Entries for month: April 2012

Towards Common Operating Platform Environments

Architecture , Common Operating Platform Environments (COPEs) No Comments »

Part 1: Doing More for Less
By Douglas C. Schmidt,
Principal Researcher

Douglas C. SchmidtMission-critical operations in the Department of Defense (DoD) increasingly depend on complex software-reliant systems-of-systems (abbreviated as “systems” below). These systems are characterized by a rapidly growing number of connected platforms, sensors, decision nodes, and people. While facing constrained budget, expanded threat, and engineering workforce challenges, the DoD is trying to obtain greater efficiency and productivity in defense spending needed to acquire and sustain these systems. This blog posting—the first in a three-part series—motivates the need for DoD common operating platform environments that can help collapse today’s stove-piped solutions to decrease costs, spur innovation, and increase acquisition and operational performance.

Read more...

Developing Controls to Prevent Theft of Intellectual Property

Insider Threat , CERT 2 Comments »

By Randy Trzeciak,
Senior Member of the Technical Staff
The CERT Program

Randy TrzeciakAccording to the 2011 CyberSecurity Watch Survey, approximately 21 percent of cyber crimes against organizations are committed by insiders. Of the 607 organizations participating in the survey, 46 percent stated that the damage caused by insiders was more significant than the damage caused by outsiders. Over the past 11 years, CERT Insider Threat researchers have collected incidents related to malicious activity by insiders obtained from a number of sources, including media reports, the courts, the United States Secret Service, victim organizations, and interviews with convicted felons. From these cases, four patterns of insider threat behavior have been identified: (1) information technology (IT) sabotage, (2) fraud, (3) national security/espionage, and (4) theft of intellectual property (IP). From those patterns, our researchers developed controls that combine technological tools with behavioral indicators to identify employees at risk for committing cyber crimes. These tools and indicators provide those who monitor networks a better warning of potential anomalous behavior. This blog posting—the first in a series highlighting controls developed by the CERT Insider Threat Center—explores controls developed to prevent, identify, or detect IP theft.

Read more...

Thread Role Analysis

Concurrency Analysis No Comments »

By Dean Sutherland
Senior Member of the Technical Staff
The CERT Program

Dean SutherlandMany modern software systems employ shared-memory multi- threading and are built using software components, such as libraries and frameworks. Software developers must carefully control the interactions between multiple threads as they execute within those components. To manage this complexity, developers use information hiding to treat components as “black boxes” with known interfaces that explicitly specify all necessary preconditions and postconditions of the design contract, while using an appropriate level of abstraction to hide unnecessary detail. Many software component interfaces, however, lack explicit specification of thread-related preconditions. Without these specifications, developers must assume what the missing preconditions might be, but such assumptions are often incorrect. Failure to comply with the actual thread-related preconditions can yield subtle and pernicious errors (such as state corruption, deadlock, and security vulnerabilities) that are intermittent and hard to diagnose. This blog post, the first in a series, describes our ongoing research towards solving this problem for a variety of languages, including Java and C11.

Read more...

Rapid Lifecycle Development in an Agile Context

Acquisition , Agile , Architecture 13 Comments »

By Robert Nord,
Senior Member of the Technical Staff
Research, Technology, & System Solutions

Robert NordNew acquisition guidelines from the Department of Defense (DoD) aimed at reducing system lifecycle time and effort is encouraging the adoption of Agile methods. There is a general lack, however, of practical guidance on how to employ Agile methods effectively for DoD acquisition programs. This blog posting describes our research on providing software and systems architects with a decision making framework for reducing integration risk with Agile methods, thereby reducing the time and resources needed for related work.

Read more...

Improving Software Team Performance with TSP

Team Software Process (TSP) 1 Comment »

By Bill Nichols,
Senior Member of the Technical Staff
Software Engineering Process Management

Bill Nichols In his book Drive, Daniel Pink writes that knowledge workers want autonomy, purpose, and mastery in their work. A big problem with any change in processes is getting the people who do the work to change how they work. Too often, people are told what to do instead of being given the information, autonomy, and authority to analyze and adopt the new methods for themselves.  This posting—the first in a two-part series—describes a case study that shows how Team Software Process (TSP) principles allowed developers at a large bank to address challenges, improve their productivity, and thrive in an agile environment.

Read more...