Journal of Software Engineering Research and Development

Metric-centered and technology-independent architectural views for software comprehension

The maintenance of applications is a crucial activity in the software industry. The high cost of this process is due to the effort invested on software comprehension since, in most of cases, there is no up-to-...

Back to the future: origins and directions of the “Agile Manifesto” – views of the originators

In 2001, seventeen professionals set up the manifesto for agile software development. They wanted to define values and basic principles for better software development. On top of being brought into focus, the ...

Investigating the effectiveness of peer code review in distributed software development based on objective and subjective data

Code review is a potential means of improving software quality. To be effective, it depends on different factors, and many have been investigated in the literature to identify the scenarios in which it adds qu...

On the benefits and challenges of using kanban in software engineering: a structured synthesis study

Kanban is increasingly being used in diverse software organizations. There is extensive research regarding its benefits and challenges in Software Engineering, reported in both primary and secondary studies. H...

Challenges on applying genetic improvement in JavaScript using a high-performance computer

Genetic Improvement is an area of Search Based Software Engineering that aims to apply evolutionary computing operators to the software source code to improve it according to one or more quality metrics. This ...

Actor’s social complexity: a proposal for managing the iStar model

Complex systems are inherent to modern society, in which individuals, organizations, and computational elements relate with each other to achieve a predefined purpose, which transcends individual goals. In thi...

Investigating measures for applying statistical process control in software organizations

The growing interest in improving software processes has led organizations to aim for high maturity, where statistical process control (SPC) is required. SPC makes it possible to analyze process behavior, pred...

An approach for applying Test-Driven Development (TDD) in the development of randomized algorithms

TDD is a technique traditionally applied in applications with deterministic algorithms, in which the input and the expected result are known. However, the application of TDD with randomized algorithms have bee...

Supporting governance of mobile application developers from mining and analyzing technical questions in stack overflow

There is a need to improve the direct communication between large organizations that maintain mobile platforms (e.g. Apple, Google, and Microsoft) and third-party developers to solve technical questions that e...

Working software over comprehensive documentation – Rationales of agile teams for artefacts usage

Agile software development (ASD) promotes working software over comprehensive documentation. Still, recent research has shown agile teams to use quite a number of artefacts. Whereas some artefacts may be adopt...

Development as a journey: factors supporting the adoption and use of software frameworks

From the point of view of the software framework owner, attracting new and supporting existing application developers is crucial for the long-term success of the framework. This mixed-methods study explores th...

Applying user-centered techniques to analyze and design a mobile application

Techniques that help in understanding and designing user needs are increasingly being used in Software Engineering to improve the acceptance of applications. Among these techniques we can cite personas, scenar...

A measurement model to analyze the effect of agile enterprise architecture on geographically distributed agile development

Efficient and effective communication (active communication) among stakeholders is thought to be central to agile development. However, in geographically distributed agile development (GDAD) environments, it c...

A survey of search-based refactoring for software maintenance

This survey reviews published materials related to the specific area of Search-Based Software Engineering that concerns software maintenance and, in particular, refactoring. The survey aims to give a comprehen...

Guest editorial foreword for the special issue on automated software testing: trends and evidence

Similarity testing for role-based access control systems

Access control systems demand rigorous verification and validation approaches, otherwise, they can end up with security breaches. Finite state machines based testing has been successfully applied to RBAC syste...

An algorithm for combinatorial interaction testing: definitions and rigorous evaluations

Combinatorial Interaction Testing (CIT) approaches have drawn attention of the software testing community to generate sets of smaller, efficient, and effective test cases where they have been successful in det...

How diverse is your team? Investigating gender and nationality diversity in GitHub teams

Building an effective team of developers is a complex task faced by both software companies and open source communities. The problem of forming a “dream”

Investigating factors that affect the human perception on god class detection: an analysis based on a family of four controlled experiments

Evaluation of design problems in object oriented systems, which we call code smells, is mostly a human-based task. Several studies have investigated the impact of code smells in practice. Studies focusing on h...

On the evaluation of code smells and detection tools

Code smells refer to any symptom in the source code of a program that possibly indicates a deeper problem, hindering software maintenance and evolution. Detection of code smells is challenging for developers a...

On the influence of program constructs on bug localization effectiveness

Software projects often reach hundreds or thousands of files. Therefore, manually searching for code elements that should be changed to fix a failure is a difficult task. Static bug localization techniques pro...

DyeVC: an approach for monitoring and visualizing distributed repositories

Software development using distributed version control systems has become more frequent recently. Such systems bring more flexibility, but also greater complexity to manage and monitor multiple existing reposi...

A genetic algorithm based framework for software effort prediction

Several prediction models have been proposed in the literature using different techniques obtaining different results in different contexts. The need for accurate effort predictions for projects is one of the ...

Elaboration of software requirements documents by means of patterns instantiation

Studies show that problems associated with the requirements specifications are widely recognized for affecting software quality and impacting effectiveness of its development process. The reuse of knowledge ob...

ArchReco: a software tool to assist software design based on context aware recommendations of design patterns

This work describes the design, development and evaluation of a software Prototype, named ArchReco, an educational tool that employs two types of Context-aware Recommendations of Design Patterns, to support us...

On multi-language software development, cross-language links and accompanying tools: a survey of professional software developers

Non-trivial software systems are written using multiple (programming) languages, which are connected by cross-language links. The existence of such links may lead to various problems during software developmen...

SoftCoDeR approach: promoting Software Engineering Academia-Industry partnership using CMD, DSR and ESE

The Academia-Industry partnership has been increasingly encouraged in the software development field. The main focus of the initiatives is driven by the collaborative work where the scientific research work me...

Issues on developing interoperable cloud applications: definitions, concepts, approaches, requirements, characteristics and evaluation models

Among research opportunities in software engineering for cloud computing model, interoperability stands out. We found that the dynamic nature of cloud technologies and the battle for market domination make clo...

Game development software engineering process life cycle: a systematic review

Software game is a kind of application that is used not only for entertainment, but also for serious purposes that can be applicable to different domains such as education, business, and health care. Multidisc...

Correlating automatic static analysis and mutation testing: towards incremental strategies

Traditionally, mutation testing is used as test set generation and/or test evaluation criteria once it is considered a good fault model. This paper uses mutation testing for evaluating an automated static anal...

A multi-objective test data generation approach for mutation testing of feature models

Mutation approaches have been recently applied for feature testing of Software Product Lines (SPLs). The idea is to select products, associated to mutation operators that describe possible faults in the Featur...

An extended global software engineering taxonomy

In Global Software Engineering (GSE), the need for a common terminology and knowledge classification has been identified to facilitate the sharing and combination of knowledge by GSE researchers and practition...

A systematic process for obtaining the behavior of context-sensitive systems

Context-sensitive systems use contextual information in order to adapt to the user’s current needs or requirements failure. Therefore, they need to dynamically adapt their behavior. It is of paramount importan...

Distinguishing extended finite state machine configurations using predicate abstraction

Extended Finite State Machines (EFSMs) provide a powerful model for the derivation of functional tests for software systems and protocols. Many EFSM based testing problems, such as mutation testing, fault diag...

Extending statecharts to model system interactions

Statecharts are diagrams comprised of visual elements that can improve the modeling of reactive system behaviors. They extend conventional state diagrams with the notions of hierarchy, concurrency and communic...

On the relationship of code-anomaly agglomerations and architectural problems

Several projects have been discontinued in the history of the software industry due to the presence of software architecture problems. The identification of such problems in source code is often required in re...

An approach based on feature models and quality criteria for adapting component-based systems

Feature modeling has been widely used in domain engineering for the development and configuration of software product lines. A feature model represents the set of possible products or configurations to apply i...

Patch rejection in Firefox: negative reviews, backouts, and issue reopening

Writing patches to fix bugs or implement new features is an important software development task, as it contributes to raise the quality of a software system. Not all patches are accepted in the first attempt, ...

Investigating probabilistic sampling approaches for large-scale surveys in software engineering

Establishing representative samples for Software Engineering surveys is still considered a challenge. Specialized literature often presents limitations on interpreting surveys’ results, mainly due to the use o...

Characterising the state of the practice in software testing through a TMMi-based process

The software testing phase, despite its importance, is usually compromised by the lack of planning and resources in industry. This can risk the quality of the derived products. The identification of mandatory ...

Self-adaptation by coordination-targeted reconfigurations

A software system is self-adaptive when it is able to dynamically and autonomously respond to changes detected either in its internal components or in its deployment environment. This response is expected to ensu...

Templates for textual use cases of software product lines: results from a systematic mapping study and a controlled experiment

Use case templates can be used to describe functional requirements of a Software Product Line. However, to the best of our knowledge, no efforts have been made to collect and summarize these existing templates...

F3T: a tool to support the F3 approach on the development and reuse of frameworks

Frameworks are used to enhance the quality of applications and the productivity of the development process, since applications may be designed and implemented by reusing framework classes. However, frameworks ...

NextBug: a Bugzilla extension for recommending similar bugs

Due to the characteristics of the maintenance process followed in open source systems, developers are usually overwhelmed with a great amount of bugs. For instance, in 2012, approximately 7,600 bugs/month were...

Assessing the benefits of search-based approaches when designing self-adaptive systems: a controlled experiment

The well-orchestrated use of distilled experience, domain-specific knowledge, and well-informed trade-off decisions is imperative if we are to design effective architectures for complex software-intensive syst...

Revealing influence of model structure and test case profile on the prioritization of test cases in the context of model-based testing

Test case prioritization techniques aim at defining an order of test cases that favor the achievement of a goal during test execution, such as revealing failures as earlier as possible. A number of techniques ...

A metrics suite for JUnit test code: a multiple case study on open source software

The code of JUnit test cases is commonly used to characterize software testing effort. Different metrics have been proposed in literature to measure various perspectives of the size of JUnit test cases. Unfort...

Designing fault-tolerant SOA based on design diversity

Over recent years, software developers have been evaluating the benefits of both Service-Oriented Architecture (SOA) and software fault tolerance techniques based on design diversity. This is achieved by creat...

Method-level code clone detection through LWH (Light Weight Hybrid) approach

Many researchers have investigated different techniques to automatically detect duplicate code in programs exceeding thousand lines of code. These techniques have limitations in finding either the structural o...

The problem of conceptualization in god class detection: agreement, strategies and decision drivers

The concept of code smells is widespread in Software Engineering. Despite the empirical studies addressing the topic, the set of context-dependent issues that impacts the human perception of what is a code sme...

Software Engineering Institute

Technical papers.

The SEI Digital Library houses thousands of technical papers and other documents, ranging from SEI Technical Reports on groundbreaking research to conference proceedings, survey results, and source code.

Explainable Verification: Survey, Situations, and New Ideas

April 16, 2024 • white paper, by bjorn andersson, mark h. klein, dionisio de niz.

This report focuses on potential changes in software development practice and research that would help tools used for formal methods explain their output, making software practitioners more likely to trust …

Zero Trust Industry Days 2024 Scenario: Secluded Semiconductors, Inc.

February 27, 2024 • white paper, by rhonda brown.

This scenario guides discussions of solutions submitted to address the challenges of implementing zero trust.

Considerations for Evaluating Large Language Models for Cybersecurity Tasks

February 20, 2024 • white paper, by jeff gennari, shing-hon lau, samuel j. perl, joel parish (openai), girish sastry (openai).

In this paper, researchers from the SEI and OpenAI explore the opportunities and risks associated with using large language models (LLMs) for cybersecurity tasks.

Navigating Capability-Based Planning: The Benefits, Challenges, and Implementation Essentials

February 7, 2024 • white paper, by anandi hira, william nichols.

Based on industry and government sources, this paper summarizes the benefits and challenges of implementing Capability-Based Planning (CBP).

Encoding Verification Arguments to Analyze High-Level Design Certification Claims: Experiment Zero (E0)

January 18, 2024 • white paper, by bjorn andersson, mark h. klein, dionisio de niz, douglas schmidt (vanderbilt university), ronald koontz (boeing company), john lehoczky (carnegie mellon university), george romanski (federal aviation administration), jonathan preston (lockheed martin corporation), daniel shapiro (institute of defense analysis), floyd fazi (lockheed martin corporation), david tate (institute of defense analysis), gordon putsche (the boeing company), hyoseung kim (university of california, riverside).

This paper discusses whether automation of certification arguments can identify problems that occur in real systems.

The Measurement Challenges in Software Assurance and Supply Chain Risk Management

December 22, 2023 • white paper, by nancy r. mead, carol woody, scott hissam.

This paper recommends an approach for developing and evaluating cybersecurity metrics for open source and other software in the supply chain.

Report to the Congressional Defense Committees on National Defense Authorization Act (NDAA) for Fiscal Year 2022 Section 835 Independent Study on Technical Debt in Software-Intensive Systems

December 7, 2023 • technical report, by ipek ozkaya, brigid o'hearn, julie b. cohen, forrest shull.

This independent study of technical debt in software-intensive systems was sent to Congress in December 2023 to satisfy the requirements of NDAA Section 835.

Assessing Opportunities for LLMs in Software Engineering and Acquisition

November 1, 2023 • white paper, by julie b. cohen, james ivers, ipek ozkaya, stephany bellomo, shen zhang.

This white paper examines how decision makers, such as technical leads and program managers, can assess the fitness of large language models (LLMs) to address software engineering and acquisition needs.

Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk (Expanded Set of Practices)

October 2, 2023 • technical note, by michael s. bandor, charles m. wallen, carol woody, christopher j. alberts.

This framework of practices helps programs coordinate their management of engineering and supply chain risks across the systems lifecycle.

Simulating Realistic Human Activity Using Large Language Model Directives

October 2, 2023 • technical report, by sean huff, thomas g. podnar, dustin d. updyke.

The authors explore how activities generated from the GHOSTS Framework’s NPC client compare to activities produced by GHOSTS’ default behavior and LLMs.

Why Your Software Cost Estimates Change Over Time and How DevSecOps Data Can Help Reduce Cost Risk

September 29, 2023 • white paper, by julie b. cohen.

Early software cost estimates are often off by over 40%; this paper discusses how programs must continually update estimates as more information becomes available.

