Software Engineering Institute Announces New CFO
September 11, 2018—The Software Engineering Institute today announced the hiring of a new chief financial officer.
Heidi S. Magnelia is responsible for financial, business, facilities, and central administrative services. She has more than 30 years of experience as a financial professional, with previous experience in government-funded research, consulting, and commercial organizations.
“We’re glad to welcome Heidi to the SEI,” said Paul Nielsen, SEI director and CEO. “Her experience as a financial manager at government-funded research organizations means she has a deep understanding of our mission to provide technology solutions to support national defense.”
Magnelia replaces Peter Menniti, who retired in January.
Prior to joining the SEI, she served in a number of fiscal roles at MITRE Corp. in McLean, Va., including Intel finance business partner, audit and compliance manager, and corporate accounting manager. Magnelia also served as a senior financial manager with Booz Allen Hamilton and group controller with SAIC. She has additional prior experience in Department of Defense-sponsored FFRDCs as controller, assistant treasurer, and director of business services at the Center for Naval Analyses in Arlington, Va.
“As a Pittsburgh native, I’m glad to be able to return home and to make my contribution to both Carnegie Mellon University, a global leader in technology research and education, and the Software Engineering Institute, which makes critical contributions to national security through its research in software engineering and cybersecurity,” said Magnelia.
Magnelia is a certified public accountant. She earned her bachelor’s degree in business administration at Indiana University of Pennsylvania.
15th Annual Workshop for Educators Plumbs DevOps and Technical Debt
August 27, 2018—Software engineering educators gathered recently at the SEI’s Pittsburgh headquarters for the 15th Software Engineering Workshop for Educators. The SEI hosts this annual event to foster an ongoing exchange of ideas among educators whose curricula include software engineering. The SEI’s Grace Lewis and Robert Nord led the workshop, which was attended by 27 educators representing institutions located in Canada, Colombia, Jamaica, Mexico, Slovenia, the United Kingdom, and the United States.
The first day of the workshop, Hasan Yasar delivered the course DevOps in Practice. Day two began with the course Managing Technical Debt of Software, which was taught by Nord. The balance of the workshop comprised group sessions facilitated by SEI staff. These sessions offered participants an opportunity to exchange experiences, ideas, and artifacts they’ve used to successfully introduce software engineering topics into college curricula.
“The third day of the workshop is always the most interesting for me,” said Lewis. “The artifacts that educators come up with to teach software engineering concepts are amazing. They leave the workshop with many clever ideas that they incorporate into their own courses.”
Shawn Bohner, professor and director of software engineering at Rose-Hulman Institute, concurred. “This is a great conduit for collaboration among software engineering educators and technologists,” he said.
The courses, too, were well received by workshop participants. “[The] DevOps practical demos were useful and rich with hands-on information,” said Rami Bahsoon, senior lecturer in software engineering at the University of Birmingham, United Kingdom. “They provided clarification on how the methodology can be applied in practice.”
“The whole idea of technical debt as a way to explore maintainability and extensibility is very rich,” noted Steve Chenoweth, associate professor of computer science and software engineering, Rose-Hulman Institute of Technology in Terre Haute, Indiana. “The course gave us ways to consider these quality attributes and techniques to manage them.”
As in past years, the workshop encompassed multiple topics such as software architecture, project management, scrum sprint simulation, forensics, web services design, blockchain, and software configuration management.
By conducting these annual workshops, the SEI is helping educators in the field of software engineering improve their pedagogy and, consequently, improve the understanding of software engineering concepts among the hundreds of students they instruct. This understanding will help future software engineering professionals as they enter a technological environment of ever-increasing scale and complexity.
To learn more about this year’s Software Engineering Workshop for Educators, visit https://resources.sei.cmu.edu/news-events/events/software-engineering-workshop/.
SEI CERT Division Releases Downloadable Source Code Analysis Tool
PITTSBURGH, Aug. 15, 2018—The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University today announced the release of its Source Code Analysis Laboratory (SCALe) application. This is the first public release of the SCALe application, published as open source.
SCALe can be used for auditing software written in any source code language. This version of SCALe categorizes tool alerts according to two code-flaw taxonomies: the CERT Secure Coding Standards and MITRE’s Common Weakness Enumeration (CWE). The CERT Secure Coding Standards provide detailed guidance for secure development in C, C++, Java, and Perl.
The SCALe application can be used to identify source code flaws that may lead to vulnerabilities. Because it consumes output from multiple flaw-finding static analysis tools, SCALe can surface more code defects than any single static analysis tool would find.
“Using multiple static analysis tools can greatly increase the types of flaws found,” said Lori Flynn, senior software security researcher at the SEI. “The alerts must be examined by an expert who determines whether each alert represents an actual code defect. Typically there are too many alerts, and not all can be manually examined. The SCALe system is designed to make this process easier. We are researching ways to automate the process of accurate alert classification and sophisticated methods of alert prioritization, and this version of SCALe includes features added over the last three years intended to assist with that.”
The SCALe application simplifies the process of auditing alerts. It takes as input the source code for a program, plus output from static analysis tools (flaw-finding tools and code metrics tools) that were run on the code. With this input, it provides a browser-based interface to the alerts and their associated code. It provides simple prioritizations of the alerts and relevant information about the potential vulnerabilities and how to fix the code based on the CERT Secure Coding Standards and CWEs. It makes auditor work more efficient by fusing alerts into a single view that requires only one audit determination.
SCALe provides an easy-to-use graphical user interface for examining alerts, identifying true positives and other determinations, and saving the audit information to a database.
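The workflow described above, in which output from several static analysis tools is normalized to a shared taxonomy, alerts that flag the same condition at the same location are fused into one audit item, and the fused items are prioritized, can be illustrated with a small script. The following is an added example and is not SCALe's own code: the tool names (lintA, lintB), checker identifiers, the checker-to-CERT-rule/CWE mapping, the severity weights, and the alert output format are all constructed for illustration, not SCALe's real mapping tables or input format.

```python
"""Toy alert fusion and prioritization in the spirit of SCALe (added example, not SEI code)."""
from dataclasses import dataclass, field

# Constructed mapping from (tool, checker id) to a CERT rule and CWE.
# The tool names, checker ids and the rule/CWE pairing are assumptions for
# this example, not SCALe's real mapping tables.
CHECKER_MAP = {
    ("lintA", "STR31"): ("STR31-C", "CWE-120"),
    ("lintB", "buffer-overrun"): ("STR31-C", "CWE-120"),
    ("lintA", "MEM30"): ("MEM30-C", "CWE-416"),
    ("lintB", "use-after-free"): ("MEM30-C", "CWE-416"),
}

# Constructed severity weight per CERT rule, used only for ranking (assumption).
RULE_SEVERITY = {"STR31-C": 3, "MEM30-C": 3}


@dataclass
class FusedAlert:
    """One audit item: a single condition at a single location, possibly flagged by several tools."""
    path: str
    line: int
    cert_rule: str
    cwe: str
    tools: set = field(default_factory=set)
    messages: list = field(default_factory=list)

    def score(self) -> int:
        # Independent tools agreeing on the same condition at the same location
        # raise confidence; the rule's severity raises impact.
        return len(self.tools) * RULE_SEVERITY.get(self.cert_rule, 1)


def parse_alert_line(tool: str, line: str) -> dict:
    """Parse one constructed 'path:line:checker:message' line of a tool's output."""
    path, lineno, checker, message = line.split(":", 3)
    return {"tool": tool, "path": path, "line": int(lineno),
            "checker": checker, "message": message.strip()}


def fuse_alerts(raw_alerts):
    """Normalize raw alerts to CERT/CWE, merge duplicates, and rank them.

    Returns (ranked fused alerts, alerts whose checker has no mapping yet).
    Unmapped alerts are kept rather than dropped so the auditor can extend the map.
    """
    fused = {}
    unmapped = []
    for a in raw_alerts:
        key = (a["tool"], a["checker"])
        if key not in CHECKER_MAP:
            unmapped.append(a)
            continue
        cert_rule, cwe = CHECKER_MAP[key]
        fkey = (a["path"], a["line"], cert_rule)
        if fkey not in fused:
            fused[fkey] = FusedAlert(a["path"], a["line"], cert_rule, cwe)
        fused[fkey].tools.add(a["tool"])
        fused[fkey].messages.append(f'{a["tool"]}: {a["message"]}')
    ranked = sorted(fused.values(), key=lambda f: (-f.score(), f.path, f.line))
    return ranked, unmapped


# Constructed sample output from two hypothetical tools run on the same code base.
TOOL_A_OUTPUT = """src/net.c:42:STR31:strcpy into fixed buffer
src/net.c:77:MEM30:pointer used after free
src/util.c:10:FMT99:format string oddity"""
TOOL_B_OUTPUT = """src/net.c:42:buffer-overrun:possible overrun of 'buf'
src/parse.c:5:use-after-free:'node' freed on line 3"""


def audit_view():
    """Build the fused, prioritized view from both tools' constructed output."""
    raw = [parse_alert_line("lintA", l) for l in TOOL_A_OUTPUT.splitlines()]
    raw += [parse_alert_line("lintB", l) for l in TOOL_B_OUTPUT.splitlines()]
    return fuse_alerts(raw)


if __name__ == "__main__":
    ranked, unmapped = audit_view()
    for f in ranked:
        print(f"[score {f.score()}] {f.path}:{f.line} {f.cert_rule} ({f.cwe}) tools={sorted(f.tools)}")
        for m in f.messages:
            print("   ", m)
    for u in unmapped:
        print(f"unmapped: {u['tool']}/{u['checker']} at {u['path']}:{u['line']}")
```

The two alerts at src/net.c:42 collapse into one audit item that needs a single true/false determination, and it ranks first because two tools agree on it; the alert from an unmapped checker is reported separately instead of being silently lost.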
For more information about the SCALe application, see https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=473847. Download the application at https://github.com/cmu-sei/SCALe.
SEI Seeks Responses to ODNI-Sponsored Online Cyber Intelligence Survey
Pittsburgh, Pa., August 9, 2018—The Emerging Technology Center at the Software Engineering Institute (SEI) at Carnegie Mellon University today issued a call for U.S.-owned organizations to participate in a cyber intelligence tradecraft survey. The survey is part of a cyber intelligence study the SEI is conducting on behalf of the Office of the Director of National Intelligence (ODNI).
Cyber intelligence—acquiring and analyzing information about cyber capabilities, intentions, and activities to enhance decision making—is a rapidly changing field.
“As an intellectual discipline, cyber intelligence is still in its relative infancy, which makes it especially important to identify and share best practices,” said Jim Richberg, ODNI’s national intelligence manager for cyber. “The insight we gain from this study will improve our ability to produce and share actionable cyber intelligence in both government and the private sector.”
The study, which the SEI will complete in 2019, will describe how organizations across the federal government, industry, and academia conduct cyber intelligence activities, identifying common challenges and best practices.
The online survey extends the reach of qualitative, in-person interviews the SEI is conducting as part of the study, which began in December 2017.
“Over the course of our interviews with organizations, we’ve noticed several trends and themes, which we’ve used to develop a survey,” said Jared Ettinger of the SEI’s cyber intelligence team. “With the online survey, we have a chance to increase the scale of our research. For example, we’ll be able to understand the use of certain tools and processes across sectors.”
The Cyber Intelligence Tradecraft Survey requires approximately 15 minutes to complete and asks questions based on five key areas:
environmental context (factors that shape an organization’s cyber intelligence effort)
data gathering (how an organization collects information)
functional analysis (the technical “what” and “how” of cyber intelligence)
strategic analysis (the “who” and “why” of cyber intelligence)
decision-maker reporting and feedback (how a cyber intelligence team interacts with leadership)
The SEI will issue a report based on the study in early 2019.
The SEI team is still accepting organizations for in-person interviews and specifically invites organizations from the manufacturing, healthcare, food and agriculture, and water sectors to apply. Interview participants receive a private comparative analysis of their own cyber intelligence efforts as well as access to overall study results prior to public release.
To complete the survey, visit https://www.surveymonkey.com/r/SEI_CITP. For more information about the study, see https://www.sei.cmu.edu/about/organization/etc/citp.cfm. Organizations wishing to participate in an in-person interview should contact the SEI at firstname.lastname@example.org.
CERT Division Announces Data Science in Cybersecurity Symposium
Pittsburgh, Pa., July 27, 2018—The Software Engineering Institute CERT Division today announced the 2nd annual CERT Data Science in Cybersecurity Symposium, a free one-day symposium to be held in Arlington, Va., on August 29. Registration is now open.
Modern computer networks generate incredible amounts of data, but making sense of this data is simultaneously a critically important task and a near-impossible exercise requiring advanced software and highly trained personnel.
Data science focuses on creating techniques that uncover hidden patterns in enormous data sets and developing tools that enable this discovery in any dataset and in any environment. Over the past few years, significant advances were made in both techniques and tools, enabling even the most subtle of patterns to be identified using modern computing power.
The 2018 CERT Data Science in Cybersecurity Symposium focuses on metadata. It will examine the deep insights that can be gleaned from what appears to be highly limited data, the relationship between cybersecurity data and privacy, and how to manage that risk.
Speakers at the symposium will include
Lujo Bauer, associate professor, Carnegie Mellon University Institute for Software Research
Ari Gesher, morning keynote speaker, founding director of software engineering at Kairos Aerospace
Bob Rudis, chief security data scientist, Rapid7
Shawn Riley, chief data officer and CISO, Darklight Cybersecurity (invited)
Eliezer Kanal, technical manager, science of cybersecurity, SEI CERT Division
Doug Sicker, department head and professor, Engineering and Public Policy, Carnegie Mellon University
Mark Perlin, CSO and CEO, Cybergenetics
Lisa Gumbs, assistant general counsel for operations (ret.), Defense Intelligence Agency
April Galyardt, machine learning research scientist, SEI CERT Division
The event is free to attend, but space is limited, and registration is required to reserve a seat.
For more information about the CERT Data Science in Cybersecurity Symposium and to register, visit https://data-science-symposium.eventbrite.com.