Each webinar features an SEI researcher discussing their research on software and cybersecurity problems of considerable complexity. The webinar series is a way for the SEI to accomplish its core purpose of improving the state-of-the-art in software engineering and cybersecurity and transitioning this work to the community. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI Webinar Seri ...
Software Engineering Institute (SEI) Podcast Series
Members of Technical Staff at the Software Engineering Institute
The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.
Discussions with SEI researchers about cyber-related topics of interest
In these short videos, experts from the Software Engineering Institute (SEI) deliver informative snapshots of our latest research on the changing world of all things cyber. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.
An organization’s cyber risk management practices must be rooted in organizational goals to be truly effective. In this webcast, Matt Butkovic, Greg Crabbe and Beth-Anne Bygum explore how best to align business and resilience objectives. By Matt Butkovic, Greg Crabbe and Beth-Anne Bygum

Updating Risk Assessment in the CERT Secure Coding Standard
35:53
Bringing a codebase into compliance with the SEI CERT Coding Standards requires a cost of time and effort, namely in the form of a static analysis tool. But those who are familiar with static analysis tools know that the alerts are not always reliable and produce false positives that must be detected and disregarded. This year, we plan on making s…

Delivering Next Generation Cyber Capabilities to the DoD Warfighter
27:16
In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Gregory Touhill, director of the SEI CERT Division, sits down with Matthew Butkovic, technical director of Cyber Risk and Resilience at CERT, to discuss ways in which CERT researchers and technologists are working to deliver rapid capability to warfighters in …

Cyber Maturity Model Certification (CMMC): Protecting the Nation’s Defense Industrial Base
28:02
The Defense Industrial Base (DIB) is a core element of the national security ecosystem. This point of intersection between private industry and the Department of Defense is a perpetual target for the Nation’s adversaries. In this Intersect, Matthew Butkovic and John Haller explore the development and implementation of the Cyber Maturity Model Cer…

Threat Hunting: What Should Keep All of Us Up at Night
57:09
When it comes to recognizing threats, cybersecurity professionals may become distracted by big promises or ignore some obvious inspections. New claims made by the latest and greatest new apps draw attention away from network situational awareness best practices—like a dog distracted when it spots a squirrel. We also may deviate from making routine …

Getting the Most Out of Your Insider Risk Data with IIDES
39:14
Insider incidents cause around 35 percent of data breaches, creating financial and security risks for organizations. In this podcast from the Carnegie Mellon University Software Engineering Institute, Austin Whisnant and Dan Costa discuss the Insider Incident Data Expression Standard (IIDES), a new schema for collecting and sharing data about insid…

Can a Cybersecurity Parametric Cost Model be Developed?
56:25
Can a cybersecurity parametric cost estimation model be developed? Every Department of Defense (DoD) program needs to account for, credibly estimate, budget/plan for, and assess the performance of its cybersecurity activities. Creating a cybersecurity parametric model would allow DoD programs to reliably estimate the effort and cost of cybersecurit…

Grace Lewis Outlines Vision for IEEE Computer Society Presidency
18:14
Grace Lewis, a principal researcher at the Carnegie Mellon University Software Engineering Institute (SEI) and lead of the SEI’s Tactical and AI-Enabled Systems Initiative, was elected the 2026 president of the IEEE Computer Society (CS), the largest community of computer scientists and engineers, with more than 370,000 members around the world. In…

Elements of Effective Communications for Cybersecurity Teams
34:00
Communications, both in times of crisis and during normal operations, are essential to the overall success and sustainability of an incident response or security operations team. How you plan for and manage these communications and how they are received and actioned by your audience will influence your trustworthiness, reputation, and ultimately yo…

Improving Machine Learning Test and Evaluation with MLTE
29:06
Machine learning (ML) models commonly experience issues when integrated into production systems. In this podcast, researchers from the Carnegie Mellon University Software Engineering Institute and the U.S. Army AI Integration Center (AI2C) discuss Machine Learning Test and Evaluation (MLTE), a new tool that provides a process and infrastructure for…

DOD Software Modernization: SEI Impact and Innovation
27:12
As software size, complexity, and interconnectedness have grown, software modernization within the Department of Defense (DoD) has become more important than ever. In this discussion moderated by Matthew Butkovic, technical director of risk and resilience in the SEI CERT Division, SEI director Paul Nielsen outlines the SEI’s work with the DoD on sof…

Operational Resilience Fundamentals: Building Blocks of a Survivable Enterprise
52:07
Surviving disruptive cyber events requires a specific form of planning. One must strike a balance between defending against threats (e.g., managing conditions) and effectively handling the effects of disruption (e.g., managing consequences). Employing a model (such as the CERT Resilience Management Model) provides a catalog of practices and a syste…
Chief Information Security Officers (CISOs) perpetually navigate a dynamic set of challenges. Applying focus and aligning resources is imperative for success. In this Intersect, Matthew Butkovic and Gregory Touhill reflect on 2024 and explore the topics that should be front of mind for CISOs in 2025. They provide insights and advice for those cont…

Understanding the Need for Cyber Resilience: A Conversation with Ray Umerley
53:02
No organization can comprehensively avoid disruptive cyber events. All must strive to maintain operational resilience during times of organizational stress. Ransomware incidents create disruption that can be fatal to the unprepared. In this webcast, we explore how to maintain operational resilience during a ransomware incident. Experts with varied …
As the strategic importance of AI increases, so too does the importance of defending those AI systems. To understand AI defense, it is necessary to understand AI offense—that is, counter AI. In this session, Matthew Butkovic, CISA, CISSP, technical director for risk and resilience, and Nathan VanHoudnos, senior machine learning researcher, explore t…

