficult to apply the lessons learned during implementation and to make necessary changes to the work that occurred before implementation began. Suzanne Miller explains the dynamics of this pitfall, and she describes a more agile and responsive mindset that teams can use to make sure they reap the benefits of Agile and Lean approaches throughout development. In addition, she shares reference material that can help interested parties learn more.

    Insider Threat Mitigation, We can help!

    Insider Threat Mitigation, We can help!

    September 2019 has been designated “National Insider Threat Awareness Month.” A number of federal agencies—including the FBI, Office of the Under Secretary of Defense for Intelligence, and Department of Homeland Security—have chosen September to spotlight the risks that insiders pose to national security.

    Since 2001, the SEI’s CERT Division has been helping government, industry, and academic entities identify and mitigate insider threats. The CERT Division’s research spans multiple domains, from the technical, including an exploration of tool sets for insider threat programs, to the behavioral and organizational, including a study on positive incentives for reducing insider threat in the workplace.

    Automating Alert Handling Reduces Manual Effort

    Automating Alert Handling Reduces Manual Effort

    Static analysis (SA) alerts about software code flaws require costly manual effort to validate (i.e., determine whether each alert is True or False) and repair. As a result, organizations often severely limit the types of alerts they manually examine to the types of code flaws they most worry about. That approach results in a tradeoff where many True flaws may never get fixed. To make alert handling more efficient, the SEI developed and tested novel software that enables the rapid deployment of a method to classify alerts automatically and accurately. We are implementing our solution in a new version of the SEI’s SCALe (Source Code Analysis Lab) application.

    SCAIFE: An Alert Auditing Classification Prototype

    SCAIFE: An Alert Auditing Classification Prototype

    In this SEI Cyber Minute, Ebonie McNeil explains how the Source Code Analysis Integrated Framework Environment (SCAIFE) prototype is intended to be used by developers and analysts who manually audit alerts.

    SCAIFE provides automatic alert classification using machine learning, which gives a level of confidence that the alert is true or false.

    The SCAIFE prototype also enables organizations to apply formulas that prioritize static analysis alerts by using factors they care about.

    Integrating Threat Modeling with the SERA Method

    Integrating Threat Modeling with the SERA Method

    Threat-modeling methods provide an approach for identifying possible threats to a system and mitigating them. In this SEI Cyber Minute, Chris Alberts discusses the Security Engineering Risk Analysis (SERA) Method and the threats and risks that organizations can use it to model and plan for. In addition, Chris discusses the threat-modeling methods the SEI recently integrated into the SERA Method.

    Using Confidence Maps

    Using Confidence Maps

    Chuck Weinstock introduces confidence maps and explains how they work to determine how much confidence someone can have in a claim.

    Confidence maps collect arguments or doubts about a claim, to which one can then apply a process of elimination to establish how much confidence someone can have that the claim is true. This SEI Cyber Minute gives an example that provides a practical explanation of the information that confidence maps take into consideration and how they work. It also provides a few examples of how the SEI has used them in the past to support certain projects.

    Natural Language Processing for Cybersecurity

    Natural Language Processing for Cybersecurity

    Elli Kanal describes the work that the SEI does to train computers to learn about stored content and find pertinent information without the help of an analyst.

    The Software Engineering Institute (SEI) works on projects that help computers (1) learn about the content that they store and (2) find pertinent information based on what they learn. One particular SEI project involves teaching computers to find clues in specification documents that can lead to the discovery of vulnerabilities without the help of analysts. This SEI Cyber Minute provides a quick overview of these kinds of projects and gives you information about how you can contact the SEI to collaborate on them.

    Moving Cloud Computing to the Tactical Edge

    Moving Cloud Computing to the Tactical Edge

    At the SEI, we built an implementation of tactical cloudlets that we call KD-Cloudlet. Soldiers, emergency workers, field researchers, medics – really anyone who needs to be a cyber forager for computing resources – can now use KD-Cloudlet to support mobile applications that:

    • contain computation-intensive code,
    • collect large amounts of data in the field, or
    • use large amounts of data in the cloud.

    KD-Cloudlet is freely available on GitHub: https://github.com/SEI-AMS/pycloud/

    Infrastructure as Code: Sustaining Your Legacy Applications

    Infrastructure as Code: Sustaining Your Legacy Applications

    The SEI has conducted research on the issues associated with sustaining legacy systems and migrating them, such as trying to sustain a system when there is a lack of documentation and minimal Infrastructure as Code. This SEI Cyber Minute describes a prototype that the SEI has developed in light of this research and how it functions to generate code that can be used by Infrastructure as Code tools to help organizations sustain and migrate their systems.

    Why Can’t All Contractors Do Agile the Same Way?

    Why Can’t All Contractors Do Agile the Same Way?

    Suzanne Miller discusses why the use of Agile methods can vary so much from one contractor to another.

    Because the Agile methodology is based on a set of principles, contractors sometimes apply Agile methods differently depending on the scope and nature of the work they’re doing. This SEI Cyber Minute explains why these variations occur when practicing Agile methods, and it discusses current work that aims to help organizations establish which variations of Agile are most useful and appropriate in government settings.

    The SEI, a DoD FFRDC

    The SEI, a DoD FFRDC

    Mary Catherine Ward explains the unique work that the SEI does for the Department of Defense as a federally funded research and development center (FFRDC). Federally funded research and development centers (FFRDCs) perform research to meet the specialized needs of the U.S. government.

    The SEI is an FFRDC sponsored by the Department of Defense and housed at Carnegie Mellon University. This SEI Cyber Minute explains the work that FFRDCs do for the government and how the SEI is unique in its support of the Department of Defense.

    Assuring Cyber-Physical Systems

    Assuring Cyber-Physical Systems

    Self-driving cars, drones, or missiles that use computer systems to interact with the physical world are examples of cyber-physical systems. As these systems become more complex and unpredictable, establishing confidence that they work correctly becomes challenging. To address these challenges, the Software Solutions Division of the SEI conducted research to develop programs that focus on enforcing that cyber-physical systems perform only safe actions. This SEI Cyber Minute explains how these programs work to prevent cyber-physical systems from violating their safety conditions, and how use of these programs can reduce development time and cost.

    Getting Your Agile Program Started

    Getting Your Agile Program Started

    Eileen Wrubel discusses getting your Agile program started.

    Agile relies on small batches of work and fast learning cycles, instead of specifying extensive big-batch requirements up front. Programs need to extend this thinking beyond the software they are building, to the development and acquisition processes themselves.

    Cross-Origin Resource Sharing (CORS)

    Cross-Origin Resource Sharing (CORS)

    Alex Corn discusses how cross-origin resource sharing (CORS) works to resolve network problems caused by same-origin policy, and how it should be configured.

    Same-origin policy is a feature of modern web browsers that restricts scripts hosted on one website from making calls to another website. While useful from a security perspective, this policy can restrict certain legitimate use cases in which there is no security threat. The best solution to allow those legitimate cases to function properly is to employ cross-origin resource sharing (CORS). This Cyber Minute discusses how CORS works and how it should be configured to avoid risk.