By Douglas C. Schmidt
We use the SEI Blog to inform you about the latest work at the SEI, so this week I'm summarizing some video presentations recently posted to the SEI website from the SEI Technologies Forum. This virtual event held in late 2011 brought together participants from more than 50 countries to engage with SEI researchers on a sample of our latest work, including cloud computing, insider threat, Agile development, software architecture, security, measurement, process improvement, and acquisition dynamics. This post includes a description of all the video presentations from the first event, along with links where you can view the full presentations on the SEI website.
Paul Nielsen, director of the SEI, gave the opening remarks, which summarized the presentations in the SEI Technologies Forum, focusing on the SEI’s leadership role in software, security, and resiliency technologies and methods that help address the complexities of software-reliant systems. You can watch the opening presentation here.
My presentation described the SEI’s strategic plan to advance the practice of software engineering for the DoD, federal agencies, industry, and academia through research and technology transition. I motivated and summarized the following four major areas of software engineering and cyber security work at the SEI:
- Innovating software for competitive advantage. This area focuses on producing innovations that revolutionize development of assured software-reliant systems to maintain the U.S. competitive edge in software technologies vital to national security.
- Securing the cyber infrastructure. This area focuses on enabling informed trust and confidence in using information and communication technology to ensure a securely connected world to protect and sustain vital U.S. cyber assets and services in the face of full-spectrum attacks from sophisticated adversaries.
- Advancing disciplined methods for engineering software. This area focuses on improving the availability, affordability, and sustainability of software-reliant systems through data-driven models, measurement, and management methods to reduce the cost, acquisition time, and risk of our major defense acquisition programs.
- Accelerating assured software delivery and sustainment for the mission. This area focuses on ensuring predictable mission performance in the acquisition, operation, and sustainment of software-reliant systems to expedite delivery of technical capabilities to win the current fight.
You can watch a video of my presentation here. The remainder of this blog posting summarizes the forum presentations, which are grouped under the four major research areas outlined above.
Innovating Software for Competitive Advantage
The presentation on Architectural Implications of Cloud Computing by Grace Lewis defined cloud computing, explored different types of cloud computing environments, and described the drivers and barriers for cloud computing adoption. It also focused on examples of key cloud architecture and design decisions, such as data location and synchronization, user authentication models, and multi-tenancy support. This topic is important since cloud computing is being adopted by commercial, government, and Department of Defense (DoD) organizations, driven by a need to reduce the operational cost of their information technology resources.
From an engineering perspective, cloud computing is a distributed computing paradigm that focuses on providing a wide range of users with distributed access to virtualized hardware and/or software infrastructure over the internet. From a business perspective, it is the availability of computing resources that are scalable and billed on a usage basis (as opposed to acquired resources) that lead to potential cost savings in IT infrastructure. From a software architecture perspective, having resources in the cloud means that some elements of the software system will be outside the organization, and the control over these elements depends on technical aspects such as the provided resource interface, and on business aspects such as the service-level agreement (SLA) with the resource provider. Systems must therefore be designed and architected to account for lack of full control over important quality attributes. You can watch a video of Grace’s presentation here.
Ipek Ozkaya made a presentation on Agile Development and Architecture: Understanding Scale and Risk. This presentation examined tactics that can help identify and mitigate key risks of large-scale, complex software development when there is a need to use Agile development and architecture-centric practices in concert. This topic is important because Agile software development and software architecture practices have received increasing attention from both industry and government over the past decade. The complementary nature of Agile development and software architecture practices is also increasingly better recognized and appreciated. Applying Agile development with a concurrent focus on architecture, however, is still experimental and experiential rather than a proven practice based on sound engineering techniques. This presentation described how SEI researchers are helping organizations using Agile techniques deal with increased system software size and increased complexity in orchestrating larger engineering and development teams, to ensure that the systems they develop will be viable in the market for decades. You can watch a video of Ipek’s presentation here.
Securing the Cyber Infrastructure
A presentation by Randy Trzeciak on The Insider Threat: Lessons Learned from Actual Insider Attacks described the technical and behavioral aspects of insider threats, focusing on the types of insiders who committed the crimes, their motivation, organizational issues surrounding the incidents, methods of carrying out the attacks, impacts, and precursors that could have served as indicators to organizations in preventing incidents or detecting them earlier. It also conveys the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time. This presentation stemmed from a decade of work by the Insider Threat Center at CERT, which has been researching insider threats since 2001 and has built an extensive library and comprehensive database containing more than 700 actual cases of insider cybercrimes. This presentation describes findings from our analysis of three primary types of insider cybercrimes: IT sabotage, theft of information, and fraud. You can watch a video of Randy’s presentation here.
