By Douglas C. Schmidt
As part of an ongoing effort to keep you informed about our latest work, I'd like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in insider threat, interoperability, service-oriented architecture, operational resilience, and automated remediation. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.
Spotlight On: Malicious Insiders and Organized Crime Activity
By Christopher King
The focus of this report is on current or former employees, contractors, or business partners who were affiliated with, or are considered to be part of, organized crime. This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why.
Interoperability in the e-Government Context
By Marc Novakouski & Grace Lewis
Achieving interoperability in an e-government context is hard. Although the benefits of enabling e-government systems to interoperate are significant, repeated failures to build working systems provide evidence that the tasks necessary to gain those benefits are poorly understood. Many governments have addressed interoperability as primarily a technical issue. To address the entirety of the interoperability challenge, however, development teams must also consider nontechnical factors that influence their efforts to meet interoperability goals. This report describes a proposed model for understanding interoperability in the e-government context.
Best Practices for Artifact Versioning in Service-Oriented Systems
By Marc Novakouski, Grace Lewis, Bill Anderson, & Jeff Davenport
This report describes some challenges of software versioning in an SOA environment and provides guidance on how to meet these challenges by following industry guidelines and recommended practices. Versioning decisions affect a wide range of processes that fall under the broad heading of change management. With the advent of service-oriented architecture (SOA) as a software-development paradigm, software versioning has become even more entwined with the software life cycle. The report describes typical items that a versioning policy for a service-oriented system should contain.
Using Defined Processes as a Context for Resilience Measures
By Julia H. Allen, Pamela D. Curtis, & Linda Parker Gates
This technical note, which builds on two previous reports, describes how implementation-level processes can provide the necessary context for identifying and defining measures of operational resilience. While the CERT-Resilience Management Model (CERT-RMM) defines the commonly used or best practices for operational resilience—what an organization should do—organization-specific processes must be defined at the implementation level to describe how to perform those practices. Organizations can then identify and define measures within the context of their specific processes and procedures and use the measures to evaluate process performance and operational resilience and identify opportunities for improvement. This technical note provides examples and templates for defining processes and procedures, as well as for defining related assets and measures.
Standards-Based Automated Automated Remediation: A Remediation Manager Reference Implementation, 2011 Update
By Sagar Chaki, Rita Creel, Jeff Davenport, Mike Kinney, Benjamin McCormick, & Mary Popeck
This report describes the Software Engineering Institute’s (SEI’s) 2011 work for the National Security Agency (NSA) to develop standards for automated remediation of vulnerabilities and compliance issues on Department of Defense (DoD) networked systems. The SEI developed a remediation manager reference implementation that demonstrates how evolving standards can communicate and process information on vulnerabilities, compliance issues, remediation policy, and remediation actions. In 2011 the SEI added a standards-based remediation policy management capability, enabling users to examine, tailor, and apply standard DoD policy to meet local needs.
For the latest SEI technical reports and papers, please visit