A Retrospective in Engineering Large Language Models for National Security

By andrew o. mellinger, tyler brooks, shannon gallagher, bryan brown, eric heim, hollen barmer, william nichols, nick winski, nathan m. vanhoudnos, jasmine ratchford, angelique mcdowell, swati rallapalli.

This document discusses the findings, recommendations, and lessons learned from engineering a large language model for national security use cases.

U.S. Leadership in Software Engineering and AI Engineering

August 25, 2023 • white paper, by ipek ozkaya, douglas schmidt (vanderbilt university), forrest shull, john e. robert, erin harper, anita carleton.

A joint SEI/NITRD workshop will advance U.S. national interests through software and AI engineering and accelerate progress across virtually all scientific domains.

A Holistic View of Architecture Definition, Evolution, and Analysis

August 24, 2023 • technical report, by james ivers, sebastián echeverría, rick kazman.

This report focuses on performing architectural decisions and architectural analysis, spanning multiple quality attributes, in a sustainable and ongoing way.

Emerging Technologies: Seven Themes Changing the Future of Software in the DoD

August 24, 2023 • white paper, by scott hissam, shen zhang, michael abad-santos.

This report summarizes the SEI's Emerging Technologies Study (ETS) and identifies seven emerging technologies to watch in software engineering practices and technology.

Demonstrating the Practical Utility and Limitations of ChatGPT Through Case Studies

August 23, 2023 • white paper, by clarence worrell, matthew walsh, alejandro gomez, dominic a. ross.

In this study, SEI researchers conducted four case studies using GPT-3.5 to assess the practical utility of large language models such as ChatGPT.

Software Excellence Through the Agile High Velocity Development℠ Process

July 17, 2023 • technical report, by barti k. perini (ishpi information technologies, inc.), stephen shook (ishpi information technologies, inc.).

The High Velocity Development℠ process earned Ishpi Information Technologies, Inc. the 2023 Watts Humphrey Software Quality Award.

Coding the Future: Recommendations for Defense Software R&D

July 13, 2023 • white paper, by software engineering institute.

This report outlines the key recommendations from the November 2022 workshop "Software as a Modernization Priority."

Engineering of Edge Software Systems: A Report from the November 2022 SEI Workshop on Software Systems at the Edge

June 30, 2023 • white paper, by ipek ozkaya, grace lewis, kevin a. pitstick.

Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for engineering software systems at the edge.

Software Bill of Materials Framework: Leveraging SBOMs for Risk Reduction

June 14, 2023 • white paper, by carol woody, christopher j. alberts, michael s. bandor, charles m. wallen.

This paper is a Software Bill of Materials (SBOM) Framework that is a starting point for expanding the use of SBOMs for managing software and systems risk.

Generative AI: Key Opportunities and Research Challenges

June 9, 2023 • white paper.

This 2023 workshop report identifies DoD use cases for generative AI and discusses meeting challenges and needs such as investing in guardrails and responsible AI amid a race to capability.

Securing UEFI: An Underpinning Technology for Computing

May 30, 2023 • white paper, by vijay s. sarvepalli.

This paper highlights the technical efforts to secure the UEFI-based firmware that serves as a foundational piece of modern computing environments.

Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure

May 23, 2023 • technical report, by timothy a. chick, nataliya shevchenko, scott pavetti.

This report describes how analysts can use a model-based systems engineering (MBSE) approach to detect and mitigate cybersecurity risks to a DevSecOps pipeline.

A Strategy for Component Product Lines: Report 2: Specification Modeling for Components in a Component Product Line

May 17, 2023 • special report, by john mcgregor, john j. hudak, sholom g. cohen.

This report introduces the “model chain” concept for specifying a component product line and realizing architecture requirements through the creation–evolution process.

A Strategy for Component Product Lines: Report 3: Component Product Line Governance

May 4, 2023 • special report, by sholom g. cohen, alfred schenker.

This report provides guidance for the community involved with developing and sustaining product lines of components used by the U.S. government.

Program Managers—The DevSecOps Pipeline Can Provide Actionable Data

April 24, 2023 • white paper, by julie b. cohen, bill nichols.

This paper describes the Automated Continuous Estimation for a Pipeline of Pipelines research project, which automates data collection to track program progress.

Zero Trust Industry Day 2022: Areas of Future Research

January 25, 2023 • white paper, by timothy morrow, trista polaski, matthew nicolai.

This paper describes the future research discussed at the 2022 Zero Trust Industry Day event.

Industry Best Practices for Zero Trust Architecture

December 13, 2022 • white paper, by timothy morrow, nathaniel richmond, matthew nicolai.

This paper describes best practices identified during the SEI’s Zero Trust Industry Day 2022, and provides ways to help organizations shift to zero trust.

A Strategy for Component Product Lines: Report 1: Scoping, Objectives, and Rationale

December 8, 2022 • special report, by gabriel moreno, john j. hudak, sholom g. cohen, alfred schenker, john mcgregor.

This report establishes a Component Product Line Strategy to address problems in systematically reusing and integrating components built to conform to component specification models.

Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk

November 11, 2022 • technical note.

This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.

Zero Trust Industry Day Experience Paper

October 31, 2022 • white paper, by rhonda brown, mary popeck, timothy morrow.

This paper describes the results of the 2022 Zero Trust Industry Day event.

Challenge Development Guidelines for Cybersecurity Competitions

October 27, 2022 • technical report, by dennis m. allen, leena arora, joseph vessella, josh hammerstein, matt kaar, jarrett booz.

This paper draws on the SEI’s experience to provide general-purpose guidelines and best practices for developing effective cybersecurity challenges.

Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk

October 4, 2022 • white paper, by carol woody, christopher j. alberts, charles m. wallen, michael s. bandor.

The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.

Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)

September 15, 2022 • special report, by allen d. householder.

This report proposes a formal protocol specification for MPCVD to improve the interoperability of both CVD and MPCVD processes.

Common Sense Guide to Mitigating Insider Threats, Seventh Edition

September 7, 2022 • technical report.

The guide describes 22 best practices for mitigating insider threat based on the CERT Division's continued research and analysis of more than 3,000 insider threat cases.

Coordinated Vulnerability Disclosure User Stories

August 25, 2022 • white paper, by art manion, timur d. snoke, vijay s. sarvepalli, jonathan spring, allen d. householder, laurie tyzenhaus, brad runyon, eric hatleback, charles g. yarbrough.

This paper provides user stories to guide the development of a technical protocol and application programming interface for Coordinated Vulnerability Disclosure.

LLVM Intermediate Representation for Code Weakness Identification

July 8, 2022 • white paper, by shannon gallagher, william klieber, david svoboda.

This paper examines whether intermediate representation used in Large Language Models can be useful to indicate the presence of software vulnerabilities.

Digital Engineering Effectiveness

May 19, 2022 • white paper, by alfred schenker, bill nichols, tyler smith (adventium labs, inc.).

This paper explores the reluctance of developers of cyber-physical systems to embrace digital engineering (DE), how DE methods should be tailored to achieve their stakeholders' goals, and how to measure …

A Brief Introduction to the Evaluation of Learned Models for Aerial Object Detection

May 2, 2022 • white paper, by eric heim.

The SEI AI Division assembled guidance on the design, production, and evaluation of machine-learning models for aerial object detection.

Guidance for Tailoring DoD Request for Proposals (RFPs) to Include Modeling

April 27, 2022 • special report, by tom merendino, robert wojcik, julie b. cohen.

This report provides guidance for government program offices that are including digital engineering/modeling requirements into a request for proposal.

Modeling to Support DoD Acquisition Lifecycle Events (Version 1.4)

April 26, 2022 • white paper, by tom merendino, julie b. cohen, robert wojcik.

This document provides suggestions for producing requirement, system, and software models that will be used to support various DoD system acquisition lifecycle events.

Experiences with Deploying Mothra in Amazon Web Services (AWS)

April 26, 2022 • technical report, by daniel ruef, john stogoski, brad powell.

The authors describe development of an at-scale prototype of an on-premises system to test the performance of Mothra in the cloud and provide recommendations for similar deployments.

Extensibility

April 6, 2022 • technical report.

This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for extensibility.

TwinOps: Digital Twins Meets DevOps

March 24, 2022 • technical report, by joe yankel, jerome hugues, anton hristozov, john j. hudak.

This report describes ModDevOps, an approach that bridges model-based engineering and software engineering using DevOps concepts and code generation from models, and TwinOps, a specific ModDevOps pipeline.

March 16, 2022 • Technical Report

By philip bianco, james ivers, sebastián echeverría, rick kazman.

This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for robustness.

An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems

March 9, 2022 • white paper, by jonathan spring.

This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing.

Using XML to Exchange Floating Point Data

February 10, 2022 • white paper, by john klein.

This paper explains issues of using XML to exchange floating point values, how to address them, and the limits of technology to enforce a correct implementation.

Using Machine Learning to Increase NPC Fidelity

December 1, 2021 • technical report, by dustin d. updyke, thomas g. podnar, geoffrey b. dobson, john yarger.

The authors describe how they used machine learning (ML) modeling to create decision-making preferences for non-player characters (NPCs).

A Prototype Set of Cloud Adoption Risk Factors

October 27, 2021 • white paper, by christopher j. alberts.

Alberts discusses the results of a study to identify a prototype set of risk factors for adopting cloud technologies.

Cloud Security Best Practices Derived from Mission Thread Analysis

September 2, 2021 • technical report, by timothy morrow, donald faatz, nathaniel richmond, angel luis hueca, vincent lapiana.

This report presents practices for secure, effective use of cloud computing and risk reduction in transitioning applications and data to the cloud, and considers the needs of limited-resource businesses.

Accenture: An Automation Maturity Journey

July 29, 2021 • technical report, by rajendra t. prasad (accenture).

This paper describes work in the area of automation that netted Accenture the 2020 Watts Humphrey Software Process Achievement Award.

Planning and Design Considerations for Data Centers

July 19, 2021 • technical note, by Lyndsi A. Hughes, David Sweeney, Mark Kasunic.

This report shares important lessons learned from establishing small- to mid-size data centers.

Integrating Zero Trust and DevSecOps

July 5, 2021 • white paper, by Timothy Morrow, Geoff Sanders, Nathaniel Richmond, Carol Woody.

This paper discusses the interdependent strategies of zero trust and DevSecOps in the context of application development.

A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)

July 1, 2021 • special report, by Allen D. Householder, Jonathan Spring.

This report discusses performance indicators that stakeholders in Coordinated Vulnerability Disclosure (CVD) can use to measure its effectiveness.

Human-Centered AI

June 25, 2021 • white paper, by Jay Palat, Matt Gaston, Frank Redner, Carol J. Smith, Tanisha Smith, Hollen Barmer, Rachel Dzombak.

This white paper discusses Human-Centered AI: systems that are designed to work with, and for, people.

Robust and Secure AI

By Rachel Dzombak, Hollen Barmer, Eric Heim, Nathan M. VanHoudnos, Tanisha Smith, Frank Redner, Matt Gaston, Jay Palat.

This white paper discusses Robust and Secure AI systems: AI systems that reliably operate at expected levels of performance, even when faced with uncertainty and in the presence of danger …

Scalable AI

By Jay Palat, Matt Gaston, Frank Redner, Tanisha Smith, Hollen Barmer, Rachel Dzombak, John Wohlbier.

This white paper discusses Scalable AI: the ability of AI algorithms, data, models, and infrastructure to operate at the size, speed, and complexity required for the mission.

The Sector CSIRT Framework: Developing Sector-Based Incident Response Capabilities

June 8, 2021 • technical report, by Tracy Bills, Sharon Mudd, Justin Novak, Brittany Manley, Angel Luis Hueca, David McIntire.

This framework guides the development and implementation of a sector CSIRT.

Foundation of Cyber Ranges

May 19, 2021 • technical report, by Bill Reed, Dustin D. Updyke, Geoffrey B. Dobson, Thomas G. Podnar.

This report details the design considerations and execution plan for building high-fidelity, realistic virtual cyber ranges that deliver maximum training and exercise value for cyberwarfare participants.

Software Assurance Guidance and Evaluation (SAGE) Tool

May 3, 2021 • white paper, by Robert Schiela, Ebonie McNeil, Luiz Antunes, Hasan Yasar.

The Software Assurance Guidance and Evaluation (SAGE) tool helps an organization assess the security of its systems development and operations practices.

Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)

April 30, 2021 • white paper, by Jonathan Spring, Allen D. Householder, Art Manion, Vijay S. Sarvepalli, Eric Hatleback, Laurie Tyzenhaus, Madison Oliver, Charles G. Yarbrough.

This paper presents version 2.0 of a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System …

Modeling and Validating Security and Confidentiality in System Architectures

March 19, 2021 • technical report, by Aaron Greenhouse, Lutz Wrage, Jörgen Hansson (University of Skovde).

This report presents an approach for modeling and validating confidentiality using the Bell–LaPadula security model and the Architecture Analysis & Design Language.

Overview of Practices and Processes of the CMMC 1.0 Assessment Guides (CMMC 1.0)

March 3, 2021 • white paper, by Douglas Gardner.

This document is intended to help anyone unfamiliar with cybersecurity standards get started with the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).

Zero Trust: Risks and Research Opportunities

March 1, 2021 • white paper, by Geoff Sanders, Timothy Morrow.

This paper describes a zero trust vignette and three mission threads that highlight risks and research areas to consider for zero trust environments.

Artificial Intelligence (AI) and Machine Learning (ML) Acquisition and Policy Implications

February 26, 2021 • white paper, by William E. Novak.

This paper reports on a high-level survey of a set of both actual and potential acquisition and policy implications of the use of Artificial Intelligence (AI) and Machine Learning (ML) …

Security Engineering Risk Analysis (SERA) Threat Archetypes

December 16, 2020 • white paper, by Carol Woody, Christopher J. Alberts.

This report examines the concept of threat archetypes and how analysts can use them during scenario development.

Loss Magnitude Estimation in Support of Business Impact Analysis

December 15, 2020 • technical report, by Brett Tucker, Daniel J. Kambic, David Tobar, Andrew P. Moore.

The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.

Emerging Technologies 2020: Six Areas of Opportunity

December 14, 2020 • white paper.

