The SEI Podcast Series will highlight the work of SEI researchers with different backgrounds, expertise, and interests. Some episodes will summarize the goals and results of advanced research projects at the cutting edge of science and technology. Other episodes will highlight the work of SEI technologists with customer-facing roles on applied, transition- and acquisition-oriented topics.
DNS Blocking to Disrupt Malware
For some time now, the cyber world has been under attack by a diffused set of enemies who improvise their own tools in many different varieties and hide them where they can do much damage. In this podcast, CERT researcher Vijay Sarvepalli explores Domain Name System or DNS Blocking, the idea of disrupting communications from malicious code such as ransomware that is used to lock up your digital assets, or data-exfiltration software that is used to steal your digital data. DNS blocking ensures a wide impact while avoiding the complexity of having to install or instrument every device in your enterprise. The key takeaway is to target a break in the chain of malware to minimize its effectiveness and the malicious code developer’s intended success.
Best Practices: Network Border Protection
When it comes to network traffic, it’s important to establish a filtering process that identifies and blocks potential cyberattacks, such as worms spreading ransomware and intruders exploiting vulnerabilities, while permitting the flow of legitimate traffic. In this podcast, the latest in a series on best practices for network security, Rachel Kartch explores best practices for network border protection at the Internet router and firewall. It is important to note that these recommendations are geared toward large organizations and government agencies and would not likely be appropriate for a home network or very small business network.
Verifying Software Assurance with IBM’s Watson
Since its debut on Jeopardy in 2011, IBM’s Watson has generated a lot of interest in potential applications across many industries. As detailed in this podcast, Mark Sherman recently led a research team investigating whether the Department of Defense could use Watson to improve software assurance and help acquisition professionals assemble and review relevant evidence from documents. Specifically, Sherman and his team examined whether typical developers could build an IBM Watson application to support an assurance review.
The CERT Software Assurance Framework
Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. The costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. Field experiences of technical staff at the SEI indicate that few programs currently implement effective cybersecurity practices early in the acquisition lifecycle. Recent Department of Defense directives are beginning to shift programs’ priorities regarding cybersecurity. As a result, researchers from the CERT Division of the SEI have started cataloging the cybersecurity practices needed to acquire, engineer, and field software-reliant systems that are acceptably secure. In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program’s current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed software-reliant systems.
Scaling Agile Methods
All major defense contractors in the market can tell you about their approaches to implementing the values and principles found in the Agile Manifesto. Published frameworks and methodologies are rapidly maturing, and a wave of associated terminology is part of the modern lexicon. We are seeing consultants feuding on Internet forums as well, each claiming to have the “true” answer for what Agile is and how to make it work in your organization. The challenge now is to scale Agile to work in complex settings with larger teams, larger systems, longer timelines, diverse operating environments, and multiple engineering disciplines. In this podcast, Will Hayes and Eileen Wrubel present five perspectives on scaling Agile from leading thinkers in the field, including Scott Ambler, Steve Messenger, Craig Larman, Jeff Sutherland, and Dean Leffingwell.