Supply Chain and External Dependencies Risk Management

Cyber Risk and Resilience Management , Risk Management , Supply Chain Assurance , Supply Chain Risk Management No Comments »

By John Haller
Senior Member of the Technical Staff
CERT Division

John Haller Attacks and disruptions to complex supply chains for information and communications technology (ICT) and services are increasingly gaining attention. Recent incidents, such as the Target breach, the HAVEX series of attacks on the energy infrastructure, and the recently disclosed series of intrusions affecting DoD TRANSCOM contractors, highlight supply chain risk management as a cross-cutting cybersecurity problem. This risk management problem goes by different names, for example, Supply Chain Risk Management (SCRM) or Risk Management for Third Party Relationships. The common challenge, however, is having confidence in the security practices and processes of entities on which an organization relies, when the relationship with those entities may be, at best, an arms-length agreement. This blog post highlights supply chain risks faced by the Department of Defense (DoD), federal civilian agencies, and industry; argues that these problems are more alike than different across these sectors; and introduces practices to help organizations better manage these risks.  

Read more...

The 2014 Year in Review: Top 10 Blog Posts

Agile , Android , Big Data , DevOps , Malware , Secure Coding No Comments »

By Douglas C. Schmidt 
Principal Researcher

Douglas C. Schmidt In 2014, the SEI blog has experienced unprecedented growth, with visitors in record numbers learning more about our work in big datasecure coding for Androidmalware analysisHeartbleed, and V Models for Testing. In 2014 (through December 21), the SEI blog logged 129,000 visits, nearly double the entire 2013 yearly total of 66,757 visits. As we look back on the last 12 months, this blog posting highlights our 10 most popular blog posts (based on the number of visits). As we did with our mid-year review, we will include links to additional related resources that readers might find of interest. We also grouped posts by research area to make it easier for readers to learn about related areas of work. 

Read more...

DevOps and Your Organization: Where to Begin

DevOps , DevOps Tips No Comments »

C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate

This post is the latest in a series to help organizations implement DevOps.

C. Aaron CoisOn the surface, DevOps sounds great. Automation, collaboration, efficiency—all things you want for your team and organization. But where do you begin? DevOps promises high return on investment in exchange for a significant shift in culture, process, and technology. Substantially changing any one of those things in an established organization can feel like a superhuman feat. So, how can you start your organization on the path to DevOps without compromising your existing business goals and trajectories?

Read more...

Managing Model Complexity

Architecture , Model-Based Engineering No Comments »

By Julien Delange
Member of the Technical Staff
Software Solutions Division

Julien Delange Over the years, software architects and developers have designed many methods and metrics to evaluate software complexity and its impact on quality attributes, such as maintainability, quality, and performance. Existing studies and experiences have shown that highly complex systems are harder to understand, maintain, and upgrade. Managing software complexity is therefore useful, especially for software that must be maintained for many years. To generate the complexity metrics, tools extract applicable data—such as source lines of code, cohesion, coupling, and more—from binary or source code to analyze the software and report its complexity and quality. Several tools support these techniques and help stakeholders manage the evolution of system development, provide quality improvements, prevent lack of cohesion, and perform other tasks. To date, such approaches have been successfully used in many projects, but as system development moves toward model-based engineering, these methods, metrics, and tools might not be sufficient to manage model complexity. This blog post details the state of the art for reporting model complexity and introduces research underway at the SEI in this area.

Read more...

DevOps Technologies: Vagrant

DevOps , DevOps Tips No Comments »

By Tim Palko
Senior Member of the Technical Staff
CERT Cyber Security Solutions Directorate

This post is the latest in a series to help organizations implement DevOps.

Tim PalkoEnvironment parity is the ideal state where the various environments in which code is executed behave equivalently. The lack of environment parity is one of the more frustrating and tenacious aspects of software development. Deployments and development both fall victim to this pitfall too often, reducing stability, predictability, and productivity. When parity is not achieved, environments behave differently, which makes troubleshooting hard and can make collaboration seem impossible. This lack of parity is a burden for too many developers and operational staff.  Looking back on almost every problem I have seen in new production deployments, I find it hard to think of one issue that wasn't due in some part to lack of parity. For developers, this pain is felt when integrating and testing code.

Read more...