This study seeks to understand what the software engineering community perceives to be key emerging technologies. The six technologies described hold great promise and, in some cases, have already attracted …

Maintainability

December 1, 2020 • technical report, by Rick Kazman, John Klein, James Ivers, Philip Bianco.

This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for maintainability.

Advancing Risk Management Capability Using the OCTAVE FORTE Process

November 17, 2020 • technical note, by Brett Tucker.

OCTAVE FORTE is a process model that helps organizations evaluate their security risks and use ERM principles to bridge the gap between executives and practitioners.

Analytic Capabilities for Improved Software Program Management

November 2, 2020 • white paper, by Christopher Miller, David Zubrow.

This white paper describes an update to the SEI Quantifying Uncertainty in Early Lifecycle Cost Estimation approach.

AI Engineering for Defense and National Security: A Report from the October 2019 Community of Interest Workshop

October 29, 2020 • special report.

Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for AI Engineering for Defense and National Security.

NICE Framework Cybersecurity Evaluator

August 20, 2020 • white paper, by Christopher Herr.

This cybersecurity evaluator is designed to assess members of the cyber workforce within the scope of the NICE Cybersecurity Workforce Framework.

Current Ransomware Threats

August 19, 2020 • white paper, by Marisa Midler, Kyle O'Meara.

This report by Marisa Midler, Kyle O'Meara, and Alexandra Parisi discusses ransomware, including an explanation of its design, distribution, execution, and business model.

An Updated Framework of Defenses Against Ransomware

August 18, 2020 • white paper, by Timur D. Snoke, Timothy J. Shimeall.

This report, loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against Ransomware-as-a-Service (RaaS) as well as direct ransomware attacks.

Historical Analysis of Exploit Availability Timelines

August 13, 2020 • white paper, by David Warren, Jeff Chrabaszcz (Govini), Trent Novelly, Allen D. Householder, Jonathan Spring.

This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible.

Architecture Evaluation for Universal Command and Control

August 3, 2020 • white paper, by John Klein, Harry L. Levinson, Reed Little, Jason Popowski, Philip Bianco, Patrick Donohoe.

The SEI developed an analysis method to assess function allocations in existing C2 systems and reason about design choices and tradeoffs during the design of new C2 systems.

A Risk Management Perspective for AI Engineering

June 10, 2020 • white paper.

This paper describes several steps of OCTAVE FORTE in the context of adopting AI technology.

Attack Surface Analysis - Reduce System and Organizational Risk

June 8, 2020 • white paper, by Robert J. Ellison, Carol Woody.

This paper offers system defenders an overview of how threat modeling can provide a systematic way to identify potential threats and prioritize mitigations.

Guide to Implementing DevSecOps for a System of Systems in Highly Regulated Environments

April 8, 2020 • technical report, by Jose A. Morales, Peter Capell, David James Shepard, Richard Turner, Patrick R. Place, Suzanne Miller.

This Technical Report provides guidance to projects interested in implementing DevSecOps (DSO) in defense or other highly regulated environments, including those involving systems of systems.

Integrability

February 7, 2020 • technical report, by Rick Kazman, John Klein, Philip Bianco, James Ivers.

This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for integrability.

Comments on NISTIR 8269 (A Taxonomy and Terminology of Adversarial Machine Learning)

February 4, 2020 • white paper, by Jonathan Spring, April Galyardt, Nathan M. VanHoudnos.

Feedback to the U.S. National Institute of Standards and Technology (NIST) about NIST IR 8269, a draft report detailing the proposed taxonomy and terminology of Adversarial Machine Learning (AML).

Penetration Tests Are The Check Engine Light On Your Security Operations

January 7, 2020 • white paper, by Dan J. Klinedinst, Allen D. Householder.

A penetration test serves as a lagging indicator of a network security operations problem. Organizations should implement and document several security controls before a penetration test can be useful.

Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization

December 4, 2019 • white paper, by Allen D. Householder, Jonathan Spring, Art Manion, Deana Shick, Eric Hatleback.

This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).

AI Engineering: 11 Foundational Practices

September 12, 2019 • white paper.

This initial set of recommendations can help organizations that are beginning to build, acquire, and integrate artificial intelligence capabilities into business and mission systems.

Machine Learning in Cybersecurity: A Guide

September 5, 2019 • technical report, by Ed Stoner, Joshua Fallon, April Galyardt, Jonathan Spring, Leigh B. Metcalf, Angela Horneman.

This report suggests seven key questions that managers and decision makers should ask about machine learning tools to effectively use those tools to solve cybersecurity problems.

Operational Test & Evaluation (OT&E) Roadmap for Cloud-Based Systems

September 2, 2019 • white paper, by John Klein, Christopher J. Alberts, Carol Woody, Charles M. Wallen.

This paper provides an overview of the preparation and work that the AEC needs to perform to successfully transition the Army to cloud computing.

IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2018: U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate

August 1, 2019 • technical report, by Victor A. Elias (U.S. Army CCDC Armaments Center, Fire Control Systems and Technology Directorate).

This report presents a systemic approach to software development process improvement and its impact for the U.S. Army Combat Capabilities Development Command Armaments Center, Fire Control Systems and Technology Directorate …

Overview of Risks, Threats, and Vulnerabilities Faced in Moving to the Cloud

July 11, 2019 • technical report, by Kelwyn Pender, Carrie Lee (U.S. Department of Veteran Affairs), Donald Faatz, Timothy Morrow.

This report, updated in October 2020, examines the changes to risks, threats, and vulnerabilities when applications are deployed to cloud services.

Automatically Detecting Technical Debt Discussions

June 24, 2019 • white paper, by Robert Nord, Ipek Ozkaya, Zachary Kurtz, Raghvinder Sangwan.

This study introduces (1) a dataset of expert labels of technical debt in developer comments and (2) a classifier trained on those labels.

Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem

By Allen D. Householder, Andrew P. Moore.

This paper presents modeling and analysis of two critical foundational processes of the cybersecurity vulnerability management ecosystem using a combination of system dynamics and agent-based modeling techniques.

SCAIFE API Definition Beta Version 0.0.2 for Developers

June 14, 2019 • white paper, by Ebonie McNeil, Lori Flynn.

This paper provides the SCAIFE API definition for beta version 0.0.2. SCAIFE is an architecture that supports static analysis alert classification and prioritization.

Creating xBD: A Dataset for Assessing Building Damage from Satellite Imagery

May 21, 2019 • white paper.

We present a preliminary report for xBD, a new large-scale dataset for the advancement of change detection and building damage assessment for humanitarian assistance and disaster recovery research.

Integration of Automated Static Analysis Alert Classification and Prioritization with Auditing Tools: Special Focus on SCALe

May 13, 2019 • technical report, by Lori Flynn, David Svoboda, Ebonie McNeil, Zachary Kurtz, Derek Leung, Jiyeon Lee (Carnegie Mellon University).

This report summarizes progress and plans for developing a system to perform automated classification and advanced prioritization of static analysis alerts.

Cybersecurity Career Paths and Progression

May 7, 2019 • white paper, by Nicholas Giruzzi, Marie Baker, Dennis M. Allen, Melissa Burns.

This paper explores the current state of cybersecurity careers, from the importance of early exposure, to methods of entry into the field, to career progression.

Cybersecurity Talent Identification and Assessment

By Dennis M. Allen, Marie Baker, Christopher Herr.

To help fill cybersecurity roles, this paper explores how organizations identify talent, discusses assessment capabilities, and provides recommendations on recruitment and talent evaluations.

Cybersecurity Careers of the Future

By Dennis M. Allen.

Using workforce data analysis, this paper identifies key cybersecurity skills the workforce needs to close the cybersecurity workforce gap.

A Targeted Improvement Plan for Service Continuity

April 8, 2019 • technical note, by Philip A. Scolieri, Jeffrey Pinckard, Robert A. Vrtis, Andrew F. Hoover, Gavin Jurecko.

Describes how an organization can leverage the results of a Cyber Resilience Review to create a Targeted Improvement Plan for its service continuity management.

Exploring the Use of Metrics for Software Assurance

March 7, 2019 • technical note, by Carol Woody, Robert J. Ellison, Charlie Ryan.

This report proposes measurements for each Software Assurance Framework (SAF) practice that a program can select to monitor and manage the progress it's making toward software assurance.

Common Sense Guide to Mitigating Insider Threats, Sixth Edition

February 27, 2019 • technical report, by Sarah Miller, Tracy Cassidy, Michael C. Theis, Daniel L. Costa, William R. Claycomb, Andrew P. Moore, Randall F. Trzeciak.

The guide presents recommendations for mitigating insider threat based on the CERT Division's continued research and analysis of more than 1,500 insider threat cases.

An Approach for Integrating the Security Engineering Risk Analysis (SERA) Method with Threat Modeling

February 6, 2019 • white paper.

This report examines how cybersecurity data generated by a threat modeling method can be integrated into a mission assurance context using the SERA Method.

Infrastructure as Code: Final Report

January 28, 2019 • white paper, by Doug Reynolds, John Klein.

This project explored the feasibility of infrastructure as code, developed prototype tools, populated a model of the deployment architecture, and automatically generated IaC scripts from the model.

Incident Management Capability Assessment

December 19, 2018 • technical report, by Samuel J. Perl, Mark Zajicek, Robin Ruefle, Christopher J. Alberts, Pennie Walters, Carly L. Huth, Audrey J. Dorofee, David McIntire.

The capabilities presented in this report provide a benchmark of incident management practices.

Program Manager's Guidebook for Software Assurance

December 14, 2018 • special report, by Carol Woody, Timothy A. Chick, Kenneth Nidiffer.

This guidebook helps program managers address the software assurance responsibilities critical in defending software-intensive systems, including mission threads and cybersecurity.

DoD Developer’s Guidebook for Software Assurance

By Bill Nichols, Tom Scanlon.

This guidebook helps software developers for DoD programs understand expectations for software assurance and standards and requirements that affect assurance.

Towards Improving CVSS

December 4, 2018 • white paper, by Allen D. Householder, Jonathan Spring, Deana Shick, Art Manion, Eric Hatleback.

This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).

GHOSTS in the Machine: A Framework for Cyber-Warfare Exercise NPC Simulation

December 3, 2018 • technical report, by Adam D. Cerini, Benjamin L. Earl, Thomas G. Podnar, Geoffrey B. Dobson, Luke J. Osterritter, Dustin D. Updyke.

This report outlines how the GHOSTS (General HOSTS) framework helps create realism in cyber-warfare simulations and discusses how it was used in a case study.

Composing Effective Software Security Assurance Workflows

October 18, 2018 • technical report, by Bill Nichols, Jim McHale, Aaron Volkmann, David Sweeney, William Snavely.

In an effort to determine how to make secure software development more cost effective, the SEI conducted a research study to empirically measure the effects that security tools—primarily automated static …

FedCLASS: A Case Study of Agile and Lean Practices in the Federal Government

October 5, 2018 • special report, by Jeff Davenport, Tamara Marshall-Keim, Linda Parker Gates, Nanette Brown.

This study reports the successes and challenges of using Agile and Lean methods and cloud-based technologies in a government software development environment.

Threat Modeling for Cyber-Physical System-of-Systems: Methods Evaluation

September 25, 2018 • white paper, by Nataliya Shevchenko, Carol Woody, Brent Frye.

This paper compares threat modeling methods for cyber-physical systems and recommends which methods (and combinations of methods) to use.

Software Architecture Publications

September 17, 2018 • white paper.

The SEI compiled this bibliography of publications about software architecture as a resource for information about system architecture throughout its lifecycle.

Practical Precise Taint-flow Static Analysis for Android App Sets

August 27, 2018 • white paper, by William Klieber, Lori Flynn, William Snavely, Michael Zheng.

This paper describes how to detect taint flow in Android app sets with a static analysis method that is fast and uses little disk and memory space.

Threat Modeling: A Summary of Available Methods

August 9, 2018 • white paper, by Carol Woody, Nataliya Shevchenko, Tom Scanlon, Timothy A. Chick, Paige O'Riordan.

This paper discusses twelve threat modeling methods from a variety of sources that target different parts of the development process.

Navigating the Insider Threat Tool Landscape: Low-Cost Technical Solutions to Jump-Start an Insider Threat Program

July 3, 2018 • white paper, by Michael J. Albrethsen, Derrick Spooner, Daniel L. Costa, George Silowash.

This paper explores low cost technical solutions that can help organizations prevent, detect, and respond to insider incidents.

Blacklist Ecosystem Analysis: July - December 2017

April 19, 2018 • white paper, by Leigh B. Metcalf, Eric Hatleback.

This short report provides a summary of the various analyses of the blacklist ecosystem performed from July 1, 2017, through December 31, 2017.

ROI Analysis of the System Architecture Virtual Integration Initiative

April 12, 2018 • technical report, by Jörgen Hansson (University of Skovde), Steve Helton (The Boeing Company), Peter H. Feiler.

This report presents an analysis of the economic effects of the System Architecture Virtual Integration approach on the development of software-reliant systems for aircraft compared to existing development paradigms.

Implementing DevOps Practices in Highly Regulated Environments

April 2, 2018 • white paper, by Jose A. Morales, Aaron Volkmann, Hasan Yasar.

In this paper, the authors lay out the process with insights on performing a DevOps assessment in a highly regulated environment.

A Mapping of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the Cyber Resilience Review (CRR)

March 29, 2018 • technical note, by Robert A. Vrtis, Matthew Trevors, Greg Porter (Heinz College at Carnegie Mellon University).

This technical note describes mapping of HIPAA Security Rule requirements to practice questions found in the CERT Cyber Resilience Review for organizations' use in HIPAA compliance.

A Hybrid Threat Modeling Method

March 27, 2018 • technical note, by Krishnamurthy Vemuru (University of Virginia), Ole Villadsen (Carnegie Mellon University), Nancy R. Mead, Forrest Shull.

Presents a hybrid method of threat modeling that attempts to meld the desirable features of three methods: Security Cards, Persona non Grata, and STRIDE.

Cyber Mutual Assistance Workshop Report

February 13, 2018 • special report, by Katie C. Stewart, Jonathon Monken (PJM Interconnection), Fernando Maymi, PhD (Army Cyber Institute), Dan Bennett, PhD (Army Cyber Institute), Dan Huynh (Army Cyber Institute), Blake Rhoades (Army Cyber Institute), Matt Hutchison (Army Cyber Institute), Judy Esquibel (Army Cyber Institute), Bill Lawrence (North American Electric Reliability Corporation).

