
    Software Engineering Institute (SEI) Podcast Series

    The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.
    414 Episodes


    Episodes (414)

    Applying Scientific Methods in Cybersecurity


    In this SEI Podcast, Dr. Leigh Metcalf and Dr. Jonathan Spring, both researchers with the Carnegie Mellon University Software Engineering Institute’s CERT Division, discuss the application of scientific methods to cybersecurity. In their recently published book, Using Science in Cybersecurity, Metcalf and Spring describe a common-sense approach and practical tools for applying scientific rigor to the field of cybersecurity.

    Zero Trust Adoption: Benefits, Applications, and Resources


    Zero trust adoption is a security initiative that an enterprise must understand, interpret, and implement. Enterprise security initiatives are never simple, and their goal to improve cybersecurity posture requires the alignment of multiple stakeholders, systems, acquisitions, and exponentially changing technology. This alignment is always a complex undertaking and requires cybersecurity strategy and engineering to succeed. In this SEI Podcast, Geoff Sanders, a senior network defense analyst in the CERT Division at Carnegie Mellon University's Software Engineering Institute, discusses zero trust adoption and its benefits, applications, and available resources.

    Uncertainty Quantification in Machine Learning: Measuring Confidence in Predictions


    In this SEI Podcast, Dr. Eric Heim, a senior machine learning research scientist at Carnegie Mellon University's Software Engineering Institute (SEI), discusses the quantification of uncertainty in machine-learning (ML) systems. ML systems can make wrong predictions and give inaccurate estimates for the uncertainty of their predictions. It can be difficult to predict when their predictions will be wrong. Heim also discusses new techniques to quantify uncertainty, identify causes of uncertainty, and efficiently update ML models to reduce uncertainty in their predictions. The work of Heim and colleagues at the SEI Emerging Technology Center closes the gap between the scientific and mathematical advances from the ML research community and the practitioners who use the systems in real-life contexts, such as software engineers, software developers, data scientists, and system developers.  

    11 Rules for Ensuring a Security Model with AADL and Bell–LaPadula


    In this SEI Podcast, Aaron Greenhouse, a senior architecture researcher with Carnegie Mellon University’s Software Engineering Institute, talks with principal researcher Suzanne Miller about use of the Bell–LaPadula mathematical security model in concert with the Architecture Analysis and Design Language (AADL) to model and validate confidentiality. Greenhouse and Miller also discuss 11 analysis rules that must be enforced over an AADL instance to ensure the consistency of a security model. Mapping Bell–LaPadula to AADL allows the expression of key concepts within the AADL model so that they can be analyzed automatically. 

     

    Benefits and Challenges of Model-Based Systems Engineering


    Nataliya (Natasha) Shevchenko and Mary Popeck, both senior researchers in the CERT Division at Carnegie Mellon University’s Software Engineering Institute, discuss the use of model-based systems engineering (MBSE), which, in contrast to document-centric engineering, puts models at the center of system design. MBSE is used to support the requirements, design, analysis, verification, and validation associated with the development of complex systems.

    Fostering Diversity in Software Engineering


    In this SEI Podcast, Grace Lewis hosts a panel discussion with Ipek Ozkaya, Nathan West, and Jay Palat about diversity in software engineering. The panelists, all researchers with the Carnegie Mellon University Software Engineering Institute, share their perspectives about their own experiences in the software engineering field, the value of diversity to enhance problem solving from multiple perspectives, and strategies for supporting and encouraging underrepresented groups to become involved in the field.

    Can DevSecOps Make Developers Happier?


    Author Daniel H. Pink recently examined the factors that lead to job satisfaction among knowledge workers and summarized them in three components: autonomy, skill mastery, and purpose. In this SEI Podcast, Hasan Yasar, technical director of Continuous Deployment of Capability at Carnegie Mellon University’s Software Engineering Institute, relates these components to DevSecOps and summarizes a recent survey affirming that DevSecOps practices do indeed make developers and other stakeholders in their organizations happier.

    Is Your Organization Ready for AI?


    In this SEI Podcast, digital transformation lead Dr. Rachel Dzombak and research scientist Carol Smith, both with the SEI’s Emerging Technology Center at Carnegie Mellon University, discuss how AI Engineering can help organizations implement AI systems. The conversation covers the steps that organizations need to take (as well as the hard conversations that need to occur) before they are AI ready.

    My Story in Computing with Marisa Midler


    In this SEI Podcast, the latest in the My Story in Computing series, Marisa Midler, a cybersecurity engineer in the SEI’s CERT Division, discusses her career path. After growing up on a farm in Pennsylvania, Midler graduated from college with a degree in communications and English writing and then traveled to Seattle and worked a variety of jobs, including as a bouncer at a Seattle night club. Midler returned to Pittsburgh to obtain a second bachelor’s degree in information science followed by a master’s degree in information security policy and management from Carnegie Mellon University. Throughout it all Midler has been guided by her mantra: never settle.

