By Douglas C. Schmidt
In launching the SEI blog two years ago, one of our top priorities was to advance the scope and impact of SEI research and development projects, while increasing the visibility of the work by SEI technologists who staff these projects. After 114 posts, and 72,608 visits from readers of our blog, this post reflects on some highlights from the last two years and gives our readers a preview of posts to come.
First, the numbers.
Since the blog was launched in early 2011 the top 10 posts, in terms of visits to the site, are
- Improving Security in the Latest C Programming Language Standard
- What is Agile?
- Strategic Planning with Critical Success Factors and Future Scenarios
- Fuzzy Hashing Techniques in Applied Malware Analysis
- The CERT Perl Secure Coding Standard
- The Importance of Safety- and Security-related Requirements, First of a Three-Part Series
- Writing Effective YARA Signatures to Identify Malware
- Improving Testing Outcomes Through Software Architecture
- Cloud Computing for the Battlefield
- The Growing Importance of Sustaining Software for the DoD
One observation about these top posts is the wide range of topics covered by the blogs, including secure coding, malware analysis, organizational planning, agile software methods, quality assurance, cloud computing at the tactical edge, and software sustainment across the lifecycle. These topic areas reflect the diversity scope, and impact of the work being done at the SEI.
Numbers aren’t the only metric.
One goal of the blog when we launched was to provide immediate and accessible insights into the broad spectrum of work we do at the SEI via a two-way “read-write” medium that allows our audience to interact with SEI technologists, rapidly and effectively. Several posts that sparked dialogue between researchers and readers have highlighted the success of this model, including Robert Nord’s post on Rapid Lifecycle Development in an Agile Context and David Svoboda’s post on the CERT Perl Secure Coding Standard, which drew substantial feedback from coders.
Another goal of the blog was to give our audience immediate and accessible insights into our work. One success story in this arena stemmed from a post on fuzzy hashing in applied malware analysis by CERT malware researcher David French. Within a day of its publication, the post was referenced in the blog, Technology Review, which is maintained by the Massachusetts Institute of Technology. A few days after that, a writer for the Tech Republic blog interviewed David French about his research into fuzzy hashing. While the SEI remains committed to publishing our work in traditional venues, such as peer-refereed journals and conferences, it’s also clear that social media dissemination vehicles like blogs can have tremendous impact in a short time period.
Securing the Cyber Infrastructure
Many of our posts have focused on securing the cyber infrastructure. The CERT Secure Coding Initiative is conducting research to reduce the number of software vulnerabilities to a level that can be mitigated in DoD operational environments. This work focuses on static and dynamic analysis tools, secure coding patterns, and scalable conformance testing techniques that help prevent coding errors or discover and eliminate security flaws during implementation and testing.
The post that brought in the most visitors during the past two years, Improving Security in the C Programming Language Standard by David Keaton, explored two of the changes—bounds-checking interfaces and analyzability—from the December 2011 revision of the C programming language standard, which is known informally as C11 (each revision of the standard cancels and replaces the previous one, so there is only one C standard at a time).
Other popular posts in this area highlighted work by SEI researchers who are developing tools to analyze obfuscated malware code to enable analysts to more quickly derive the insights required to protect and respond to intrusions of DoD and other government systems. Their approach, as described in a post by Sagar Chaki, uses semantic code analysis to de-obfuscate binary malware to a simple intermediate representation and then convert the intermediate representation back to readable binary that can be inspected by existing malware tools.
A Growing Importance in Software Sustainment
The high costs of software sustainment (which account for 60 to 90 percent of the total software lifecycle effort) are receiving increased attention as the DoD wrestles with the ramifications of sequestration. Over the last two years, we’ve dedicated a substantial portion of this blog space to the importance of highlighting our efforts to help the DoD sustain software more effectively.