The Army Cyber Institute hosted a Cyber Mutual Assistance Workshop to identify challenges in defining cyber requirements for Regional Mutual Assistance Groups.

Embedded Device Vulnerability Analysis Case Study Using Trommel

December 6, 2017 • white paper, by Kyle O'Meara, Madison Oliver.

This document provides security researchers with a repeatable methodology to produce more thorough and actionable results when analyzing embedded devices for vulnerabilities.

2017 Emerging Technology Domains Risk Survey

October 5, 2017 • technical report, by Kyle O'Meara, Dan J. Klinedinst, Joel Land.

This report describes our understanding of future technologies and helps US-CERT identify vulnerabilities, promote security practices, and understand vulnerability risk.

R-EACTR: A Framework for Designing Realistic Cyber Warfare Exercises

September 29, 2017 • technical report, by Adam D. Cerini, Thomas G. Podnar, Geoffrey B. Dobson, Luke J. Osterritter.

R-EACTR is a design framework for cyber warfare exercises. It ensures that designs of team-based exercises factor realism into all aspects of the participant experience.

Architecture Practices for Complex Contexts

September 26, 2017 • white paper.

This doctoral thesis, completed at Vrije Universiteit Amsterdam, focuses on software architecture practices for systems of systems, including data-intensive systems.

Defining a Progress Metric for CERT-RMM Improvement

September 8, 2017 • technical note, by David Tobar, Nader Mehravari, Gregory Crabb (United States Postal Service).

Describes the Cybersecurity Program Progress Metric and how its implementation in a large, diverse U.S. national organization can serve to indicate progress toward improving cybersecurity and resilience capabilities.

Blacklist Ecosystem Analysis: January - June, 2017

August 22, 2017 • white paper, by Eric Hatleback, Leigh B. Metcalf.

This short report provides a summary of the various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data …

The CERT Guide to Coordinated Vulnerability Disclosure

August 15, 2017 • special report, by Allen D. Householder, Art Manion, Christopher King, Garret Wassermann.

This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go …

Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers

July 11, 2017 • special report, by Joel Land.

This report describes a test framework that the CERT/CC developed to identify systemic and other vulnerabilities in CPE routers.

Department of Defense Software Factbook

July 11, 2017 • technical report, by David Zubrow, Christopher Miller, Rhonda Brown, James McCurley, Brad Clark, Mike Zuccher (no affiliation).

In this report, the Software Engineering Institute has analyzed data related to DoD software projects and translated it into information that is frequently sought-after across the DoD.

DidFail: Coverage and Precision Enhancement

July 6, 2017 • technical report, by Karan Dwivedi (no affiliation), Hongli Yin (no affiliation), Pranav Bagree (no affiliation), Xiaoxiao Tang (no affiliation), William Snavely, William Klieber, Lori Flynn.

This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.

The Hard Choices Game Explained

June 26, 2017 • white paper, by Erin Lim, Philippe Kruchten, Robert Nord, Nanette Brown, Ipek Ozkaya.

The Hard Choices game is a simulation of the software development cycle meant to communicate the concepts of uncertainty, risk, and technical debt.

Federal Virtual Training Environment (FedVTE)

June 5, 2017 • white paper, by April Galyardt, Dominic A. Ross, Marie Baker.

The Federal Virtual Training Environment (FedVTE) is an online, on‐demand training system containing cybersecurity and certification prep courses, at no cost to federal, state, and local government employees.

Blacklist Ecosystem Analysis: July – December 2016

June 1, 2017 • white paper.

This report provides a summary of various analyses of the blacklist ecosystem performed to date. It also appends the latest additional data to those analyses; the added data in this …

Guide to Software Architecture Tools

May 22, 2017 • white paper.

This document discusses tools and methods for analyzing the architecture, establishing requirements, evaluating the architecture, and defining the architecture.

System-of-Systems Software Architecture Evaluation

May 15, 2017 • white paper.

The SoS Architecture Evaluation Method provides an initial identification of SoS architectural risks and quality attribute inconsistencies across the constituent systems.

IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award

SEI-Certified PSP Developer Examination: Sample Questions

This page contains sample questions similar to those found on the PSP Developer examination.

IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement Award 2016: Raytheon Integrated Defense Systems

April 28, 2017 • technical report, by Neal Mackertich (Raytheon), Peter Kraus (Raytheon), Kurt Mittelstaedt (Raytheon), Brian Foley (Raytheon), Dan Bardsley (Raytheon), Kelli Grimes (Raytheon), Mike Nolan (Raytheon).

The Raytheon Integrated Defense Systems DFSS team has been recognized with the 2016 Watts Humphrey Software Process Achievement Award.

IEEE Computer Society/Software Engineering Institute Watts S. Humphrey Software Process Achievement (SPA) Award 2016: Nationwide

April 13, 2017 • technical report, by Will J.M. Pohlman (Nationwide IT).

This report describes the 10-year history of Nationwide's software process improvement journey. Nationwide received the 2016 Watts Humphrey Software Process Achievement Award from the SEI and IEEE.

Prototype Software Assurance Framework (SAF): Introduction and Overview

April 6, 2017 • technical note.

In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.

15 Tips for Preparing and Delivering a Great Presentation at SATURN

March 14, 2017 • white paper.

You submitted a proposal to SATURN, and it got accepted. Congratulations! Here are 15 tips for creating and giving a great presentation at SATURN.

The CISO Academy

February 23, 2017 • white paper, by Pamela D. Curtis, Summer C. Fowler, David Tobar, David Ulicne.

In this paper, the authors describe the project that led to the creation of the U.S. Postal Service's CISO Academy.

Agile Acquisition and Milestone Reviews

February 15, 2017 • white paper.

Acquisition & Management Concerns for Agile Use in Government Series - 4

Management and Contracting Practices for Agile Programs

Acquisition & Management Concerns for Agile Use in Government Series - 3

Estimating in Agile Acquisition

Acquisition & Management Concerns for Agile Use in Government Series - 5

Agile Development and DoD Acquisitions

Acquisition & Management Concerns for Agile Use in Government Series - 1

Agile Culture in the DoD

Acquisition & Management Concerns for Agile Use in Government Series - 2

Adopting Agile in DoD IT Acquisitions

Acquisition & Management Concerns for Agile Use in Government Series - 6

Supply Chain and Commercial-off-the-Shelf (COTS) Assurance

January 24, 2017 • white paper.

The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.

COTS-Based Systems

This paper presents a summary of SEI commercial off-the-shelf (COTS) software documents and COTS tools.

Create a CSIRT

January 18, 2017 • white paper.

This white paper discusses the issues and decisions organizations should address when planning, implementing, and building a CSIRT.

Skills Needed When Staffing Your CSIRT

This white paper describes a set of skills that CSIRT staff members should have to provide basic incident-handling services.

CSIRT Frequently Asked Questions (FAQ)

This FAQ addresses CSIRTs, organizations responsible for receiving, reviewing, and responding to computer security incident reports and activity.

CERT-RMM Capability Appraisals

January 17, 2017 • white paper.

This white paper describes CERT-RMM appraisals and the benefits they offer organizations.

A Technical History of the SEI

January 6, 2017 • special report, by Larry Druffel.

This report chronicles the technical accomplishments of the Software Engineering Institute and its impact on the Department of Defense software community, as well as on the broader software engineering community.

SQUARE Frequently Asked Questions (FAQ)

January 5, 2017 • white paper.

This paper contains information about SQUARE, a process that helps organizations build security into the early stages of the software production lifecycle.

Common Sense Guide to Mitigating Insider Threats, Fifth Edition

December 21, 2016 • technical report, by Tracy Cassidy, Michael J. Albrethsen, Michael C. Theis, Daniel L. Costa, Jason W. Clark, Andrew P. Moore, Randall F. Trzeciak, Matthew L. Collins, Jeremy R. Strozer.

Presents recommendations for mitigating insider threat based on CERT's continued research and analysis of over 1,000 cases.

Architecture-Led Safety Process

By David P. Gluch, Julien Delange, Peter H. Feiler, John McGregor.

Architecture-Led Safety Analysis (ALSA) is a safety analysis method that uses early architecture knowledge to supplement traditional safety analysis techniques to identify faults as early as possible.

The Critical Role of Positive Incentives for Reducing Insider Threats

December 15, 2016 • technical report, by Palma Buttles-Valdez, Nathan M. VanHoudnos, Samuel J. Perl, Tracy Cassidy, Andrew P. Moore, Daniel Bauer, Jennifer Cowley, Jeff Savinda, Allison Parshall, Matthew L. Collins, Elizabeth A. Monaco, Jamie L. Moyes, Denise M. Rousseau (Carnegie Mellon University).

This report describes how positive incentives complement traditional practices to provide a better balance for organizations' insider threat programs.

Update 2016: Considerations for Using Agile in DoD Acquisition

December 14, 2016 • technical note, by alfred schenker, mary ann lapham, suzanne miller, ray c. williams, charles (bud) hammons, dan ward (dan ward consulting), daniel burton.

This report updates a 2010 technical note, addressing developments in commercial Agile practices as well as the Department of Defense (DoD) acquisition environment.

Scaling Agile Methods for Department of Defense Programs

December 13, 2016 • technical note, by suzanne miller, mary ann lapham, peter capell, eileen wrubel, will hayes.

This report discusses methods for scaling Agile processes to larger software development programs in the Department of Defense.

Low Cost Technical Solutions to Jump Start an Insider Threat Program

December 12, 2016 • technical note.

This technical note explores free and low cost technical solutions to help organizations prevent, detect, and respond to malicious insiders.

RFP Patterns and Techniques for Successful Agile Contracting

December 2, 2016 • special report, by larri ann rosser (raytheon intelligence information and services), steven martin (space and missile systems center), thomas e. friend (agile on target), greg howard (mitre), michael ryan (btas), john h. norton iii (raytheon integrated defense systems), keith korzec, peter capell, mary ann lapham.

This report discusses request-for-proposal patterns and techniques for successfully contracting a federal Agile project.

Ultra-Large-Scale Systems: Socio-adaptive Systems

December 1, 2016 • white paper, by mark h. klein, gabriel moreno, linda m. northrop, scott hissam, lutz wrage.

Ultra-large-scale systems are interdependent webs of software, people, policies, and economics. In socio-adaptive systems, humans and software interact as peers.

Cyber-Physical Systems

By david kyle, scott hissam, gabriel moreno, jeffrey hansen, john j. hudak, bjorn andersson, mark h. klein, dionisio de niz, sagar chaki.

Cyber-physical systems (CPS) integrate computational algorithms and physical components. SEI promotes the efficient development of high-confidence, distributed CPS.

Pervasive Mobile Computing

By edwin j. morris, grace lewis, james edmondson, william anderson, marc novakouski, jeff boleng, ben w. bradshaw, james root.

Pervasive mobile computing focuses on how soldiers and first responders can use smartphones, tablets, and other mobile/wearable devices at the tactical edge.

Predictability by Construction

By scott hissam, gabriel moreno, linda m. northrop, kurt c. wallnau, sagar chaki.

Predictability by construction (PBC) makes the behavior of a component-based system predictable before implementation, based on known properties of components.

Blacklist Ecosystem Analysis: January – June, 2016

FAA Research Project on System Complexity Effects on Aircraft Safety: Testing the Identified Metrics

November 30, 2016 • white paper, by bill nichols, sarah sheard, michael d. konrad, charles weinstock.

This report describes a test of an algorithm for estimating the complexity of a safety argument.

FAA Research Project on System Complexity Effects on Aircraft Safety: Estimating Complexity of a Safety Argument

By charles weinstock, michael d. konrad, sarah sheard, bill nichols.

This report presents a formula for estimating the complexity of an avionics system and directly connects that complexity to the size of its safety argument.

FAA Research Project on System Complexity Effects on Aircraft Safety: Identifying the Impact of Complexity on Safety

By donald firesmith, sarah sheard, michael d. konrad, charles weinstock.

This report organizes our work on the impact of software complexity on aircraft safety by asking, “How can complexity complicate safety and, thus, certification?”

FAA Research Project on System Complexity Effects on Aircraft Safety: Candidate Complexity Metrics

By sarah sheard, bill nichols.

This special report identifies candidate measures of complexity for systems with embedded software that relate to safety, assurance, or both.

FAA Research Project on System Complexity Effects on Aircraft Safety: Literature Search to Define Complexity for Avionics Systems

By sarah sheard, michael d. konrad.

This special report describes the results of a literature review sampling what is known about complexity for application in the context of safety and assurance.

Seven Proposal-Writing Tips That Make Conference Program Committees Smile

By mike petock, bill pollak.

Writing a great session proposal for a conference is difficult. Here are seven tips for writing a session proposal that will make reviewers go from frown to smile.

Definition and Measurement of Complexity in the Context of Safety Assurance

October 27, 2016 • technical report, by bill nichols, charles weinstock, michael d. konrad, sarah sheard.

This report describes research to define complexity measures for avionics systems to help the FAA identify when systems are too complex to assure their safety.

Establishing Trusted Identities in Disconnected Edge Environments

October 27, 2016 • white paper, by dan j. klinedinst, sebastián echeverría, keegan m. williams.

The goal of this paper is to present a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field.

A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)

October 25, 2016 • technical note, by jeffrey pinckard, robert a. vrtis, michael rattigan.

To help financial organizations assess cyber resilience, we map FFIEC Cybersecurity Assessment Tool (CAT) statements to Cyber Resilience Review (CRR) questions.

Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach

September 27, 2016 • white paper, by john haller, charles m. wallen.

A resilience-based approach can help financial services organizations to manage cybersecurity risks from outsourcing and comply with federal regulations.

Agile Development in Government: Myths, Monsters, and Fables

September 21, 2016 • white paper, by mary ann lapham, suzanne miller, david j. carney.

This volume is a reflection on attitudes toward Agile software development now current in the government workplace.

Striving for Effective Cyber Workforce Development

September 12, 2016 • white paper, by marie baker.

