A Technical History of the SEI
also developed course descriptions and other resources. In 2011, the master’s curriculum was recognized
by the IEEE and the Association for Computing Machinery as the model curriculum for a
master’s degree program in software assurance.
The Consequence: Improved Software Development and Acquisition Practices
SEI tools, techniques, methods, and analysis are raising the level of awareness of software developers,
acquirers, and system managers [Allen 2008]. Security and privacy can now be clearly defined
in software requirements, helping to ensure these qualities are incorporated from the start.
The use of SEI frameworks helps organizations to increase their confidence that operational mission
and critical work processes can be successfully executed in the presence of stress and possible
failure, and helps them to identify areas where they can apply policy, practices, and technology
options to improve assurance. The risks inherent in supply chains can be assessed, reduced,
and mitigated. Risk-based measurement techniques increase organizations’ understanding of their
software assurance situation and enable them to make effective improvements. The cybersecurity
risk management strategy enables emergency alert originators to mitigate risks so that alerts are
sent with proper authorization, accurately, and on time, every time.
The ultimate consequence is improved national security, with increased assurance that software
will operate as expected for essential government services and the nation’s critical infrastructure
and with reduced risk and impact of successful cyber attacks.
The SEI Contribution
In seeking ways to prevent vulnerabilities rather than simply react to them, the SEI leveraged the
software community’s identification of gap areas in software assurance research and the
knowledge gained in its CERT Coordination Center’s reactive work on security breaches and software
vulnerabilities. Some projects are unique approaches to software assurance; others adapt
technology and techniques from other software-related areas. Along with the SEI research in this
area, the software industry has recognized that security must be incorporated into product and systems
development: for example, Microsoft’s Security Development Lifecycle and Cigital’s Build
Security in Maturity Model. Likewise, the National Institute of Standards and Technology (NIST)
and the Object Management Group (OMG) are developing standards and guidelines for addressing
security in software development.
The SEI works with DHS, DoD agencies and organizations, and defense contractors to raise
awareness of software assurance opportunities and requirements and to help them take action to
build security into products early in the software development lifecycle. The SEI addresses the nation’s
need for increased software assurance expertise by offering training in SEI techniques and a
curriculum [49] to prepare future software assurance experts. The institute reaches out to the community
of software developers and acquirers by managing and contributing content to DHS websites—Build
Security In (BSI) and the Software Assurance (SwA) Community Resources and Information
Clearinghouse (CRIC). SEI experts also work with the software assurance community
through DHS Software Assurance Working Groups.
[49] See http://www.cert.org/mswa
CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 194
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.