Nominations Sought for 2019 Northrop Software Architecture Award
February 6, 2019—The nomination period for the Software Engineering Institute's Linda M. Northrop Software Architecture Award is now open. This honor recognizes an individual or team that has used software architecture to significantly improve practices or outcomes, or both, in an organization or in the software-development community. The award will be presented at the 2019 SEI Architecture Technology User Network (SATURN) Conference, which will be held May 6 through 9 in Pittsburgh.
The winning entry will be selected based on the following criteria:
Success through Architecture. Significant, influential use of architecture as a critical factor in the successful launch of a product or system.
Leadership. Motivating others in an organization or in the community to adopt an innovative software architecture practice.
Persistent Change. Product or innovative software architecture practice that produced a persistent change in behavior and results.
Perspective. Emergence of a new or different perspective on software architecture.
Winners will receive free admission to SATURN, and the conference will cover travel and lodging expenses. The winners will also present their experiences and insights in an invited talk at SATURN.
The award is named for Linda M. Northrop, an SEI Fellow who led the SEI program that was instrumental in the creation and development of the field of software engineering known as software architecture. SEI software architecture methods are today in wide use throughout the world, documented in a series of highly acclaimed books and disseminated by means of a software architecture curriculum and certificate programs. To date, more than 20,000 people from more than 1,800 organizations have attended courses in the SEI Software Architecture Curriculum, and more than 2,500 people have earned software-architecture-related certificates.
To learn more about eligibility requirements, conditions, nominations guidelines, and nomination materials, visit https://resources.sei.cmu.edu/news-events/events/northrop-award/index.cfm.
To learn more about SATURN 2019, and to register, visit https://resources.sei.cmu.edu/news-events/events/saturn/.
CERT Division Releases Assessment Guide for Incident Management
January 17, 2019—Computer security incident response teams (CSIRTs) and security operations centers (SOCs) that are interested in assessing their effectiveness currently do not have many options. A new tool released recently by the SEI’s CERT Division changes that.
The Incident Management Capability Assessment provides an extensive workbook to evaluate incident management and other supporting functions to help CSIRTs and SOCs identify strengths and weaknesses and improve their effectiveness.
“The assessment is broader than incident management and looks at other functions that support or interface with incident management activities, such as vulnerability management and risk management,” said Robin Ruefle, team lead, CSIRT Development and Training. “If you want to learn what your strengths and weaknesses are with respect to incident management, then this workbook can help you. You can also use the capabilities and associated indicators as guidance for building or improving your incident management function.”
Successful management of incidents that threaten an organization’s computer security is a complex endeavor. Frequently, an organization’s primary focus is on response, which results in a failure to manage incidents beyond simply reacting to threatening events. Yet incident management is more than just responding when a threatening event occurs.
The capabilities presented in this workbook provide a baseline or benchmark of incident management practices for an organization. This benchmark can be used by an organization to assess its current incident management capability, guide process improvement, and help assure system owners, data owners, and operators that their incident management services meet a high standard of quality within acceptable levels of risk.
Organizations can use this workbook to do a self-assessment (instructions are included) or they can have a third party use it as an assessment tool.
To download the Incident Management Capability Assessment, visit https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538848.
SEI-ACE Implementation Supports Secure IoT in Edge Environments
January 14, 2018—The SEI has released an implementation for authentication and authorization of Internet of Things (IoT) devices for use in edge environments. As part of the SEI’s mission to transition the technologies it develops to the larger software engineering community, the SEI has made this implementation, SEI-ACE, freely available in its open-source code repository on GitHub.
SEI researchers Sebastián Echeverría, Dan Klinedinst, and Grace Lewis based this implementation on an Internet Engineering Task Force (IETF) proposal for authentication and authorization in resource-constrained environments (ACE).
First responders, the military, medics, and other field personnel increasingly rely on IoT devices to support operations in edge environments in which network connectivity is often disconnected, intermittent, and limited (DIL). Threats in these environments often include sabotage, capture, and the impersonation of both IoT devices and their clients. To address these challenges, strong yet decentralized authentication and authorization mechanisms are necessary. This is what motivated the SEI team to develop SEI-ACE.