This paper reviews the issue of cyber awareness, identifies efforts to combat this deficiency, and concludes with strategies moving forward.

Segment-Fixed Priority Scheduling for Self-Suspending Real-Time Tasks

August 18, 2016 • technical report, by ragunathan (raj) rajkumar, junsung kim, jian-jia chen, wen-hung huang, geoffrey nelissen, bjorn andersson, dionisio de niz.

This report describes schedulability analyses and proposes segment-fixed priority scheduling for self-suspending tasks.

Creating Centralized Reporting for Microsoft Host Protection Technologies: The Enhanced Mitigation Experience Toolkit (EMET)

August 18, 2016 • technical note, by joseph tammariello, craig lewis.

This report describes how to set up a centralized reporting console for the Windows Enhanced Mitigation Experience Toolkit.

The QUELCE Method: Using Change Drivers to Estimate Program Costs

August 17, 2016 • technical note, by sarah sheard.

This technical note introduces Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), a method for estimating program costs early in development.

Blacklist Ecosystem Analysis: 2016 Update

August 15, 2016 • white paper, by eric hatleback, leigh b. metcalf, jonathan spring.

This white paper, which is the latest in a series of regular updates, builds upon the analysis of blacklists presented in our 2013 and 2014 reports.

Architecture Fault Modeling and Analysis with the Error Model Annex, Version 2

June 22, 2016 • technical report, by peter h. feiler, julien delange, john j. hudak, david p. gluch.

This report describes the Error Model Annex, Version 2 (EMV2), notation for architecture fault modeling, which supports safety, reliability, and security analyses.

A Requirement Specification Language for AADL

By lutz wrage, julien delange, peter h. feiler.

This report describes a textual requirement specification language, called ReqSpec, for the Architecture Analysis & Design Language (AADL) and demonstrates its use.

DMPL: Programming and Verifying Distributed Mixed-Synchrony and Mixed-Critical Software

June 21, 2016 • technical report, by sagar chaki, david kyle.

DMPL is a language for programming distributed real-time, mixed-criticality software. It supports distributed systems in which each node executes a set of periodic real-time threads that are scheduled by priority …

Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines

June 9, 2016 • special report, by christopher j. alberts, carol woody, audrey j. dorofee.

This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element …

Report Writer and Security Requirements Finder: User and Admin Manuals

June 7, 2016 • special report, by anand sankalp (carnegie mellon university), gupta anurag (carnegie mellon), priyam swati (carnegie mellon university), yaobin wen (carnegie mellon university), walid el baroni (carnegie mellon university), nancy r. mead.

This report presents instructions for using the Malware-driven Overlooked Requirements (MORE) website applications.

Applying the Goal-Question-Indicator-Metric (GQIM) Method to Perform Military Situational Analysis

May 23, 2016 • technical note, by douglas gray.

This report describes how to use the goal-question-indicator-metric method in tandem with the military METT-TC method (mission, enemy, time, terrain, troops available, and civil-military considerations).

An Insider Threat Indicator Ontology

May 10, 2016 • technical report, by matthew l. collins, samuel j. perl, michael j. albrethsen, derrick spooner, daniel l. costa, george silowash.

This report presents an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated.

Using Honeynets and the Diamond Model for ICS Threat Analysis

May 6, 2016 • technical report, by deana shick, kyle o'meara, john kotheimer.

This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an industrial control system honeynet—a network of seemingly vulnerable machines designed to lure …

April 19, 2016 • White Paper

This report introduces the Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE) method for estimating program costs early in a development lifecycle.

A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology

April 19, 2016 • technical report, by kyle o'meara, deana shick.

As they constantly change network infrastructure, adversaries consistently use and update their tools. This report presents a way for researchers to begin threat analysis with those tools rather than with …

On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle

April 13, 2016 • white paper, by christopher king, dan j. klinedinst.

This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.

2016 Emerging Technology Domains Risk Survey

April 8, 2016 • technical report, by todd lewellen, dan j. klinedinst, christopher king, garret wassermann.

This 2016 report provides a snapshot of our current understanding of future technologies.

Malware Capability Development Patterns Respond to Defenses: Two Case Studies

March 7, 2016 • white paper, by ed stoner, deana shick, jonathan spring, kyle o'meara.

In this paper, the authors describe their analysis of two case studies to outline the relationship between adversaries and network defenders.

Cyber-Foraging for Improving Survivability of Mobile Systems

February 18, 2016 • technical report, by sebastián echeverría, grace lewis, james root, ben w. bradshaw.

This report presents an architecture and experimental results that demonstrate that cyber-foraging using tactical cloudlets increases the survivability of mobile systems.

CERT-RMM Version 1.2 Release Notes

February 14, 2016 • white paper.

This document contains the release notes for CERT-RMM Version 1.2, released February 2014.

DoD Software Factbook

December 31, 2015 • white paper, by david zubrow, james mccurley, brad clark.

This DoD Factbook is an initial analysis of software engineering data from the perspective of policy and management questions about software projects.

Architecture-Led Safety Analysis of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System

December 31, 2015 • special report, by peter h. feiler.

This report summarizes an architecture-led safety analysis of the aircraft-survivability situation-awareness system for the Joint Multi-Role vertical lift program.

Requirements and Architecture Specification of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System

This report describes a method for capturing information from requirements documents in AADL and the draft Requirement Definition & Analysis Language Annex.

Potential System Integration Issues in the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System

By john j. hudak, peter h. feiler.

This report describes a method for capturing information from requirements documents in AADL to identify potential integration problems early in system development.

Extending AADL for Security Design Assurance of Cyber-Physical Systems

December 16, 2015 • technical report, by allen d. householder, rick kazman, john j. hudak, robert j. ellison, carol woody.

This report demonstrates the viability and limitations of using the Architecture Analysis and Design Language (AADL) through an extended example that allows for specifying and analyzing the security properties of …

Cybersecurity Considerations for Vehicles

December 10, 2015 • white paper, by mark sherman, jens palluch (method park).

In this paper the authors discuss the number of ECUs and software in modern vehicles and the need for cybersecurity to include vehicles.

Analytic Approaches to Detect Insider Threats

December 9, 2015 • white paper.

This paper identifies steps that organizations can use to enhance their security posture to detect potential insider threats.

Intelligence Preparation for Operational Resilience (IPOR)

December 7, 2015 • special report.

The author describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).

Evaluating and Mitigating the Impact of Complexity in Software Models

December 3, 2015 • technical report, by min-young nam, john j. hudak, julien delange, jim mchale, bill nichols.

This report defines software complexity, metrics for complexity, and the effects of complexity on cost and presents an analysis tool to measure complexity in models.

Cyber + Culture Early Warning Study

November 30, 2015 • special report, by char sample.

This study was designed to profile cyber actors, and to examine the time interval between cyber and kinetic events in order to gain greater insights into nation-state cyber responses to …

Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls

October 16, 2015 • white paper, by matthew l. collins, randall f. trzeciak, andrew p. moore, william e. novak, michael c. theis.

In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and engage the community to discuss its concerns.

Structuring the Chief Information Security Officer Organization

October 6, 2015 • technical note, by pamela d. curtis, gregory crabb (united states postal service), brendan fitzpatrick, david tobar, nader mehravari, julia h. allen.

The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.

Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution

September 16, 2015 • technical report, by robert w. stoddard, julia h. allen, anne connell, c. aaron cois, douglas gray, michael riley (veris group), brian d. wisniewski, erik ebel (veris group), william gulley (veris group), marie vaughn (veris group).

This technical report focuses on cybersecurity at the indirect, strategic level. It discusses how cybersecurity decision makers at the tactical or implementation level can establish a supportive contextual environment to …

Secure Coding Analysis of an AADL Code Generator's Runtime System

September 12, 2015 • white paper, by david keaton.

This paper describes a secure coding analysis of the PolyORB-HI-C runtime system used by C language code output from the Ocarina AADL code generator.

Contracting for Agile Software Development in the Department of Defense: An Introduction

August 18, 2015 • technical note, by eileen wrubel, jon gross.

This technical note addresses effective contracting for Agile software development and offers a primer on Agile based on a contracting officer's goals.

CND Equities Strategy

July 22, 2015 • white paper, by jonathan spring, ed stoner.

In this paper, the authors discuss strategies for successful computer network defense (CND) based on considering the adversaries' responses.

Comments on Bureau of Industry and Security (BIS) Proposed Rule Regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation for Intrusion and Surveillance Items

By art manion, allen d. householder.

In this paper, CERT researchers comment on the proposed rule, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items.

Enabling Incremental Iterative Development at Scale: Quality Attribute Refinement and Allocation in Practice

June 4, 2015 • technical report, by neil ernst, robert nord, stephany bellomo, ipek ozkaya.

This report describes industry practices used to develop business capabilities and suggests approaches to enable large-scale iterative development, or agile at scale.

State of Practice Report: Essential Technical and Nontechnical Issues Related to Designing SoS Platform Architectures

May 13, 2015 • technical report, by john klein, sholom g. cohen.

This report analyzes the state of the practice in system-of-systems (SoS) development, based on 12 interviews of leading SoS developers in the DoD and industry.

Emerging Technology Domains Risk Survey

April 30, 2015 • technical note, by andrew o. mellinger, christopher king, jonathan chu.

This report provides a snapshot in time of our current understanding of future technologies.

SCALe Analysis of JasPer Codebase

April 1, 2015 • white paper, by david svoboda.

In this paper, David Svoboda provides the findings of a SCALe audit on a codebase.

Model-Driven Engineering: Automatic Code Generation and Beyond

March 25, 2015 • technical note, by harry l. levinson, john klein, jay marchetti.

This report offers guidance on selecting, analyzing, and evaluating model-driven engineering tools for automatic code generation in acquired systems.

Defining a Maturity Scale for Governing Operational Resilience

March 19, 2015 • technical note, by julia h. allen, katie c. stewart, lisa r. young, michelle a. valdez, audrey j. dorofee.

Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.

SEI SPRUCE Project: Curating Recommended Practices for Software Producibility

March 16, 2015 • white paper, by bill pollak, michael d. konrad, mike petock, tamara marshall-keim, b. craig meyers, gerald w. miller.

This paper describes the Systems and Software Producibility Collaboration Environment (SPRUCE) project and the resulting recommended practices on five software topics.

Improving Quality Using Architecture Fault Analysis with Confidence Arguments

March 10, 2015 • technical report, by peter h. feiler, julien delange, charles weinstock, john b. goodenough, neil ernst, ari z. klein.

The case study shows that by combining an analytical approach with confidence maps, we can present a structured argument that system requirements have been met and problems in the design …

Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets

March 4, 2015 • technical report, by william snavely, jonathan burket, jonathan lim, wei shen, lori flynn, william klieber.

In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.

Eliminative Argumentation: A Basis for Arguing Confidence in System Properties

February 25, 2015 • technical report, by john b. goodenough, charles weinstock, ari z. klein.

This report defines the concept of eliminative argumentation and provides a basis for assessing how much confidence one should have in an assurance case argument.

A Proven Method for Meeting Export Control Objectives in Postal and Shipping Sectors

February 10, 2015 • technical note, by gregory crabb (united states postal service), pamela d. curtis, julia h. allen, nader mehravari.

This report describes how the CERT-RMM enabled the USPIS to implement an innovative approach for achieving complex international mail export control objectives.

Measuring What Matters Workshop Report

February 9, 2015 • technical note, by katie c. stewart, julia h. allen, lisa r. young, michelle a. valdez.

This report describes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.

A Dynamic Model of Sustainment Investment

February 5, 2015 • technical report, by sarah sheard, mike phillips, andrew p. moore, robert ferguson.

This paper describes a dynamic sustainment model that shows how budgeting, allocation of resources, mission performance, and strategic planning are interrelated and how they affect each other over time.

Cybersecurity Assurance

January 15, 2015 • white paper.

This paper describes the SEI research and solutions that help organizations gain justified confidence in their cybersecurity posture.

Blacklist Ecosystem Analysis Update: 2014

January 7, 2015 • white paper, by leigh b. metcalf, jonathan spring.

This white paper compares the contents of 85 different Internet blacklists to discover patterns in shared entries.

Predicting Software Assurance Using Quality and Reliability Measures

December 22, 2014 • technical note, by bill nichols, carol woody, robert j. ellison.

In this report, the authors discuss how a combination of software development and quality techniques can improve software security.

Regional Use of Social Networking Tools

December 17, 2014 • technical report, by kate meeuf.

This paper explores the regional use of social networking services (SNSs) to determine if participation with a subset of SNSs can be applied to identify a user's country of origin.

Domain Parking: Not as Malicious as Expected

December 10, 2014 • white paper, by jonathan spring, leigh b. metcalf.

In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be …

Pattern-Based Design of Insider Threat Programs

December 9, 2014 • technical note, by robin ruefle, dave mundie, andrew p. moore, david mcintire, matthew l. collins.

In this report, the authors describe a pattern-based approach to designing insider threat programs that could provide a better defense against insider threats.

Introduction to the Security Engineering Risk Analysis (SERA) Framework

December 4, 2014 • technical note, by audrey j. dorofee, christopher j. alberts, carol woody.

This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

Using Malware Analysis to Tailor SQUARE for Mobile Platforms

November 18, 2014 • technical note, by nancy r. mead, gregory paul alice.

This technical note explores the development of security requirements for the K-9 Mail application, an open source email client for the Android operating system.

A Method for Aligning Acquisition Strategies and Software Architectures

October 29, 2014 • technical note, by david j. carney, cecilia albert, patrick r. place, lisa brownsword.

This report describes the third year of the SEI's research into aligning acquisition strategies and software architecture.

Agile Methods in Air Force Sustainment: Status and Outlook

October 23, 2014 • technical note, by mary ann lapham, eileen wrubel, stephen beck, michael s. bandor, colleen regan.

This paper examines using Agile techniques in the software sustainment arena—specifically Air Force programs. The intended audience is the staff of DoD programs and related personnel who intend to use …

Development of an Intellectual Property Strategy: Research Notes to Support Department of Defense Programs

October 14, 2014 • special report, by charlene gross.

This report is intended to help program managers understand categories of intellectual property, various intellectual property challenges, and approaches to assessing the license rights that the program needs for long-term …

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

October 10, 2014 • technical report, by david p. gluch, peter h. feiler, julien delange, john j. hudak.

