Entries for month: January 2012

The Latest Research from the SEI

Automated remediation , Architecture , Service-Oriented Architecture , Insider Threat , Resilience Management Model (RMM) 1 Comment »

By Douglas C. Schmidt
Visiting Scientist

As part of an ongoing effort to keep you informed about our latest work, I'd like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in insider threat, interoperability, service-oriented architecture, operational resilience, and automated remediation. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.


Developing an Architecture-Focused Measurement Framework for Managing Technical Debt

Agile , Technical Debt , Architecture 1 Comment »

By Ipek Ozkaya
Senior Member of the Technical Staff
Research, Technology, and System Solutions

Managing technical debt, which refers to the rework and degraded quality resulting from overly hasty delivery of software capabilities to users, is an increasingly critical aspect of producing cost-effective, timely, and high-quality software products. A delicate balance is needed between the desire to release new software capabilities rapidly to satisfy users and the desire to practice sound software engineering that reduces rework. A previous post described the practice of strategically managing technical debt related to software architecture, which involves deliberately postponing implementation of some architectural design choices to accelerate delivery of the system today and then rearchitecting at a later time. This blog post extends our prior post by discussing how an architecture-focused analysis approach helps manage technical debt by enabling software engineers to decide the best time to rearchitect—in other words, to pay down the technical debt.


The Need to Specify Requirements for Off-Nominal Behavior

Acquisition , Safety-Related Requirements , Security-Related Requirements No Comments »

By Donald Firesmith
Senior Member of the Technical Staff
Acquisition Support Program

Don FiresmithIn our work with acquisition programs, we’ve often observed a major problem: requirements specifications that are incomplete, with many functional requirements missing. Whereas requirements specifications typically specify normal system behavior, they are often woefully incomplete when it comes to off-nominal behavior, which deals with abnormal events and situations the system must detect and how the system must react when it detects that these events have occurred or situations exist. Thus, although requirements typically specify how the system must behave under normal conditions, they often do not adequately specify how the system must behave if it cannot or should not behave as normally expected. This blog post examines requirements engineering for off-nominal behavior.


Modeling Malware with Suffix Trees

CERT , Malware No Comments »

By Will Casey
Senior Researcher

Will CaseyThrough our work in cyber security, we have amassed millions of pieces of malicious software in a large malware database called the CERT Artifact Catalog. Analyzing this code manually for potential similarities and to identify malware provenance is a painstaking process. This blog post follows up our earlier post to explore how to create effective and efficient tools that analysis can use to identify malware.