Mike Phillips wrote a series of posts on efficient and effective software sustainment. The first post highlighted specific examples of the importance of software sustainment in the DoD, where software upgrade cycles need to refresh capabilities every 18 to 24 months on weapon systems that have been out of production for many years, but are expected to maintain defense capability for decades. The second post described effective sustainment engineering efforts in the Air Force, using examples from across the service’s Air Logistics Centers (ALCs).
In June 2012, Bill Scherlis also penned a post on software sustainment stemming from a research effort that he led that studied defense software producibility, with the purpose of identifying the principal challenges and developing recommendations regarding both improvement to practice and priorities for research. The post highlighted key findings of the report Critical Code: Software Producibility for Defense, a summary of the results of the three-year research effort conducted under the auspices of the National Research Council (NRC).
I also authored a two-part series on this topic based on my involvement in an Air Force Scientific Advisory Board study on sustaining aging aircraft. The first post in the series, The Growing Importance of Sustaining Software for the DoD, summarized key software sustainment challenges faced by DoD; the subsequent post describes R&D activities conducted by the SEI to address some of these challenges. The second post in the series described key R&D activities conducted by the SEI to address these challenges including work in sustainment R&D, software product lines, Team Software Process, and software architecture.
An Interest in Agile
While agile methods have become popular in commercial software development organizations, the engineering disciplines needed to apply agility to mission-critical, software-reliant systems are not as well defined or practiced. Perhaps it’s no surprise, therefore, that the category visitors to the blog site have clicked most on is “agile,” and one of the most popular posts in that series is Stephany Bellomo’s “What is Agile,” which has drawn the second highest number of visitors to the site.
A strong reader interest in agile also spurred a series of posts that highlighted presentations made during the SEI Agile Research Forum. This forum brought together researchers and practitioners from around the world to discuss when and how to best apply agile methods in mission-critical environments found in government and many industries. I wrote a series of posts recapping presentations made at the Agile Research Forum by
- Anita Carleton, director of the SEI's Software Engineering Process Management Program, and Teresa M. Takai, chief information officer at the Department of Defense, who discussed the SEI's research efforts in Applying Agile at Scale for Mission-Critical Software Systems
- Mary Ann Lapham, a senior member of the technical staff, who discussed the importance of collaboration with end users, as well as among cross-functional teams, to facilitate the adoption of agile approaches into DoD acquisition programs
- Ipek Ozkaya, a senior member of the technical staff, who discussed the use of agile practices in strategic management of architectural technical debt
- Jim Over, manager of the SEI's Team Software Process initiative, who advocated the building of self-managed teams, planning and measuring project process, designing before building, and making quality the top priority, among other principles associated with applying agile methods at scale
- My presentation on applying agile methods to common operating platform environments (COPEs) that have become increasingly important for the DoD.
In December, we published a post on the State of the Practice of Cyber Intelligence from the SEI Innovation Center. The post describes a research initiative aimed at helping organizations bolster their cyber security posture by leveraging best practices in methodologies and technologies that provide a greater understanding of potential risks and threats in the cyber domain. We will continue to work with the SEI Innovation Center to cover their work on data-intensive scalable computing, which includes the following technical areas:
- heterogeneous high-performance cloud computing
- cyber intelligence (tradecraft, capabilities, and prototyping new analysis methodologies)
- adaptive and autonomous systems
- analytics/applied machine learning
- prototype application development
- data architectures
- human-information interaction
In the coming months we will also be continuing our series on the Architecture Analysis & Design Language (AADL) standard, which provides formal modeling concepts for the description and analysis of application systems architecture in terms of distinct components and their interactions. Future posts in this series on AADL will cover tools and real-world applications highlighting experiences from organizations in the medical device and space domains.
On another front, we will continue writing about exploratory research efforts at the SEI, the outcomes of which will determine future directions at the SEI.
Most importantly, we’d like to thank our readers for their feedback and insight over the last two years. We value your insights and would welcome your feedback below on ways we can improve the SEI Blog to better serve our audience.
To download the latest SEI technical reports and notes, please visit