Securing Docker Containers: Techniques, Challenges, and Tools
39:09
Containerization allows developers to run individual software applications in an isolated, controlled, repeatable way. With the increasing prevalence of cloud computing environments, containers are providing more and more of their underlying architecture. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Sasa…

An Introduction to Software Cost Estimation
22:55
Software cost estimation is an important first step when beginning a project. It addresses important questions regarding budget, staffing, scheduling, and determining if the current environment will support the project. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Anandi Hira, a data scientist on the SEI…

Cyber Challenges in Health Care: Managing for Operational Resilience
53:37
Health-care organizations are seemingly besieged by a complex set of cyber threats. The consequences of disruptive cyber events in health care are in many ways uniquely troubling. Health-care organizations often face these challenges with modest resources. In this webcast, Matthew Butkovic and Darrell Keeling will explore approaches to maximize ret…

Independent Verification and Validation for Agile Projects
1:02:23
Traditionally, independent verification and validation (IV&V) is performed by an independent team throughout a program’s milestones or once the software is formally delivered. This approach allows the IV&V team to provide input at the various milestone gates. As more programs move to an Agile approach, those milestones aren’t as clearly defined sin…

Cybersecurity Metrics: Protecting Data and Understanding Threats
27:00
One of the biggest challenges in collecting cybersecurity metrics is scoping down objectives and determining what kinds of data to gather. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Bill Nichols, who leads the SEI’s Software Engineering Measurements and Analysis Group, discusses the importance of cyber…

3 Key Elements for Designing Secure Systems
36:28
To make secure software by design a reality, engineers must intentionally build security throughout the software development lifecycle. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Timothy A. Chick, technical manager of the Applied Systems Group in the SEI’s CERT Division, discusses building, designing, …

Using Role-Playing Scenarios to Identify Bias in LLMs
45:07
Harmful biases in large language models (LLMs) make AI less trustworthy and secure. Auditing for biases can help identify potential solutions and develop better guardrails to make AI safer. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Katie Robinson and Violet Turri, researchers in the SEI’s AI Division,…

Best Practices and Lessons Learned in Standing Up an AISIRT
38:29
In the wake of widespread adoption of artificial intelligence (AI) in critical infrastructure, education, government, and national security entities, adversaries are working to disrupt these systems and attack AI-enabled assets. With nearly four decades in vulnerability management, the Carnegie Mellon University Software Engineering Institute (SEI)…

3 API Security Risks (and How to Protect Against Them)
19:28
The exposed and public nature of application programming interfaces (APIs) comes with risks, including an increased network attack surface. Zero trust principles are helpful for mitigating these risks and making APIs more secure. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), McKinley Sconiers-Hasan, a solu…

Evaluating Large Language Models for Cybersecurity Tasks: Challenges and Best Practices
43:05
How can we effectively use large language models (LLMs) for cybersecurity tasks? In this Carnegie Mellon University Software Engineering Institute podcast, Jeff Gennari and Sam Perl discuss applications for LLMs in cybersecurity, potential challenges, and recommendations for evaluating LLMs.

Capability-based Planning for Early-Stage Software Development
33:55
Capability-Based Planning (CBP) defines a framework that has an all-encompassing view of existing abilities and future needs for strategically deciding what is needed and how to effectively achieve it. Both business and government acquisition domains use CBP for financial success or to design a well-balanced defense system. The definitions understa…

Safeguarding Against Recent Vulnerabilities Related to Rust
26:25
What can the recently discovered vulnerabilities related to Rust tell us about the security of the language? In this podcast from the Carnegie Mellon University Software Engineering Institute, David Svoboda discusses two vulnerabilities, their sources, and how to mitigate them.

Generative AI and Software Engineering Education
1:02:05
Within a very short amount of time, the productivity and creativity improvements envisioned by generative artificial intelligence (AI), such as using tools based on large language models (LLMs), have taken the software engineering community by storm. The industry is in a race to develop your next best software development tool. Organizations are pe…

Developing a Global Network of Computer Security Incident Response Teams (CSIRTs)
30:51
Cybersecurity risks aren’t just a national concern. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), the CERT division’s Tracy Bills, senior cybersecurity operations researcher and team lead, and James Lord, security operations technical manager, discuss the SEI’s work developing Computer Security Incident R…
Traditionally, cybersecurity has focused on finding and removing vulnerabilities. This is like driving backward down the highway using your rearview mirror. Most breaches are due to defects in design or code; thus, the only way to truly address the issue is to design and build more secure solutions. In this webcast, Tim Chick discusses how security…

Can You Rely on Your AI? Applying the AIR Tool to Improve Classifier Performance
38:50
Modern analytic methods, including artificial intelligence (AI) and machine learning (ML) classifiers, depend on correlations; however, such approaches fail to account for confounding in the data, which prevents accurate modeling of cause and effect and often leads to prediction bias. The Software Engineering Institute (SEI) has developed a new AI …

Automated Repair of Static Analysis Alerts
27:05
Developers know that static analysis helps make code more secure. However, static analysis tools often produce a large number of false positives, hindering their usefulness. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda, a software security engineer in the SEI’s CERT Division, discusses Rede…