    Managing Vulnerabilities in Machine Learning and Artificial Intelligence Systems


    The robustness and security of artificial intelligence, and specifically machine learning (ML), is of vital importance. Yet ML systems are vulnerable to adversarial attacks, in which an attacker attempts to make the ML system learn the wrong thing (data poisoning), do the wrong thing (evasion attacks), or reveal the wrong thing (model inversion). Although there are several efforts to provide detailed taxonomies of the kinds of attacks that can be launched against a machine learning system, none are organized around operational concerns. In this podcast, Jonathan Spring, Nathan VanHoudnos, and Allen Householder, all researchers at the Carnegie Mellon University Software Engineering Institute, discuss the management of vulnerabilities in ML systems as well as the Adversarial ML Threat Matrix, which aims to close this gap between academic taxonomies and operational concerns.

    Moving from DevOps to DevSecOps


    DevSecOps is a set of principles and practices that provide faster delivery of secure software capabilities by improving the collaboration and communication between software development teams, IT operations, and security staff within an organization, as well as with acquirers, suppliers, and other stakeholders in the life of a software system. In this SEI podcast, Hasan Yasar, technical director of the Continuous Deployment of Capability group in the Software Solutions Division of the SEI, discusses the transition from DevOps to DevSecOps.

    My Story in Computing with Carol Smith


    Those who work in computing today bring a wide array of backgrounds and experiences to the profession. In this podcast, part of the My Story in Computing series, Carol Smith, who trained as a photojournalist, discusses how a love of telling people’s stories led to a career in human-computer interaction working in artificial intelligence with the SEI’s Emerging Technology Center.

    Digital Engineering and DevSecOps


    Digital engineering is an integrated digital approach that uses authoritative sources of systems data and models as a continuum across disciplines to support lifecycle activities from concept through disposal. With digital engineering, models are developed for everything, not just for software, but for all components of a system of systems, hardware and software. The models and associated data are stored in a singular repository of knowledge and are the single source that is used by all contractors and everyone working on the project. In this SEI Podcast, David Shepard, a researcher with the Carnegie Mellon University Software Engineering Institute, discusses digital engineering and its relationship with DevSecOps.

     

    A 10-Step Framework for Managing Risk


    Brett Tucker, a technical manager for cyber risk in the SEI CERT Division, discusses the Operationally Critical Threat, Asset, and Vulnerability Evaluation for the Enterprise (OCTAVE FORTE) Model, which helps organizations evaluate security risks and use principles of enterprise risk management to bridge the gap between executives and practitioners. In this SEI Podcast, Tucker outlines OCTAVE FORTE's 10-step framework to guide organizations in managing risk.

    7 Steps to Engineer Security into Ongoing and Future Container Adoption Efforts


    If organizations take more steps to address security-related activities now, they will be less likely to encounter security incidents in the future. When it comes to application containers, security is achieved through adopting a series of best practices and guidelines. In this SEI Podcast, Tom Scanlon and Richard Laughlin, researchers with the SEI's CERT Division, discuss seven steps that developers can take to engineer security into ongoing and future container adoption efforts.

    Ransomware: Evolution, Rise, and Response


    In this SEI Podcast, Marisa Midler and Tim Shimeall, network defense analysts within the SEI's CERT Division, discuss the growing problem of ransomware, including the rise of ransomware-as-a-service threats. Ransom payments from Quarter 3 of 2019 were on average $42,000, and in Quarter 1 of 2020, that average increased by $70,000 to $112,000. The volume of attacks also increased by 25 percent in Quarter 4 of 2019 and by another 25 percent in Quarter 1 of 2020. The sophistication of the attacks has increased alongside their severity. Midler and Shimeall discuss steps and strategies that organizations can adopt to minimize their exposure to the risks and threats associated with ransomware.

    VINCE: A Software Vulnerability Coordination Platform


    Software vulnerability coordination at the CERT Coordination Center (CERT/CC) has traditionally relied on a hub-and-spoke model, with reports submitted to analysts at the CERT/CC, who would then work to contact affected vendors. To scale communications and increase the level of collaboration between vulnerability reporters, coordinators, and software vendors, the CERT/CC team has created a web-based platform for software vulnerability reporting and coordination called the Vulnerability Information and Coordination Environment (VINCE). In this SEI Podcast, Emily Sarneso, the architect of VINCE, and Art Manion, technical manager of the Vulnerability Analysis Team in the SEI’s CERT Division, discuss the rollout of VINCE, how to use it, and future work in vulnerability coordination.


    © 2024 Podcastworld. All rights reserved