This report describes how the Architecture Analysis and Design Language (AADL) Error Model Annex supports the safety-assessment methods in SAE Standard ARP4761.

CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0)

September 18, 2014 • technical note, by pamela d. curtis, gregory crabb (united states postal service), sam lin, dawn wilkes, nader mehravari, julia h. allen.

This report describes a new process area that ensures that international mail is transported according to Universal Postal Union standards.

CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0)

By julia h. allen, nader mehravari, david w. white, gregory crabb (united states postal service), pamela d. curtis.

This report describes a new process area that ensures that the USPS is compensated for mail that is accepted, transported, and delivered.

CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0)

By pamela d. curtis, gregory crabb (united states postal service), david w. white, nader mehravari, julia h. allen.

This report describes a new process area that ensures that mail is inducted into the U.S. domestic mail stream according to USPS standards and requirements.

Smart Collection and Storage Method for Network Traffic Data

September 15, 2014 • technical report, by angela horneman, nathan dell.

This report discusses considerations and decisions to be made when designing a tiered network data storage solution.

A Systematic Approach for Assessing Workforce Readiness

August 18, 2014 • technical report, by david mcintire, christopher j. alberts.

In this report, the authors present the Competency Lifecycle Roadmap and the readiness test development method, both used to maintain workforce readiness.

Assuring Software Reliability

August 15, 2014 • special report, by robert j. ellison.

This report describes ways to incorporate the analysis of the potential impact of software failures--regardless of their cause--into development and acquisition practices through the use of software assurance.

Patterns and Practices for Future Architectures

August 15, 2014 • technical note, by eric werner, scott mcmillan, jonathan chu.

This report discusses best practices and patterns that will make high-performance graph analytics on new and emerging architectures more accessible to users.

Abuse of Customer Premise Equipment and Recommended Actions

August 7, 2014 • white paper, by jonathan spring, paul vixie, chris hallenbeck.

In this paper, the authors provide recommendations for addressing problems related to poor management of Consumer Premise Equipment (CPE).

Performance of Compiler-Assisted Memory Safety Checking

July 31, 2014 • technical note, by david keaton, robert c. seacord.

This technical note describes the criteria for deploying a compiler-based memory safety checking tool and the performance that can be achieved with two such tools whose source code is freely …

Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector

July 18, 2014 • technical note, by cert insider threat team.

This report analyzes unintentional insider threat cases of phishing and other social engineering attacks involving malware.

Evaluation of the Applicability of HTML5 for Mobile Applications in Resource-Constrained Edge Environments

July 2, 2014 • technical note, by grace lewis, bryan yan (carnegie mellon university – institute for software research).

This technical note presents an analysis of the feasibility of using HTML5 for developing mobile applications, for "edge" environments where resources and connectivity are uncertain, such as in battlefield or …

Agile Software Teams: How They Engage with Systems Engineering on DoD Acquisition Programs

July 1, 2014 • technical note, by mary ann lapham, suzanne miller, timothy a. chick, eileen wrubel.

This technical note addresses issues with Agile software teams engaging systems engineering functions in developing and acquiring software-reliant systems.

Improving the Automated Detection and Analysis of Secure Coding Violations

June 27, 2014 • technical note, by daniel plakosh, robert c. seacord, robert w. stoddard, david svoboda, david zubrow.

This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.

CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 2

June 11, 2014 • technical note, by lisa r. young, kevin g. partridge, mary popeck.

This update to Version 1 of this same title (CMU/SEI-2011-TN-028) maps CERT-RMM process areas to certain NIST 800-series special publications.

The Business Case for Systems Engineering: Comparison of Defense Domain and Non-defense Projects

June 10, 2014 • special report, by dennis goldenson, joseph p. elm.

This report analyzes differences in systems-engineering activities for defense and non-defense projects and finds differences in both deployment and effectiveness.

Job Analysis Results for Malicious-Code Reverse Engineers: A Case Study

June 3, 2014 • technical report, by jennifer cowley.

This report describes individual and team factors that enable, encumber, or halt the development of malicious-code reverse engineering expertise.

An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)

May 30, 2014 • technical note, by christopher j. alberts, robin ruefle, mark zajicek, audrey j. dorofee.

The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.

A Taxonomy of Operational Cyber Security Risks Version 2

May 21, 2014 • technical note, by lisa r. young, mary popeck, james j. cebula.

This second version of the 2010 report presents a taxonomy of operational cyber security risks and harmonizes it with other risk and security activities.

An Evaluation of A-SQUARE for COTS Acquisition

May 13, 2014 • technical note, by Nancy R. Mead, Sidhartha Mani.

An evaluation of the effectiveness of Software Quality Requirements Engineering for Acquisition (A-SQUARE) in a project to select a COTS product for the advanced metering infrastructure of a smart grid.

Investigating Advanced Persistent Threat 1 (APT1)

May 12, 2014 • technical report, by Deana Shick, Angela Horneman.

This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure.

Precise Static Analysis of Taint Flow for Android Application Sets

May 9, 2014 • white paper, by Amar S. Bhosale (no affiliation).

This thesis describes a static taint analysis for Android that combines the FlowDroid and Epicc analyses to track inter- and intra-component data flow.

Data-Driven Software Assurance: A Research Study

May 9, 2014 • technical report, by Julia L. Mullaney, Michael F. Orlando, Erin Harper, Michael D. Konrad, Art Manion, Bill Nichols, Andrew P. Moore.

In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.

ALTernatives to Signatures (ALTS)

April 30, 2014 • white paper, by George Jones, John Stogoski.

This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.

Potential Use of Agile Methods in Selected DoD Acquisitions: Requirements Development and Management

April 29, 2014 • technical note, by David J. Carney, Kenneth Nidiffer, Suzanne Miller.

This report explores issues that practitioners in the field who are actively adopting Agile methods have identified in our interviews about their experience in defining and managing requirements.

The Readiness & Fit Analysis: Is Your Organization Ready for Agile?

April 28, 2014 • white paper, by Suzanne Miller.

This paper summarizes the Readiness & Fit Analysis and describes its extension to support risk identification for organizations that are adopting agile methods.

International Implementation of Best Practices for Mitigating Insider Threat: Analyses for India and Germany

April 16, 2014 • technical report, by Randall F. Trzeciak, George Silowash, Lori Flynn, Michael C. Theis, Tracy Cassidy, Palma Buttles-Valdez, Carly L. Huth, Travis Wright (Carnegie Mellon University, Master of Science in Information Security Policy and Management Program).

This report analyzes insider threat mitigation in India and Germany, using the new framework for international cybersecurity analysis described in the paper titled “Best Practices Against Insider Threats in All …

Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators

March 31, 2014 • special report, by the WEA Project Team.

In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance …

Maximizing Trust in the Wireless Emergency Alerts (WEA) Service

February 28, 2014 • special report, by Carol Woody, Robert J. Ellison.

This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert …

Wireless Emergency Alerts: Trust Model Simulations

February 26, 2014 • special report, by Timothy Morrow, Joseph P. Elm, Robert W. Stoddard.

This report presents four types of simulations run on the public trust model and the alert originator trust model developed for the Wireless Emergency Alerts (WEA) service, focusing on how …

Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy

February 24, 2014 • technical report.

This report presents the Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy, a hierarchical classification that encompasses four elements of the alerting pipeline, to help stakeholders understand and reason about …

Best Practices in Wireless Emergency Alerts

February 19, 2014 • special report, by Elizabeth Trocki Stark (SRA International, Inc.), Jennifer Lavan (SRA International, Inc.), Robert J. Ellison, John McGregor, Tamara Marshall-Keim, Rita C. Creel, Carol Woody, Christopher J. Alberts, Joseph P. Elm.

This report presents four best practices for the Wireless Emergency Alerts (WEA) service, including implementing WEA in a local jurisdiction, training emergency staff in using WEA, cross-jurisdictional governance of WEA, …

Study of Integration Strategy Considerations for Wireless Emergency Alerts

This report identifies key challenges and offers recommendations for alert originators navigating the process of adopting and integrating the Wireless Emergency Alerts (WEA) service into their emergency management systems.

Results in Relating Quality Attributes to Acquisition Strategies

February 4, 2014 • technical note, by Lisa Brownsword, Cecilia Albert, Patrick R. Place, David J. Carney.

This technical note describes the second phase of a study that focuses on the relationships between software architecture and acquisition strategy -- more specifically, their alignment or misalignment.

Agile Metrics: Progress Monitoring of Agile Contractors

January 27, 2014 • technical note, by Timothy A. Chick, Eileen Wrubel, Will Hayes, Mary Ann Lapham, Suzanne Miller.

This technical note offers a reference for those working to oversee software development on the acquisition of major systems from developers using Agile methods.

Agile Methods and Request for Change (RFC): Observations from DoD Acquisition Programs

January 24, 2014 • technical note, by Mary Ann Lapham, Eileen Wrubel, Michael S. Bandor.

This technical note looks at the evaluation and negotiation of technical proposals that reflect iterative development approaches that in turn leverage Agile methods.

Unintentional Insider Threats: Social Engineering

January 21, 2014 • technical note, by CERT Insider Threat Center.

In this report, the authors explore the unintentional insider threat (UIT) that derives from social engineering.

Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using the CERT® Resilience Management Model

January 17, 2014 • technical note.

In this report, the authors describe how to improve the resilience of U.S. Postal Service products and services.

A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure

By Nader Mehravari, Julia H. Allen, Pamela D. Curtis, Gregory Crabb (United States Postal Service).

In this report, the authors describe a method of identifying physical security gaps in international mail processing centers and similar facilities.

Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase II, Expanded Analysis and Recommendations

January 8, 2014 • technical note, by Chas DiFatta (no affiliation), Greg Porter (Heinz College at Carnegie Mellon University), Lori Flynn.

In this report, the authors discuss the countermeasures that cloud service providers use and how they understand the risks posed by insiders.

TSP Symposium 2013 Proceedings

January 8, 2014 • special report, by Sergio Cardona (Universidad del Quindío), Leticia Pérez (Universidad de la República), Rafael Rincón (Universidad EAFIT), João Pascoal Faria (University of Porto), Mushtaq Raza (University of Porto), Pedro C. Henriques (Strongstep – Innovation in Software Quality), Diego Vallespir (Universidad de la República), Fernanda Grazioli (Universidad de la República), Silvana Moreno (Universidad de la República), Bill Nichols, Jim McHale.

This special report contains proceedings of the 2013 TSP Symposium. The conference theme was “When Software Really Matters,” which explored the idea that when product quality is critical, high-quality practices …

Understanding Patterns for System-of-Systems Integration

December 17, 2013 • technical report, by Klaus Schmid, Claus Nielsen (no affiliation), Rick Kazman.

This report discusses how a software architect can address the system-of-systems integration challenge from an architectural perspective.

Foundations for Software Assurance

December 16, 2013 • white paper, by Carol Woody, Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy).

In this paper, the authors highlight efforts to address the principles of software assurance and its educational curriculum.

The Topological Properties of the Local Clustering Coefficient

December 9, 2013 • white paper, by Leigh B. Metcalf.

In this paper, Leigh Metcalf examines the local clustering coefficient for and provides a new formula to generate the local clustering coefficient.

Using Software Development Tools and Practices in Acquisition

December 3, 2013 • technical note, by Harry L. Levinson, Richard Librizzi.

This technical note provides an introduction to key automation and analysis techniques.

Spotlight On: Programmers as Malicious Insiders–Updated and Revised

December 2, 2013 • white paper, by Andrew P. Moore, Randall F. Trzeciak, Dawn Cappelli, Matthew L. Collins, Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University).

In this paper, the authors describe the who, what, when, where, and how of attacks by insiders using programming techniques and include case examples.

Software Assurance Measurement – State of the Practice

November 29, 2013 • technical note, by Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead.

In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.

A Defect Prioritization Method Based on the Risk Priority Number

November 26, 2013 • white paper, by Will Hayes, Julie B. Cohen, Robert Ferguson.

This paper describes a technique that helps organizations address and resolve conflicting views and create a better value system for defining releases.

Agile Security - Review of Current Research and Pilot Usage

November 21, 2013 • white paper, by Carol Woody.

This white paper was produced to focus attention on the opportunities and challenges for embedding information assurance considerations into Agile development and acquisition.

Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase I

November 15, 2013 • technical note, by Greg Porter (Heinz College at Carnegie Mellon University).

In this report, Greg Porter documents preliminary findings from interviews with cloud service providers on their insider threat controls.

Mobile SCALe: Rules and Analysis for Secure Java and Android Coding

November 8, 2013 • technical report, by David Svoboda, Dean Sutherland, William Klieber, Lori Flynn, Limin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering), Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering), Fred Long.

In this report, the authors describe Android secure coding rules, guidelines, and static analysis developed as part of the Mobile SCALe project.

Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale

November 7, 2013 • technical note, by Richard A. Caralli, Matthew J. Butkovic.

In this report, the authors review the specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed.

CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication 800-66 Crosswalk

October 28, 2013 • technical note, by Ma-Nyahn Kromah (SunGard Availability Services), Lisa R. Young.

In this report, the authors map CERT-RMM process areas to key activities in NIST Special Publication 800-66 Revision 1.

Passive Detection of Misbehaving Name Servers

October 4, 2013 • technical report.

In this report, the authors explore name-server flux and two types of data that can reveal it.

Insider Threat Control: Using Plagiarism Detection Algorithms to Prevent Data Exfiltration in Near Real Time

October 3, 2013 • technical note, by Todd Lewellen, Daniel L. Costa, George Silowash.

In this report, the authors describe how an insider threat control can monitor an organization's web request traffic for text-based data exfiltration.

Introduction to the Mission Thread Workshop

October 1, 2013 • technical report, by William Wood, Michael J. Gagliardi, Timothy Morrow.

This report introduces the Mission Thread Workshop, a method for understanding architectural and engineering considerations for developing and sustaining systems of systems. It describes the three phases of the workshop …

Parallel Worlds: Agile and Waterfall Differences and Similarities

October 1, 2013 • technical note, by Ipek Ozkaya, Suzanne Miller, Mary Ann Lapham, Timothy A. Chick, Steve Palmquist.

