By Douglas C. Schmidt
As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in acquisition, socio-adaptive systems, application virtualization, insider threat, software assurance, and the Personal Software Process (PSP). This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.
Isolating Patterns of Failure in Department of Defense Acquisition
By Lisa Brownsword, Cecilia Albert, David J. Carney, Patrick R. Place, Charles Bud Hammons, and John J. Hudak
This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals. The investigation was motivated by the observation that a significant contributing factor in troubled or failing acquisitions was the misalignment between the software architecture and the acquisition strategy. An examination of a number of acquisition programs led to the discovery of seven repeatable patterns of failure to: (1) document business goals, (2) resolve conflicts between goals, (3) adapt to changing needs, (4) accommodate turbulence in the acquisition environment, (5) give due consideration to software needs, (6) use appropriate acquisition strategies, and (7) understand and use software quality attributes to create the architecture.
In addition to a detailed description of these patterns, the authors define the artifacts and the relationships that would have to hold between these artifacts to combat the failure patterns. Finally, they offer some suggestions on a method, woven from existing methods, for developing the artifacts with sufficient content that one can reason about the strength of the necessary relationships.
Socio-Adaptive Systems Challenge Problems Workshop Report
By Scott Hissam, Gabriel Moreno, and Mark H. Klein
Socio-adaptive systems are systems in which human and computational elements interact as peers. The behavior of the system arises from the properties of both types of elements and the nature of their collective reaction to changes in their environment, the mission they support, and the availability of resources they use. The Software Engineering Institute (SEI) held the Socio-Adaptive Systems Challenge Problem Workshop in Pittsburgh, PA, on April 12-13, 2012. The workshop’s goal was to identify the challenges associated with resource allocation for warfighters operating at the tactical edge, where networks are often unreliable and bandwidth is limited and inconsistent. This report presents a summary of the workshop findings.
Application Virtualization as a Strategy for Cyber Foraging in Resource-Constrained Environments
By Grace Lewis and Dominik Messinger
Modern mobile devices create new opportunities to interact with their surrounding environment, but their computational power and battery capacity are limited. Code offloading to external servers located in clouds or data centers can help overcome these limitations. However, in hostile environments, it is not possible to guarantee reliable networks, and thus stable cloud accessibility is not available. Cyber foraging is a technique for offloading resource-intensive tasks from mobile devices to resource-rich surrogate machines in close wireless proximity. One type of such surrogate machines is a cloudlet—a generic server that runs one or more virtual machines (VMs) located in single-hop distance to the mobile device. Cloudlet-based cyber foraging can compensate for missing cloud access in the context of hostile environments. One strategy for cloudlet provisioning is VM synthesis. Unfortunately, it is time consuming and battery draining due to large file transfers. This technical note explores application virtualization as a more lightweight alternative to VM synthesis for cloudlet provisioning. A corresponding implementation is presented and evaluated. A quantitative analysis describes performance results in terms of time and energy consumption; a qualitative analysis compares implementation characteristics to VM synthesis. The evaluation shows that application virtualization is a valid strategy for cyber foraging in hostile environments.
Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations
By Matthew L. Collins, Derrick Spooner, Dawn Cappelli, Andrew P. Moore, and Randall F. Trzeciak
This is the sixth entry in the Spotlight On series published by the CERT® Insider Threat Center. Each entry focuses on a specific area of threat to organizations from their current or former employees, contractors, or business partners and presents analysis based on hundreds of actual insider threat cases cataloged in the CERT insider threat database. This entry in the series focuses on insiders who stole intellectual property (IP), such as source code, scientific formulas, engineering drawings, strategic plans, or proposals, from their organizations to benefit a foreign entity. This technical note defines IP and insider theft of IP, explains the criteria used to select cases for this examination, gives a snapshot of the insiders involved in these cases, and summarizes some of the cases themselves. Finally, it provides recommendations for mitigating the risk of similar incidents of insider threat.
Software Assurance Competency Model
By Thomas B. Hilburn (Embry-Riddle Aeronautical University), Mark A. Ardis (Stevens Institute of Technology), Glenn Johnson ((ISC)²), Andrew J. Kornecki (Embry-Riddle Aeronautical University), and Nancy R. Mead
This Software Assurance (SwA) Competency Model was developed to create a foundation for assessing and advancing the capability of software assurance professionals. To help organizations and individuals determine SwA competency across a range of knowledge areas and units, this model provides a span of competency levels 1 through 5, as well as a decomposition into individual competencies based on knowledge and skills. This model also provides a framework for an organization to adapt the model's features to the organization’s particular domain, culture, or structure.
PSP-VDC: An Adaptation of the PSP that Incorporates Verified Design by Contract
By Silvana Moreno (Universidad de la República), Álvaro Tasistro (Universidad ORT Uruguay), Diego Vallespir (Universidad de la República), and William Nichols
The Personal Software Process (PSP) promotes the use of careful procedures during all stages of development with the aim of increasing an individual’s productivity and producing high quality final products. Formal methods use the same methodological strategy as the PSP: emphasizing care in development procedures as opposed to relying on testing and debugging. They also establish the radical requirement of proving mathematically that the programs produced satisfy their specifications. Design by Contract (DbC) is a technique for designing components of a software system by establishing their conditions of use and behavioral requirements in a formal language. When appropriate techniques and tools are incorporated to prove that the components satisfy the established requirements, the method is called Verified Design by Contract (VDbC).
This paper describes a proposal for integrating VDbC into PSP to reduce the number of defects present at the unit testing phase, while preserving or improving productivity. The resulting adaptation of the PSP, called PSPVDC, incorporates new phases, modifies others, and adds new scripts and checklists to the infrastructure. Specifically, the phases of Formal Specification, Formal Specification Review, Formal Specification Compile, Test Case Construct, Pseudo Code, Pseudo Code Review, and Proof are added.
For the latest SEI technical reports and papers, please visit