Resilience, Model-Driven Engineering, Software Quality, and Android App Analysis – The Latest Research from the SEI

Android , Resilience Management Model (RMM) , Secure Coding No Comments »

By Douglas C. Schmidt
Principal Researcher

Douglas C. SchmidtAs part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in governing operational resilience, model-driven engineering, software quality, Android app analysis, software architecture, and emerging technologies. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.


DevOps in Government: Where To Start?

DevOps , DevOps Tips No Comments »

By Hasan Yasar
Technical Manager
Cyber Engineering Solutions Group

This post is the latest installment in a series aimed at helping organizations adopt DevOps.

Hasan YasarThe federal government continues to search for better ways to leverage the latest technology trends and increase efficiency of developing and acquiring new products or obtaining services under constrained budgets. DevOps is gaining more traction in many federal organizations, such as U.S. Citizenship and Immigration Services (USCIS), the Environmental Protection Agency (EPA), and the General Services Administration (GSA). These and other government agencies face challenges, however, when implementing DevOps with Agile methods and employing DevOps practices in every phase of the project lifecycle, including acquisition, development, testing, and deployment. A common mistake when implementing DevOps is trying to buy a finished product or an automated toolset, rather than considering its methods and the critical elements required for successful adoption within the organization. As described in previous posts on this blog, DevOps is an extension of Agile methods that requires all the knowledge and skills necessary to take a project from inception through sustainment and also contain project stakeholders within a dedicated team.


Model Driven Engineering: Automatic Code Generation and Beyond

Acquisition , Architecture , Architecture Analysis & Design Language (AADL) , Model-Based Engineering 2 Comments »

By John Klein,
Senior Member of the Technical Staff
Software Solutions Division

John KleinAcquisition executives in domains ranging from modernizing legacy business systems to developing real-time communications systems often face the following challenge:

Vendors claim that model-driven engineering (MDE) tools enable developers to generate software code automatically and achieve extremely high developer productivity.

Are these claims true? The simple answer might be, “Yes, the state of the practice can achieve productivity rates of thousands of function points and millions of lines of code per person-month using MDE tools for automatic code generation.” The complicated reality is that MDE consists of more than code generation tools; it is a software engineering approach that can impact the entire lifecycle from requirements gathering through sustainment. While one can make broad generalizations about these methods and tools, it is more useful to consider them in the context of a particular system acquisition. Aligning MDE methods and tool capabilities with the system acquisition strategy can improve system quality, reduce time to field, and reduce sustainment cost. On the other hand, when MDE methods and tools do not align with the acquisition strategy, using them can result in increased risk and cost in development and sustainment. This blog post highlights the application of MDE tools for automatic code generation (in the context of the full system lifecycle, from concept development through sustainment) and also provides a template that acquirers can use to collect information from MDE tool vendors.


Designing Security Into Software-Reliant Systems

No Comments »

By Christopher Alberts
Principal Engineer
CERT Division

Chris AlbertsSoftware is a growing component of systems used by Department of Defense (DoD), government, and industry organizations. As organizations become more dependent on software, security-related risks to their organizational missions are also increasing. Despite this rise in security risk exposure, most organizations follow a familiar pattern when managing those risks. They typically delay taking aggressive action to mitigate security risks until after a software-reliant system has been deployed (i.e., during the operation and maintenance of the system). This blog post highlights the Security Engineering Risk Analysis (SERA) Framework, a new approach developed by researchers in the CERT Division at the Carnegie Mellon University Software Engineering Institute to help organizations reduce operational security risks by proactively designing security controls into software-reliant systems (i.e., building security in up front, rather than retrofitting it as an afterthought). 


DevOps Case Study: Netflix and the Chaos Monkey

DevOps , DevOps Tips No Comments »

By C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate

This post is the latest installment in a series aimed at helping organizations adopt DevOps.

C. Aaron CoisDevOps can be succinctly defined as a mindset of molding your process and organizational structures to promote

  • business value
  • software quality attributes most important to your organization
  • continuous improvement

As I have discussed in previous posts on DevOps at Amazon and software quality in DevOps, while DevOps is often approached through practices such as Agile development, automation, and continuous delivery, the spirit of DevOps can be applied in many ways. In this blog post, I am going to look at another seminal case study of DevOps thinking applied in a somewhat out-of-the-box way: Netflix.