This report helps readers understand Agile. The report assembles terms and concepts from both the traditional world of waterfall-based development and the Agile environment to show the many similarities and …

Everything You Wanted to Know About Blacklists But Were Afraid to Ask

September 30, 2013 • white paper.

This document compares the contents of 25 different common public-internet blacklists in order to discover any patterns in the shared entries.

Roadmap to Software Assurance Competency

September 23, 2013 • white paper.

This white paper describes the Software Assurance (SwA) Core Body of Knowledge and SwA competency levels.

TSP Performance and Capability Evaluation (PACE): Customer Guide

September 1, 2013 • special report, by Mark Kasunic, Bill Nichols, Timothy A. Chick.

This guide describes the evaluation process and lists the steps organizations and programs must complete to earn a TSP-PACE certification.

TSP Performance and Capability Evaluation (PACE): Team Preparedness Guide

By Timothy A. Chick, Bill Nichols, Mark Kasunic.

This document describes the TSP team data that teams normally produce and that are required as input to the TSP-PACE process.

Best Practices Against Insider Threats in All Nations

August 27, 2013 • technical note, by Carly L. Huth, Palma Buttles-Valdez, Lori Flynn, Randall F. Trzeciak.

In this report, the authors summarize best practices for mitigating insider threats in international contexts.

The Role of Computer Security Incident Response Teams in the Software Development Life Cycle

August 20, 2013 • white paper, by Robin Ruefle.

In this paper, Robin Ruefle describes how incident management can provide input to the software development process.

State of Cyber Workforce Development

August 15, 2013 • white paper.

This paper summarizes the current posture of the cyber workforce and several initiatives designed to strengthen, grow, and retain cybersecurity professionals.

Training and Awareness

August 7, 2013 • white paper, by Carol Sledge, Ken van Wyk (no affiliation).

In this paper, the authors provide guidance on training and awareness opportunities in the field of software security.

Evidence of Assurance: Laying the Foundation for a Credible Security Case

By Howard F. Lipson, Charles Weinstock.

In this paper, the authors provide examples of several of the kinds of evidence that can contribute to a security case.

Security and Project Management

August 6, 2013 • white paper.

In this paper, Robert Ellison explains what project managers should consider because they relate to security needs.

An Evaluation of Cost-Benefit Using Security Requirements Prioritization Methods

August 5, 2013 • white paper, by Travis Christian, Nancy R. Mead.

In this paper, the authors provide background information on penetration testing processes and practices.

Unintentional Insider Threats: A Foundational Study

August 1, 2013 • technical note.

In this report, the CERT Insider Threat team examines unintentional insider threat (UIT), a largely unrecognized problem.

Teaching Security Requirements Engineering Using SQUARE

July 31, 2013 • white paper, by Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy).

In this paper, the authors detail the validation of a teaching model for security requirements engineering that ensures that security is built into software.

Trustworthy Composition: The System Is Not Always the Sum of Its Parts

In this paper, Robert Ellison surveys several profound technical problems faced by practitioners assembling and integrating secure and survivable systems.

Development of a Master of Software Assurance Reference Curriculum - 2013 IJSSE

By Julia H. Allen, Nancy R. Mead, Mark A. Ardis (Stevens Institute of Technology), Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory), James McDonald (Monmouth University).

In this paper, the authors present an overview of the Master of Software Assurance curriculum, including its history, student prerequisites, and outcomes.

Strengthening Ties Between Process and Security

In this paper, Carol Woody summarizes recent key accomplishments, including harmonizing security practices with CMMI and using assurance cases.

Estimating Benefits from Investing in Secure Software Development

By Ashish Arora, Rahul Telang, Steven Frank.

In this paper, the authors discuss the costs and benefits of incorporating security in software development and present formulas for calculating security costs and security benefits.

What Measures Do Vendors Use for Software Assurance?

By Jeremy Epstein.

In this paper, Jeremy Epstein examines what real vendors do to ensure that their products are reasonably secure.

The Development of a Graduate Curriculum for Software Assurance

By Nancy R. Mead, Mark A. Ardis (Stevens Institute of Technology).

In this paper, the authors describe the work of the Master of Software Assurance curriculum project, including sources, process, products, and more.

Secure Software Development Life Cycle Processes

By Noopur Davis.

In this paper, Noopur Davis presents information about processes, standards, and more that support or could support secure software development.

Applicability of Cultural Markers in Computer Network Attack Attribution

July 11, 2013 • white paper.

In this 2013 white paper, Char Sample discusses whether cultural influences leave traces in computer network attack (CNA) choices and behaviors.

Improving Software Assurance

July 5, 2013 • white paper.

In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.

Scale: System Development Challenges

In this paper, the authors describe software assurance challenges inherent in networked systems development and propose a solution.

Requirements Prioritization Case Study Using AHP

By Nancy R. Mead.

In this paper, Nancy Mead describes a tradeoff analysis that can select a suitable requirements prioritization method and the results of trying one method.

Arguing Security - Creating Security Assurance Cases

By John B. Goodenough, Charles Weinstock, Howard F. Lipson.

In this paper, the authors explain an approach to documenting an assurance case for system security.

SQUARE Process

In this paper, Nancy Mead describes the SQUARE process as a means for eliciting, categorizing, and prioritizing security requirements for IT systems.

Requirements Elicitation Case Studies Using IBIS, JAD, and ARM

In this paper, Nancy Mead describes a tradeoff analysis that can be used to select a suitable requirements elicitation method.

The Common Criteria

In this paper, Nancy Mead discusses how Common Criteria is evaluated; the paper also presents a standard that is related to developing security requirements.

Measures and Measurement for Secure Software Development

July 3, 2013 • white paper, by David Zubrow, James McCurley, Carol Dekkers.

In this paper, the authors discuss how measurement can be applied to improve the security characteristics of the software being developed.

Predictive Models for Identifying Software Components Prone to Failure During Security Attacks

By Laurie Williams, Michael Gegick, Mladan Vouk.

In this paper, the authors describe how the presence of security faults correlates strongly with the presence of a more general category of reliability faults.

Measuring the Software Security Requirements Engineering Process

In this paper, Nancy Mead describes a measurement approach to security requirements engineering to analyze projects that were developed with and without SQUARE.

System-of-Systems Influences on Acquisition Strategy Development

July 2, 2013 • white paper, by Rita C. Creel, Robert J. Ellison.

In this paper, the authors discuss significant new sources of risk and recommend ways to address them.

Risk-Centered Practices

By Julia H. Allen.

In this paper, Julia Allen discusses the role that risk management and risk assessment play in choosing which security practices to implement.

Supply-Chain Risk Management: Incorporating Security into Software Development

In this paper, the authors describe practices that address defects and mechanisms for introducing these practices into the acquisition lifecycle.

Prioritizing IT Controls for Effective, Measurable Security

By Daniel Phelps, Kurt Milne, Gene Kim (IP Services and ITPI).

In this paper, the authors summarize results from the IT Controls Performance Study conducted by the IT Process Institute.

Building Security into the Business Acquisition Process

By Dan Shoemaker (University of Detroit Mercy).

In this paper, Dan Shoemaker presents the standard process for acquiring software products and services in business.

Navigating the Security Practice Landscape

In this paper, Julia Allen presents a summary of ten leading sources of security practice definition and implementation guidance.

Assuring Software Systems Security: Life Cycle Considerations for Government Acquisitions

By Rita C. Creel.

In this paper, Rita Creel identifies acquirer activities and resources necessary to support contractor efforts to build secure software-intensive systems.

Plan, Do, Check, Act

In this paper, Ken van Wyk provides a primer on the most commonly used tools for traditional penetration testing.

Finding a Vendor You Can Trust in the Global Marketplace

By Dan Shoemaker (University of Detroit Mercy), Art Conklin.

In this paper, the authors introduce the concept of standardized third-party certification of supplier process capability.

Results of SEI Line-Funded Exploratory New Starts Projects: FY 2012

July 1, 2013 • technical report, by Robert Nord, Robert W. Stoddard, Lisa Brownsword, Dennis Goldenson, Mary Ann Lapham, David Zubrow, William R. Claycomb, Lori Flynn, Peter H. Feiler, Rick Kazman, Robert Ferguson, Stephany Bellomo, Ipek Ozkaya, Sagar Chaki, Arie Gurfinkel, Julie B. Cohen, John J. Hudak, Jeff Havrilla, Bjorn Andersson, John McGregor, James McCurley, Carly L. Huth, David McIntire, David P. Gluch, Wesley Jin, Chuck Hines, Brittany Phillips, Yuanfang Cai (Drexel University).

This report describes line-funded exploratory new starts (LENS) projects that were conducted during fiscal year 2012 (October 2011 through September 2012).

Insider Threat Attributes and Mitigation Strategies

July 1, 2013 • technical note, by George Silowash.

In this report, George Silowash maps common attributes of insider threat cases to characteristics important for detecting, preventing, or mitigating the threat.

Pointer Ownership Model

June 10, 2013 • white paper.

In this paper, David Svoboda describes the Pointer Ownership Model, which can statically identify classes of errors involving dynamic memory in C/C++ programs.

Common Software Platforms in System-of-Systems Architectures: The State of the Practice

June 6, 2013 • white paper, by Rick Kazman, Sholom G. Cohen, John Klein.

System-of-systems (SoS) architectures based on common software platforms have been commercially successful, but progress on creating and adopting them has been slow. This study aimed to understand technical issues for …

Software Assurance for Executives: Mapping of Common Topics to Specific Materials

June 3, 2013 • white paper.

In this paper, the authors present common topics, course materials, and resources related to the Software Assurance for Executives course held in June 2013.

Software Assurance for Executives

This legal form was used in the Software Assurance for Executives course that was held in June 2013.

Isolating Patterns of Failure in Department of Defense Acquisition

June 1, 2013 • technical note, by Lisa Brownsword, Patrick R. Place, Cecilia Albert, John J. Hudak, Charles (Bud) Hammons, David J. Carney.

This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals.

Socio-Adaptive Systems Challenge Problems Workshop Report

June 1, 2013 • special report, by Mark H. Klein, Timothy Morrow, Scott Hissam.

This report presents a summary of the findings of the Socio-Adaptive Systems Challenge Problem Workshop, held in Pittsburgh, PA, on April 12-13, 2012.

Strengths in Security Solutions

May 31, 2013 • white paper, by Carol Woody, Allen D. Householder, Robert C. Seacord, Arjuna Shunn (Microsoft).

In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.

Integrating Software Assurance Knowledge into Conventional Curricula

May 23, 2013 • white paper.

In this paper, the authors discuss the results of comparing the Common Body of Knowledge for Secure Software Assurance with traditional computing disciplines.

Maturity of Practice

In this paper, Julia Allen identifies indicators that organizations are addressing security as a governance and management concern, at the enterprise level.

Integrating Security and IT

May 21, 2013 • white paper.

In this paper, Julia Allen describes the key relationship between IT processes and security controls.

Individual Certification of Security Proficiency for Software Professionals: Where Are We? Where Are We Going?

In this paper, Dan Shoemaker describes existing professional certifications in information assurance and emerging certifications for secure software assurance.

How Much Security Is Enough?

In this paper, Julia Allen provides guidelines for answering this question, including means for determining adequate security based on risk.

Models for Assessing the Cost and Value of Software Assurance

By John Bailey, Dan Shoemaker (University of Detroit Mercy), Antonio Drommi, Jeff Ingalsbe (University of Detroit Mercy), Nancy R. Mead.

In this paper, the authors present IT valuation models that represent the most commonly accepted approaches to the valuation of IT and IT processes.

Adapting Penetration Testing for Software Development Purposes

By Ken van Wyk (no affiliation).

In this paper, Ken van Wyk provides background information on penetration testing processes and practices.

Requirements Engineering Annotated Bibliography

In this paper, Nancy Mead provides a bibliography of sources related to requirements engineering.

Defining the Discipline of Secure Software Assurance: Initial Findings from the National Software Assurance Repository

By Nancy R. Mead, Jeff Ingalsbe (University of Detroit Mercy), Dan Shoemaker (University of Detroit Mercy), Rita Barrios.

In this paper, the authors characterize the current state of secure software assurance work and suggest future directions.

Making the Business Case for Software Assurance

software engineering Recently Published Documents


Identifying Non-Technical Skill Gaps in Software Engineering Education: What Experts Expect But Students Don’t Learn

As the importance of non-technical skills in the software engineering industry increases, the skill sets of graduates match less and less with industry expectations. A growing body of research exists that attempts to identify this skill gap. However, only a few so far explicitly compare opinions of the industry with what is currently being taught in academia. By aggregating data from three previous works, we identify the three biggest non-technical skill gaps between industry and academia for the field of software engineering: devoting oneself to continuous learning, being creative by approaching a problem from different angles, and thinking in a solution-oriented way by favoring outcome over ego. Eight follow-up interviews were conducted to further explore how the industry perceives these skill gaps, yielding 26 sub-themes grouped into six bigger themes: stimulating continuous learning, stimulating creativity, creative techniques, addressing the gap in education, skill requirements in industry, and the industry selection process. With this work, we hope to inspire educators to give the necessary attention to the uncovered skills, further mitigating the gap between the industry and the academic world.

Opportunities and Challenges in Code Search Tools

Code search is a core software engineering task. Effective code search tools can help developers substantially improve their software development efficiency and effectiveness. In recent years, many code search studies have leveraged different techniques, such as deep learning and information retrieval approaches, to retrieve expected code from a large-scale codebase. However, there is a lack of a comprehensive comparative summary of existing code search approaches. To understand the research trends in existing code search studies, we systematically reviewed 81 relevant studies. We investigated the publication trends of code search studies, analyzed key components, such as codebase, query, and modeling technique used to build code search tools, and classified existing tools into focusing on supporting seven different search tasks. Based on our findings, we identified a set of outstanding challenges in existing studies and a research roadmap for future code search research.

