Entries for month: August 2013

Is Your Organization Ready for Agile?

Agile , Readiness & Fit Analysis 5 Comments »

Third Installment in a Series on Agile Adoption
By Suzanne Miller
Senior Member of the Technical Staff
Software Solutions Division

Suzanne Miller In our work with the Department of Defense (DoD) and other government agencies such as the U.S. Department of Veteran Affairs and the  U.S. Department of the Treasury, we often encounter organizations that have been asked by their government program office to adopt agile methods. These are organizations that have traditionally utilized a “waterfall” life cycle model (as epitomized by the engineering “V” charts) and are accustomed to being managed via a series of document-centric technical reviews that focus on the evolution of the artifacts that describe the requirements and design of the system rather than its evolving implementation, as is more common with agile methods. After the program office and contractor are trained, they realize that there is more to an agile approach than frequent, small iterations and daily standup meetings.  As a result, they struggle to adopt agile practices. This post is part of an ongoing series on the Readiness & Fit Analysis (RFA) approach, which helps organizations understand the risks involved when contemplating or embarking on the adoption of new practices, in this case agile methods. This posting continues our exploration of organizational culture, one of the most challenging factors to assess when considering agile adoption readiness.

Read more...

A Strategic Approach to Software Assurance

Software Assurance No Comments »

By Mike McLendon,
Associate Director
Software Solutions Division

Mike McLendonSoftware is the principal, enabling means for delivering system and warfighter performance across a spectrum of Department of Defense (DoD) capabilities. These capabilities span the spectrum of mission-essential business systems to mission-critical command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) systems to complex weapon systems. Many of these systems now operate interdependently in a complex net-centric and cyber environment. The pace of technological change continues to evolve along with the almost total system reliance on software. This blog posting examines the various challenges that the DoD faces in implementing software assurance and suggests strategies for an enterprise-wide approach.

Read more...

Assurance Cases and Confidence

Assurance Cases No Comments »

Charles B. Weinstock
Senior Member of the Technical Staff
Software Solutions Division

Chuck WeinstockFrom the braking system in your automobile to the software that controls the aircraft that you fly in, safety-critical systems are ubiquitous. Showing that such systems meet their safety requirements has become a critical area of work for software and systems engineers. “We live in a world in which our safety depends on software-intensive systems,” editors of IEEE Software wrote in the magazine’s May/June issue. “Organizations everywhere are struggling to find cost-effective methods to deal with the enormous increase in size and complexity of these systems, while simultaneously respecting the need to ensure their safety.” The Carnegie Mellon Software Engineering Institute (SEI) is addressing this issue with a significant research program into assurance cases. Our sponsors are regularly faced with assuring that complex software-based systems meet certain kinds of requirements such as safety, security, and reliability. In this post, the first in a series on assurance cases and confidence, I will introduce the concept of assurance cases and show how they can be used to argue that a safety requirement (or other requirement such as security) has been met.

Read more...

A Multi-Dimensional Approach to Insider Threat

Insider Threat Patterns , Insider Threat No Comments »

By David Mundie
Senior Member of the Technical Staff
CERT Division

David MundieResearchers on the CERT Division’s insider threat team have presented several of the 26 patterns identified by analyzing our insider threat database, which is based on examinations of more than 700 insider threat cases and interviews with the United States Secret Service, victims’ organizations, and convicted felons. Through our analysis, we identified more than 100 categories of weaknesses in systems, processes, people, or technologies that allowed insider threats to occur. One aspect of our research focuses on identifying enterprise architecture patterns that organizations can use to protect their systems from malicious insider threat. Now that we’ve developed 26 patterns, our next priority is to assemble these patterns into a pattern language that organizations can use to bolster their resources and make them more resilient against insider threats. This blog post is the third installment in a series that describes our research to create and validate an insider threat mitigation pattern language to help organizations balance the cost of security controls with the risk of insider compromise.

Read more...