The Smart Grid Maturity Model: A Vision for the Future of Smart Grid presentation by David White offered insight into the past year’s use of the Smart Grid Maturity Model (SGMM), which is a management tool for the utility industry to plan a reliable, secure energy supply that is vital to our economy, our security, and our well-being. The smart grid represents a new framework for improved management of electricity generation, transmission, and distribution. With the support of the U.S. Department of Energy, the SEI is the steward of the SGMM. This presentation described the release of the SGMM V1.2 Product Suite and showed how utilities are working with the model. As more utilities around the globe participate and the SGMM experience base grows, the SGMM has become an increasingly valuable resource for helping inform the industry’s smart grid transformation. You can watch a video of David’s presentation here.
Julia Allen’s presentation was on Measuring Operational Resilience. This presentation suggested the strategic measures for an organization’s operational resilience management (ORM) program, which defines an organization’s strategic resilience objectives (such as ensuring continuity of critical services in the presence of a disruptive event) and resilience activities (such as the development and testing of service continuity plans). Traditional operational security metrics such as number of machines patched, vulnerability scan results, number of incidents, and number of staff trained are easy to collect and can be useful. If an organization’s objectives are to inform decisions, affect behavior, and determine control effectiveness in support of business objectives, however, they must consider a set of more strategic resilience measures. These ten strategic measures derive from lower-level measures at the CERT Resilience Management Model (RMM) process area level, including average incident cost by root cause type and number of breaches of confidentiality and privacy of customer information assets resulting from violations of provider access control policies. You can see a video of Julia’s presentation here.
Advancing Disciplined Methods for Engineering Software
CMMI-SVC: The Strategic Landscape for Service, by Eileen Forrester, described the current state of CMMI for Services (CMMI-SVC). It also explored the larger strategic choices available to organizations in markets where superior service can improve work and business results. CMMI-SVC is important because the global economy is increasingly based on services, rather than manufacturing or trading of tangible goods. Even the development of goods and systems increasingly takes on the character of services. Innovative CMMI-SVC approaches that are already working in the United States, Latin America, Asia, and Europe can be tailored to meet the needs of other organizations and markets. You can watch a video of Eileen’s presentation here.
James McHale gave A Brief Survey of the Team Software Process (TSP). This presentation briefly described training and introduction of TSP practices, including the Personal Software Process (PSP), the results and benefit potentials inherent in the methods, and the common use of TSP methods in combination with other popular practices, including Agile (Scrum, TDD, XP), architecture, secure coding, RUP, Six Sigma, and CMMI. TSP has been identified as one of the most effective practices for software developers by Capers Jones in his 2010 book Software Engineering Best Practices. You can see a video of James’s presentation here.
Accelerating Assured Software Delivery and Sustainment for the Mission
The presentation on Software Acquisition Program Dynamics by William (“Bill”) Novak described analysis the SEI is doing on data collected from more than 100 independent technical assessments of software-reliant acquisition programs. This analysis has produced insights into the most common ways that acquisition programs encounter difficulties. Programs regularly experience recurring cost, schedule, and quality failures, and progress and outcomes often appear to be unpredictable and unmanageable. Moreover, many acquisition leaders and staffers neither recognize these recurring issues nor realize that known solutions exist for many of these problems. This presentation explains how the SEI is working to mitigate the effects of misaligned acquisition program organizational incentives and adverse software-reliant acquisition structural dynamics by improving program staff decision-making. To do this, SEI researchers are modeling and analyzing both the adverse acquisition dynamics that we have encountered in actual programs, as well as candidate solutions to resolve those dynamics. You can watch a video of Bill’s presentation here.
Next Event February 28
A second virtual event, Architecting Software the SEI Way, is planned for February 28. This event focuses on moving toward using architecture practices more effectively to build better systems more efficiently and productively by understanding the fundamentals of software architecture, improving practice through architecture evaluation guidelines, and bridging technical and business goals by applying architecture methods to analyze and evaluate enterprise software architectures. We look forward to “seeing” you there. If you have any questions or thoughts on any of the presentations, please feel free to leave your comments below.