“The SEI-ACE code, and especially the resource-constrained version, are a crucial contribution to the IETF standardization process, because they allow interoperability testing with other implementations of the ACE framework, which is a condition for the IETF standardization process to move forward,” said Dr. Ludwig Seitz, senior researcher at the Security Lab of the RISE Research Institutes of Sweden. Seitz is the main author of the ACE draft. “The constrained implementation is especially important because all other publicly available implementations are aimed at less-constrained device classes,” said Seitz.
The constrained resource server implementation is targeted at Class 2 IoT devices, which are limited to approximately 50KB of memory and 250KB of storage. “This enables secure deployment of very low power sensors and actuators and supports common IoT networks such as Bluetooth Low Energy and Zigbee,” said Klinedinst.
“SEI-ACE can be used by anyone interested in the secure integration of IoT devices in their systems,” said Lewis, principal investigator for the Authentication and Authorization for IoT Devices in Edge Environments research project that created SEI-ACE.
Echeverría notes the team developed a number of new extensions to ACE to add functionality. “Besides being an implementation of ACE, SEI-ACE adds optional functionalities that are out-of-scope for ACE but needed in hostile DIL environments. These include support for bootstrapping and securely distributing credentials as well as the ability to revoke tokens due to devices being compromised. SEI-ACE implements this while still being fully ACE compliant,” said Echeverría.
“As ACE continues to make progress through the IETF standardization process we will continue to create awareness that not all IoT devices operate in stable and connected environments, such as home and industry, and that standards need to account for less stable edge environments,” said Lewis.
The SEI-ACE implementation contains code for the ACE client, authorization server, unconstrained resource server, constrained resource server, and supporting libraries.
Interested developers can download the code from the SEI GitHub repository: https://github.com/SEI-TTG/ace-client/wiki.
SCSS 2019 Explores Acquisition, Security, and the Supply Chain
January 14, 2019—Registration is open for the Software Engineering Institute's Software and Cyber Solutions Symposium (SCSS) 2019, a two-day event focusing on acquisition, security, and the supply chain. The symposium, which is free to attendees, will be held on Wednesday, February 13, in Arlington, Va. Four optional tutorials will be offered on February 14.
SCSS will present two dynamic keynote speakers: Shannon Lietz, DevSecOps Leader and director at Intuit; and Dr. Will Roper, assistant secretary for Acquisition, Technology and Logistics, U.S. Air Force, who will discuss the risks facing the supply chain in today’s world.
Other topic experts on the SCSS program include
David Danks, Carnegie Mellon University researcher on moving beyond correlations and predictions to causal knowledge that can guide action, policy, and plans
Derek Weeks, vice president at Sonatype and world-renowned researcher on securing software supply chains
Ceci Albert, Software Engineering Institute expert on how software development processes affect your acquisition strategy
Grace Lewis, Software Engineering Institute expert who will give a mini-tutorial on emerging technologies for software-reliant systems
Four affordably priced half-day tutorials are available on Thursday, February 14:
Secure DevOps: Build a Secure Deployment Pipeline to Deploy Secure Applications
Software Assurance for the Supply Chain
Scaling Agile Metrics to Large Complex Programs
Understanding Software Architecture, Quality, and Security through Code Analysis
Tutorials are free to U.S. government employees using the promotional code GOVMIL.
Non-government employees can use the promotional code BONUS20 to receive 20 percent off the standard tutorial fee of $250 if purchasing more than one tutorial.
For more information about SCSS or to register, visit https://resources.sei.cmu.edu/news-events/events/scss/.
Registration Now Open for 15th Annual SATURN Conference
December 18, 2018—Registration is now open for SATURN 2019, a premier software architecture conference in its 15th year, designed for practitioners who are responsible for producing robust software architectures as well as for those who view software architecture as a critical element in the achievement of their business or organizational missions. SATURN 2019 will take place at the Sheraton Pittsburgh Hotel at Station Square from May 6 to 9.
The SATURN 2019 program includes a full day of courses to start the week and three days of conference sessions and networking opportunities.
Early-bird registration is open now through March 22 with additional discounts available to those in government and academic organizations, current full-time students, and groups of three or more within the same organization. Sponsorship packages, most of which include free conference registration, are also available.
If you want to be part of the SATURN 2019 program, submit a proposal by January 11 to the online submission system. For information about tracks, session types, and session lengths, see the SATURN 2019 Call for Submissions. Presenters whose proposals are accepted will receive free or discounted admission to the conference depending on the submission type.
For more information about SATURN 2019, visit the SATURN 2019 website.