Continuous Integration in DevOps

Categories: DevOps

By C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate

This blog post is the third in a series on DevOps, a software development approach that breaks down barriers between development and operations staff to ensure more effective, efficient software delivery.

When Agile software development models were first envisioned, a core tenet was to iterate more quickly on software changes and determine the correct path via exploration—essentially, striving to “fail fast” and iterate to correctness as a fundamental project goal. The reason for this process was a belief that developers lacked the information needed to correctly define long-term project requirements at the onset of a project, due to an inadequate understanding of the customer and an inability to anticipate a customer’s evolving needs. Recent research supports this reasoning by continuing to highlight disconnects between planning, design, and implementation in the software development lifecycle. This blog post highlights continuous integration as a way to avoid those disconnects and mitigate risk in software development projects.


Development with Docker

Categories: DevOps, Weekly DevOps

By Joe Yankel
Member of the Technical Staff
CERT Cyber Security Solutions Directorate

This post is the latest installment in a weekly series aimed at helping organizations adopt DevOps.

In our last post, DevOps and Docker, I introduced Docker as a tool to develop and deploy software applications in a controlled, isolated, flexible, and highly portable infrastructure. In this post, I am going to show you how easy it is to get started with Docker. I will dive in and demonstrate how to use Docker containers in a common software development environment by launching a database container (MongoDB) and a web service container (a Python Bottle app), and configuring them to communicate to form a functional multi-container application. If you haven’t learned the basics of Docker yet, you should go ahead and try out their official tutorial here before continuing.


Software Assurance, Social Networking Tools, Insider Threat, and Risk Analysis—The Latest Research from the SEI

Categories: Insider Threat, Insider Threat Patterns, Software Assurance

By Douglas C. Schmidt
Principal Researcher

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in software assurance, social networking tools, insider threat, and the Security Engineering Risk Analysis Framework (SERA). This post includes a listing of each report, its author(s), and links where the published reports can be accessed on the SEI website.


DevOps and Docker

Categories: DevOps, Weekly DevOps

By Joe Yankel
Member of the Technical Staff
CERT Cyber Security Solutions Directorate

This post is the latest installment in a weekly series aimed at helping organizations adopt DevOps.

Docker is quite the buzz in the DevOps community these days, and for good reason. Docker containers provide the tools to develop and deploy software applications in a controlled, isolated, flexible, highly portable infrastructure. Docker offers substantial benefits to scalability, resource efficiency, and resiliency, as we’ll demonstrate in this posting and upcoming postings in the DevOps blog.


Is Your Organization Ready for Agile?

Categories: Agile, Readiness & Fit Analysis

By Suzanne Miller
Principal Researcher
Software Solutions Division

This blog post is the sixth in a series on Agile adoption in regulated settings, such as the Department of Defense, Internal Revenue Service, and Food and Drug Administration.

"Across the government, we’ve decreased the time it takes across our high-impact investments to deliver functionality by 20 days over the past year alone. That is a big indicator that agencies across the board are adopting agile or agile-like practices," Lisa Schlosser, acting federal chief information officer, said in a November 2014 interview with Federal News Radio. Schlosser based her remarks on data collected by the Office of Management and Budget (OMB) over the last year. In 2010, the OMB issued guidance calling on federal agencies to employ “shorter delivery time frames, an approach consistent with Agile” when developing or acquiring IT. As evidenced by the OMB data, Agile practices can help federal agencies and other organizations design and acquire software more effectively, but they need to understand the risks involved when contemplating the use of Agile. This ongoing series on Readiness & Fit Analysis (RFA) focuses on helping federal agencies and other organizations in regulated settings understand the risks involved when contemplating or embarking on a new approach to developing or acquiring software. Specifically, this blog post, the sixth in the series, explores system attributes that organizations should consider when adopting Agile.


Supply Chain and External Dependencies Risk Management

Categories: Cyber Risk and Resilience Management, Risk Management, Supply Chain Assurance, Supply Chain Risk Management

By John Haller
Senior Member of the Technical Staff
CERT Division

Attacks and disruptions to complex supply chains for information and communications technology (ICT) and services are increasingly gaining attention. Recent incidents, such as the Target breach, the HAVEX series of attacks on the energy infrastructure, and the recently disclosed series of intrusions affecting DoD TRANSCOM contractors, highlight supply chain risk management as a cross-cutting cybersecurity problem. This risk management problem goes by different names, for example, Supply Chain Risk Management (SCRM) or Risk Management for Third Party Relationships. The common challenge, however, is having confidence in the security practices and processes of entities on which an organization relies, when the relationship with those entities may be, at best, an arms-length agreement. This blog post highlights supply chain risks faced by the Department of Defense (DoD), federal civilian agencies, and industry; argues that these problems are more alike than different across these sectors; and introduces practices to help organizations better manage these risks.


The 2014 Year in Review: Top 10 Blog Posts

Categories: Agile, Android, Big Data, DevOps, Malware, Secure Coding

By Douglas C. Schmidt
Principal Researcher

In 2014, the SEI blog has experienced unprecedented growth, with visitors in record numbers learning more about our work in big data, secure coding for Android, malware analysis, Heartbleed, and V Models for Testing. In 2014 (through December 21), the SEI blog logged 129,000 visits, nearly double the entire 2013 yearly total of 66,757 visits. As we look back on the last 12 months, this blog posting highlights our 10 most popular blog posts (based on the number of visits). As we did with our mid-year review, we include links to additional related resources that readers might find of interest. We also grouped posts by research area to make it easier for readers to learn about related areas of work.


DevOps and Your Organization: Where to Begin

Categories: DevOps, Weekly DevOps

By C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate

This post is the latest in a weekly series to help organizations implement DevOps.

On the surface, DevOps sounds great. Automation, collaboration, efficiency—all things you want for your team and organization. But where do you begin? DevOps promises a high return on investment in exchange for a significant shift in culture, process, and technology. Substantially changing any one of those things in an established organization can feel like a superhuman feat. So, how can you start your organization on the path to DevOps without compromising your existing business goals and trajectories?
