By Andrew P. Moore
CERT Insider Threat Team
Insider threat is the threat to organization’s critical assets posed by trusted
individuals - including employees, contractors, and business partners -
authorized to use the organization’s information technology systems.
Insider threat programs within an organization help to manage the risks
due to these threats through specific prevention, detection, and
response practices and technologies. The National Industrial Security Program Operating Manual (NISPOM),
which provides baseline standards for the protection of classified
information, is considering proposed changes that would require
contractors that engage with federal agencies, which process or access
classified information, to establish insider threat programs. The
proposed changes to the NISPOM were preceded by Executive
Order 13587, Structural Reforms to Improve the Security of Classified
Networks and the Responsible Sharing and Safeguarding of Classified
Information. Signed by President Obama in September 2011,
Executive Order 13587 requires federal agencies that operate or access
classified computer networks to implement insider threat detection and
By Will Hayes
Senior Member of the Technical Staff
Software Solutions Division
More and more, suppliers of software-reliant Department of Defense (DoD) systems are moving away from traditional waterfall development practices in favor of agile methods. As described in previous posts on this blog, agile methods are effective for shortening delivery cycles and managing costs. If the benefits of agile are to be realized effectively for the DoD, however, personnel responsible for overseeing software acquisitions must be fluent in metrics used to monitor these programs. This blog post highlights the results of an effort by researchers at the Carnegie Mellon University Software Engineering Institute to create a reference for personnel who oversee software development acquisition for major systems built by developers applying agile methods. This post also presents seven categories for tracking agile metrics.
By Mike Konrad Principal Researcher
SEI Software Solutions Division
As recent news attests, the rise of sociotechnical ecosystems (STE)—which, we define as a software system that engages a large and geographically-distributed community in a shared pursuit—allows us to work in a mind space and a data space that extends beyond anything that we could have imagined 20 or 30 years ago. STEs present opportunities for tackling problems that could not have even been approached previously because the needed experts and data are spread across multiple locations and distance. Since STEs can be complex and have many diverse stakeholders, a key challenge faced by those responsible for establishing and sustaining them is eliciting requirements to inform their development efforts. Yet stakeholders often have requirements that they are not aware of, so they do not specify them. Uncovering these unstated requirements can be hard and is not well-supported by traditional approaches to requirements elicitation. This blog post describes initial results of an effort by researchers at the Carnegie Mellon University Software Engineering Institute—in addition to myself, the team included Nancy Mead, Robert Stoddard, and Mary Beth Chrissis—aimed at developing an approach for determining the unstated needs of stakeholders typical of large, diverse programs and especially STEs.
By Neil Ernst
Member of the Technical Staff
Software Solutions Division
This post is co-authored by Stephany Bellomo
Continuous delivery practices, popularized in Jez Humble’s 2010 bookContinuous Delivery, enable rapid and reliable software system deployment by emphasizing the need for automated testing and building, as well as closer cooperation between developers and delivery teams. As part of the Carnegie Mellon University Software Engineering Institute's (SEI) focus on Agile software development, we have been researching ways to incorporate quality attributes into the short iterations common to Agile development. We know from existing SEI work on Attribute-Driven Design, Quality Attribute Workshops, and the Architecture Tradeoff Analysis Method that a focus on quality attributes prevents costly rework. Such a long-term perspective, however, can be hard to maintain in a high-tempo, Agile delivery model, which is why the SEI continues to recommend an architecture-centric engineering approach, regardless of the software methodology chosen. As part of our work in value-driven incremental delivery, we conducted exploratory interviews with teams in these high-tempo environments to characterize how they managed architectural quality attribute requirements (QARs). These requirements—such as performance, security, and availability—have a profound impact on system architecture and design, yet are often hard to divide, or slice, into the iteration-sized user stories common to iterative and incremental development. This difficulty typically exists because some attributes, such as performance, touch multiple parts of the system. This blog post summarizes the results of our research on slicing (refining) performance in two production software systems. We also examined the ratcheting (periodic increase of a specific response measure) of scenario components to allocate QAR work.
By Douglas C. Schmidt
As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in assuring software reliability, future architectures, Agile software teams, insider threat, and HTML5. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.