Why aren’t DoD Programs using static analysis as commercial firms do?
Watch Bob Schiela discuss "Why aren’t DoD Programs using static analysis as commercial firms do?"
Eliezer Kanal explains deep learning, a subfield of artificial intelligence, and how the SEI is conducting research to learn how it might be used to advance cybersecurity.
Watch SEI Researchers Andrew Kotov and John Klein respond to "Should a software architect be concerned with risk analysis?"
Watch SEI Researcher Ipek Ozkaya respond to "Do all systems have technical debt?"
Watch Bob Schiela and Jeff Boleng discuss "How can automated code repair help DoD with legacy code vulnerability analysis?"
Watch SEI Researchers Andrew Kotov and John Klein respond to "How do you integrate software architecture into Agile/DevOps environments?"
Here at the Software Engineering Institute, we have created a new tool prototype that helps explore a system’s design tradespace. The tradespace is the possible combinations of system software, hardware, and configuration options. Our prototype – which combines previous work here at the SEI with software developed at Penn State University – enables system designers to evaluate design options in the tradespace rapidly and automatically. You can find more on guided design tradespace exploration in these SEI resources:
SEI Cyber Minutes video • Safety-Critical Design by Shopping -- https://www.youtube.com/watch?v=M8hcV...
Poster • Guided Architecture Trade Space Exploration for Safety-Critical Software Systems -- https://resources.sei.cmu.edu/library...
Blog • AADL: Four Real-World Perspectives -- https://insights.sei.cmu.edu/sei_blog... real-world-perspectives.html
https://insights.sei.cmu.edu/sei_blog... moving-cloud-computing-to-the-edge.html
Pat Place discusses the forces that influence how often your organization is able to perform system updates.
Manually fixing coding errors is time-consuming and costly. As a result, teams charged with making the fixes can eliminate only a few vulnerabilities, and fixing errors often breaks working code, adding unwanted delay in testing. The SEI has developed a tool to detect and automatically repair integer overflow and reads of stale sensitive data, two pervasive software flaws. You can find more on SEI’s technique for automated code repair in “Inference of Memory Bounds: Preventing the Next Heartbleed” at https://insights.sei.cmu.edu/sei_blog....
For more information, write to info@sei.cmu.edu.
Watch Hasan Yasar discuss how to "Build Secure Applications with DevSecOps." DevSecOps is a model for integrating the software development and operations processes that considers security activities throughout the DevOps pipeline and practices collaboration and communication among software development teams, IT operations staff, acquirers, suppliers, security teams, and other stakeholders in the lifecycle of a software system.
Rob Cunningham discusses the promise of Quantum Computing and highlights some of the remaining scientific and engineering challenges.
Watch SuZ Miller discuss four things for government acquisition agents to include or watch for as they prepare a request for proposal that will attract bidders who work using Agile and lean principles.
Malfaces from the Software Engineering Institute is a two-tool process that visualizes similarities between malware input files. The first tool uses binary code comparison techniques and a transform function to determine which input files match. Then, using statistical analysis, the second tool draws Chernoff faces for each file and delivers an estimate of how many unique programs are in the input files set. Together, these tools reduce file analysis to a differential analysis task—saving time and money in reverse engineering after a cyber incident. You can find more on the Malfaces concept in “This Malware Looks Familiar: Laymen Identify Malware Run-time Similarity with Chernoff faces and Stick Figures” at http://eudl.eu/doi/10.4108/eai.22-3-2017.152417
Alex Corn describes how SQL injection can occur and how you can prevent attackers from exploiting these potentially serious vulnerabilities.
SQL injection vulnerabilities are common, and attackers can use them to carry out harmful attacks. This SEI Cyber Minute explains how these attacks can be prevented by using database abstraction libraries or prepared statements.