SEI Shorts Members of Technical Staff at the Software Engineering Institute

In this SEI Cyber Minute, Alex Corn discusses how to protect systems using Secure Shell (SSH). SSH supports keys, which provide efficiency and security benefits.

In this SEI Cyber Minute, Bobbie Stempfley explains how in our increasingly complex world, the SEI is redefining approaches to security to address the transformative technologies being adopted throughout government and industry.

In this SEI Cyber Minute, Suzanne Miller explains a pitfall that can occur when trying to use Agile and Lean methods when developing and implementing complex, embedded systems. In such projects, development traditionally proceeds in a model shaped like a “V,” where the completion of requirements definition, architecture, and design occurs along the left branch of the “V” and leads to implementation at the bottom point. Then, the right branch of the “V” represents verification and validation activities. The difficulty is that these projects usually reap the benefits of the iterative, incremental aspects of Agile development only during implementation, after requirements, architecture, and design work are deemed to be finished. At that point, it becomes difficult to apply the lessons learned during implementation and to make necessary changes to the work that occurred before implementation began. Suzanne Miller explains the dynamics of this pitfall, and she describes a more agile and responsive mindset that teams can use to make sure they reap the benefits of Agile and lean approaches throughout development. In addition, she shares reference material that can help interested parties learn more.

September 2019 has been designated “National Insider Threat Awareness Month.” A number of federal agencies—including the FBI, Office of the Under Secretary of Defense for Intelligence, and Department of Homeland Security—have chosen September to spotlight the risks that insiders pose to national security.

Since 2001, the SEI’s CERT Division has been helping government, industry, and academic entities identify and mitigate insider threats. The CERT Division’s research spans multiple domains, from the technical, including an exploration of tool sets for insider threat programs, to the behavioral and organizational, including a study on positive incentives for reducing insider threat in the workplace.

Static analysis (SA) alerts about software code flaws require costly manual effort to validate (e.g., determine True or False) and repair.  As a result, organizations often severely limit the types of alerts they manually examine to the types of code flaws they most worry about. That approach results in a tradeoff where many True flaws may never get fixed. To make alert handling more efficient, the SEI developed and tested novel software that enables the rapid deployment of a method to classify alerts automatically and accurately. We are implementing our solution in a new version of the SEI’s SCALe – the Source Code Analysis Lab – application.

In this SEI Cyber Minute, Ebonie McNeil explains how the Source Code Analysis Integrated Framework Environment or (SCAIFE) prototype is intended to be used by developers and analysts who manually audit alerts.

SCAIFE provides automatic alert classification using machine learning which gives a level of confidence that the alert is true or false.

The SCAIFE prototype also enables organizations to apply formulas that prioritize static analysis alerts by using factors they care about.