Is Your Organization Ready for Agile?

Agile , Readiness & Fit Analysis No Comments »

By Suzanne Miller
Principal Researcher
Software Solutions Division

This blog post is the sixth in a series on Agile adoption in regulated settings, such as the Department of Defense, Internal Revenue Service, and Food and Drug Administration.

Suzanne Miller "Across the government, we’ve decreased the time it takes across our high-impact investments to deliver functionality by 20 days over the past year alone. That is a big indicator that agencies across the board are adopting agile or agile-like practices," Lisa Schlosser, acting federal chief information officer, said in a November 2014 interview with Federal News Radio. Schlosser based her remarks on data collected by the Office of Management and Budget (OMB) over the last year. In 2010, the OMB issued guidance calling on federal agencies to employ “shorter delivery time frames, an approach consistent with Agile” when developing or acquiring IT. As evidenced by the OMB data, Agile practices can help federal agencies and other organizations design and acquire software more effectively, but they need to understand the risks involved when contemplating the use of Agile. This ongoing series on Readiness & Fit Analysis (RFA) focuses on helping federal agencies and other organizations in regulated settings understand the risks involved when contemplating or embarking on a new approach to developing or acquiring software. Specifically, this blog post, the sixth in a series, explores issues related to system attributes organizations should consider when adopting Agile.

Read more...

Supply Chain and External Dependencies Risk Management

Cyber Risk and Resilience Management , Risk Management , Supply Chain Assurance , Supply Chain Risk Management No Comments »

By John Haller
Senior Member of the Technical Staff
CERT Division

John Haller Attacks and disruptions to complex supply chains for information and communications technology (ICT) and services are increasingly gaining attention. Recent incidents, such as the Target breach, the HAVEX series of attacks on the energy infrastructure, and the recently disclosed series of intrusions affecting DoD TRANSCOM contractors, highlight supply chain risk management as a cross-cutting cybersecurity problem. This risk management problem goes by different names, for example, Supply Chain Risk Management (SCRM) or Risk Management for Third Party Relationships. The common challenge, however, is having confidence in the security practices and processes of entities on which an organization relies, when the relationship with those entities may be, at best, an arms-length agreement. This blog post highlights supply chain risks faced by the Department of Defense (DoD), federal civilian agencies, and industry; argues that these problems are more alike than different across these sectors; and introduces practices to help organizations better manage these risks.  

Read more...

The 2014 Year in Review: Top 10 Blog Posts

Agile , Android , Big Data , DevOps , Malware , Secure Coding No Comments »

By Douglas C. Schmidt 
Principal Researcher

Douglas C. Schmidt In 2014, the SEI blog has experienced unprecedented growth, with visitors in record numbers learning more about our work in big datasecure coding for Androidmalware analysisHeartbleed, and V Models for Testing. In 2014 (through December 21), the SEI blog logged 129,000 visits, nearly double the entire 2013 yearly total of 66,757 visits. As we look back on the last 12 months, this blog posting highlights our 10 most popular blog posts (based on the number of visits). As we did with our mid-year review, we will include links to additional related resources that readers might find of interest. We also grouped posts by research area to make it easier for readers to learn about related areas of work. 

Read more...

DevOps and Your Organization: Where to Begin

DevOps , Weekly DevOps No Comments »

C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate
This post is the latest in a weekly series to help organizations implement DevOps.

C. Aaron CoisOn the surface, DevOps sounds great. Automation, collaboration, efficiency—all things you want for your team and organization. But where do you begin? DevOps promises high return on investment in exchange for a significant shift in culture, process, and technology. Substantially changing any one of those things in an established organization can feel like a superhuman feat. So, how can you start your organization on the path to DevOps without compromising your existing business goals and trajectories?

Read more...

Managing Model Complexity

Architecture , Model-Based Engineering No Comments »

By Julien Delange
Member of the Technical Staff
Software Solutions Division

Julien Delange Over the years, software architects and developers have designed many methods and metrics to evaluate software complexity and its impact on quality attributes, such as maintainability, quality, and performance. Existing studies and experiences have shown that highly complex systems are harder to understand, maintain, and upgrade. Managing software complexity is therefore useful, especially for software that must be maintained for many years. To generate the complexity metrics, tools extract applicable data—such as source lines of code, cohesion, coupling, and more—from binary or source code to analyze the software and report its complexity and quality. Several tools support these techniques and help stakeholders manage the evolution of system development, provide quality improvements, prevent lack of cohesion, and perform other tasks. To date, such approaches have been successfully used in many projects, but as system development moves toward model-based engineering, these methods, metrics, and tools might not be sufficient to manage model complexity. This blog post details the state of the art for reporting model complexity and introduces research underway at the SEI in this area.

Read more...