Psychometrics in Behavioral Software Engineering: A Methodological Introduction with Guidelines

A meaningful and deep understanding of the human aspects of software engineering (SE) requires psychological constructs to be considered. Psychology theory can facilitate the systematic and sound development as well as the adoption of instruments (e.g., psychological tests, questionnaires) to assess these constructs. In particular, to ensure high quality, the psychometric properties of instruments need evaluation. In this article, we provide an introduction to psychometric theory for the evaluation of measurement instruments for SE researchers. We present guidelines that enable using existing instruments and developing new ones adequately. We conducted a comprehensive review of the psychology literature framed by the Standards for Educational and Psychological Testing. We detail activities used when operationalizing new psychological constructs, such as item pooling, item review, pilot testing, item analysis, factor analysis, statistical property of items, reliability, validity, and fairness in testing and test bias. We provide an openly available example of a psychometric evaluation based on our guideline. We hope to encourage a culture change in SE research towards the adoption of established methods from psychology. To improve the quality of behavioral research in SE, studies focusing on introducing, validating, and then using psychometric instruments need to be more common.

Towards an Anatomy of Software Craftsmanship

Context: The concept of software craftsmanship has early roots in computing, and in 2009, the Manifesto for Software Craftsmanship was formulated as a reaction to how the Agile methods were practiced and taught. But software craftsmanship has seldom been studied from a software engineering perspective. Objective: The objective of this article is to systematize an anatomy of software craftsmanship through literature studies and a longitudinal case study. Method: We performed a snowballing literature review based on an initial set of nine papers, resulting in 18 papers and 11 books. We also performed a case study following seven years of software development of a product for the financial market, eliciting qualitative, and quantitative results. We used thematic coding to synthesize the results into categories. Results: The resulting anatomy is centered around four themes, containing 17 principles and 47 hierarchical practices connected to the principles. We present the identified practices based on the experiences gathered from the case study, triangulating with the literature results. Conclusion: We provide our systematically derived anatomy of software craftsmanship with the goal of inspiring more research into the principles and practices of software craftsmanship and how these relate to other principles within software engineering in general.

On the Reproducibility and Replicability of Deep Learning in Software Engineering

Context: Deep learning (DL) techniques have gained significant popularity among software engineering (SE) researchers in recent years. This is because they can often solve many SE challenges without enormous manual feature engineering effort and complex domain knowledge. Objective: Although many DL studies have reported substantial advantages over other state-of-the-art models on effectiveness, they often ignore two factors: (1) reproducibility —whether the reported experimental results can be obtained by other researchers using authors’ artifacts (i.e., source code and datasets) with the same experimental setup; and (2) replicability —whether the reported experimental result can be obtained by other researchers using their re-implemented artifacts with a different experimental setup. We observed that DL studies commonly overlook these two factors and declare them as minor threats or leave them for future work. This is mainly due to high model complexity with many manually set parameters and the time-consuming optimization process, unlike classical supervised machine learning (ML) methods (e.g., random forest). This study aims to investigate the urgency and importance of reproducibility and replicability for DL studies on SE tasks. Method: In this study, we conducted a literature review on 147 DL studies recently published in 20 SE venues and 20 AI (Artificial Intelligence) venues to investigate these issues. We also re-ran four representative DL models in SE to investigate important factors that may strongly affect the reproducibility and replicability of a study. Results: Our statistics show the urgency of investigating these two factors in SE, where only 10.2% of the studies investigate any research question to show that their models can address at least one issue of replicability and/or reproducibility. More than 62.6% of the studies do not even share high-quality source code or complete data to support the reproducibility of their complex models. 
Meanwhile, our experimental results show the importance of reproducibility and replicability, where the reported performance of a DL model could not be reproduced for an unstable optimization process. Replicability could be substantially compromised if the model training is not convergent, or if performance is sensitive to the size of vocabulary and testing data. Conclusion: It is urgent for the SE community to provide a long-lasting link to a high-quality reproduction package, enhance DL-based solution stability and convergence, and avoid performance sensitivity on different sampled data.

Predictive Software Engineering: Transform Custom Software Development into Effective Business Solutions

The paper examines the principles of the Predictive Software Engineering (PSE) framework. The authors examine how PSE enables custom software development companies to offer transparent services and products while staying within the intended budget and a guaranteed budget. The paper will cover all 7 principles of PSE: (1) Meaningful Customer Care, (2) Transparent End-to-End Control, (3) Proven Productivity, (4) Efficient Distributed Teams, (5) Disciplined Agile Delivery Process, (6) Measurable Quality Management and Technical Debt Reduction, and (7) Sound Human Development.

Software—A New Open Access Journal on Software Engineering

Software (ISSN: 2674-113X) [...]

Improving bioinformatics software quality through incorporation of software engineering practices

Background: Bioinformatics software is developed for collecting, analyzing, integrating, and interpreting life science datasets that are often enormous. Bioinformatics engineers often lack the software engineering skills necessary for developing robust, maintainable, reusable software. This study presents review and discussion of the findings and efforts made to improve the quality of bioinformatics software. Methodology: A systematic review was conducted of related literature that identifies core software engineering concepts for improving bioinformatics software development: requirements gathering, documentation, testing, and integration. The findings are presented with the aim of illuminating trends within the research that could lead to viable solutions to the struggles faced by bioinformatics engineers when developing scientific software. Results: The findings suggest that bioinformatics engineers could significantly benefit from the incorporation of software engineering principles into their development efforts. This leads to suggestion of both cultural changes within bioinformatics research communities as well as adoption of software engineering disciplines into the formal education of bioinformatics engineers. Open management of scientific bioinformatics development projects can result in improved software quality through collaboration amongst both bioinformatics engineers and software engineers. Conclusions: While strides have been made both in identification and solution of issues of particular import to bioinformatics software development, there is still room for improvement in terms of shifts in both the formal education of bioinformatics engineers as well as the culture and approaches of managing scientific bioinformatics research and development efforts.

Inter-team communication in large-scale co-located software engineering: a case study

Abstract: Large-scale software engineering is a collaborative effort where teams need to communicate to develop software products. Managers face the challenge of how to organise work to facilitate necessary communication between teams and individuals. This includes a range of decisions from distributing work over teams located in multiple buildings and sites, through work processes and tools for coordinating work, to softer issues including ensuring well-functioning teams. In this case study, we focus on inter-team communication by considering geographical, cognitive and psychological distances between teams, and factors and strategies that can affect this communication. Data was collected for ten test teams within a large development organisation, in two main phases: (1) measuring cognitive and psychological distance between teams using interactive posters, and (2) five focus group sessions where the obtained distance measurements were discussed. We present ten factors and five strategies, and how these relate to inter-team communication. We see three types of arenas that facilitate inter-team communication, namely physical, virtual and organisational arenas. Our findings can support managers in assessing and improving communication within large development organisations. In addition, the findings can provide insights into factors that may explain the challenges of scaling development organisations, in particular agile organisations that place a large emphasis on direct communication over written documentation.

Aligning Software Engineering and Artificial Intelligence With Transdisciplinary

The study examined AI and SE transdisciplinarity to find ways of aligning them to enable development of AI-SE transdisciplinary theory. A literature review and analysis method was used. The findings are that AI and SE transdisciplinarity is tacit, with islands within and between them that can be linked to accelerate their transdisciplinary orientation by codification, internally developing and externally borrowing and adapting transdisciplinary theories. Lack of theory has been identified as the major barrier towards maturing the two disciplines as engineering disciplines. Creating AI and SE transdisciplinary theory would contribute to maturing AI and SE engineering disciplines. Implications of the study are that transdisciplinary theory can support mode 2 and 3 AI and SE innovations and provide an alternative for maturing the two disciplines as engineering disciplines. The study's originality is that it is the first in SE, AI or their intersections.


Software Engineering

At Google, we pride ourselves on our ability to develop and launch new products and features at a very fast pace. This is made possible in part by our world-class engineers, but our approach to software development enables us to balance speed and quality, and is integral to our success. Our obsession for speed and scale is evident in our developer infrastructure and tools. Developers across the world continually write, build, test and release code in multiple programming languages like C++, Java, Python, Javascript and others, and the Engineering Tools team, for example, is challenged to keep this development ecosystem running smoothly. Our engineers leverage these tools and infrastructure to produce clean code and keep software development running at an ever-increasing scale. In our publications, we share associated technical challenges and lessons learned along the way.


Large Language Models for Software Engineering: Survey and Open Problems


Comput Intell Neurosci, v.2022; 2022

Trends in Intelligent and AI-Based Software Engineering Processes: A Deep Learning-Based Software Process Model Recommendation Method

Fahad H. Alshammari

College of Computing and Information Technology, Shaqra University, Shaqra, Saudi Arabia

Associated Data

The data used to support the findings of this study are included within this article.

In recent years, numerous studies have successfully implemented machine learning strategies in a wide range of application areas. Therefore, several different deep learning models exist, each one tailored to a certain software task. Using deep learning models provides numerous advantages for the software development industry. Testing and maintaining software is a critical concern today. Software engineers have many responsibilities while developing a software system, including coding, testing, and delivering the software to users via the cloud. From this list, it is easy to see that each task calls for extensive organization and preparation, as well as access to a variety of resources. A developer may consult other code repositories, websites with related programming content, and even colleagues for information before attempting to build and test a solution to the problem at hand. In this investigation, we aim to identify the factors that led to developing the recommender. This system analyzes the recommender's performance and provides suggestions for improving the software based on users' opinions.

1. Introduction

When developing a software system, software engineers execute various tasks, including creating code, testing code, deploying to the cloud, and coordinating via e-mail and meetings [ 1 ]. Each of these tasks necessitates searching for and working with a wide range of information and resources, as well as planning and preparing for the upcoming one [ 2 ]. A developer may investigate other code repositories for prospective solutions, explore online sites with relevant programming material, or contact coworkers for information before programming a possible solution to the problem at hand and testing the answer [ 3 ].

Performing these tasks can be intimidating for novices in the field [ 4 ]. Near-perfect performance in these activities is nearly unattainable for even the most experienced coders. Recommender systems for software engineering have been implemented to easily perform tasks and improve workflow [ 5 ]. In other words, “software applications that deliver information items deemed to be relevant for software engineering tasks” are “recommenders” for the discipline [ 6 ]. Software engineers are used to working with certain recommenders that are closely relevant to their development operations. Such issues as missing import declarations in Java code can be solved using recommenders in various integrated development environments, such as the Eclipse IDE4 [ 7 ].

Recommendation systems for different tasks and workflows have been developed, including those for code reorganization, learning the next set of commands, and discovering needs. For instance, the Eclipse Mylyn recommender, which provides specific recommendations of which source code is connected with a task, has been demonstrated to boost the productivity of developers. Recommenders have much unrealized potential in the software development process because of their vast variety of actions [ 8 ].

One of the primary problems with the current recommender system is that it forecasts products that the user will find irrelevant or uninteresting. As a result, a recommender system is required, which must supply services in accordance with the resemblance of goods. By incorporating user and product data into a collaborative recommendation system, true user preferences can be learned [ 9 – 11 ].

The first stage in developing a recommender is to define the problem the recommender is intended to solve and verify the assumption that a recommender can deliver suggestions of value to the developer facing the problem. Framing the problem is the term we use to describe the activities occurring during this phase. The introduction's definition of a software engineering recommender provides a foundation for investigating the problem and solution targeted by a recommendation engine. The task and context for which a recommender will be used must be crystal clear when thinking about creating one. Another consideration is for whom a recommender is intended: developers or end users. The idea of a task targeted by a recommender relates to the specific purpose of a developer at a certain moment in time, such as the implementation of an assigned feature in source code. Even though a developer is aware of the current task at all times, the task may not be expressed directly in the code. The context of a recommender refers to the information and tool environment in which the task is conducted, such as the source code and other artifacts available and the set of tools that can be used to complete the work. The context also captures the developer's steps in completing the given task. This helps define when and what information a recommender may provide: novices often have fundamentally different information needs compared to experts. While frequent proposals may be helpful to the first group, the latter often has a poor tolerance for interruptions of their work that convey already known facts. The main contributions of this study are as follows:

  • We framed the problem as determining the inputs for the recommender's construction.
  • The system provides recommendations for software development based on client happiness and evaluates the usefulness of the recommender.

2. Related Work

Wen et al. [ 12 ] systematically examined machine learning models from four perspectives: the kind of ML approach, estimation accuracy, model comparison, and context of estimation, which is the goal of this study. A systematic review of empirical studies on the ML model published between 1991 and 2010 was conducted. The author compiled a list of 84 primary studies related to our research question and detected eight different types of ML approaches used in SDEE models after looking into these studies. Overall, these ML models have better estimation accuracy than non-ML models and are near to it. For this reason, certain ML models are more effective in certain estimation scenarios. SDEE is a potential field for ML models. However, the industry's use of ML models is still limited, necessitating additional efforts and financial incentives. Following the conclusions of this review, the author offers advice for researchers and guidance for practitioners.

Wan et al. [ 13 ] were curious about the impact of machine learning on software development techniques, given the growing popularity of this approach. From interviews with 14 people and surveys with 342 people from 26 nations across four continents, we could identify substantial differences between the development of machine and nonmachine learning systems. Software engineering (e.g., requirements, design, testing, and process) and work characteristics are significantly different across the two groups, according to our research (e.g., skill variety, problem-solving, and task identity). In light of our findings, the author outlined potential future research areas and offered practice-oriented suggestions.

Del Carpio and Angarita [ 14 ] used machine learning approaches in various knowledge domains with promising results. Many deep learning models now focus on a wide range of software operations, which is a good sign for the future systematic investigation of deep learning model-supported software processes that yield useful findings for the software industry. Software testing and maintenance were the most often studied subprocesses in this study. It is common to utilize deep learning models such as CNN and RNN to process bug reports, malware categorization, and recommendation creation in these subprocesses. Some solutions are focused on estimating effort, classifying software requirements, identifying GUI visual aspects, identifying code authors, finding the similarity between source codes, predicting and classifying defects, and analyzing bug reports in testing and maintenance operations.

Meziane and Vadera [ 15 ] suggested that, due to its ability to automate time-consuming or complex processes, artificial intelligence has recently gained much attention. There have been no exceptions to this rule regarding software engineering projects. Artificial intelligence and software maintenance are covered in depth in this thesis. The recent advances in applying artificial intelligence to software maintenance duties were also studied through thorough mapping research. Research kind, research contribution, software maintenance domains, and artificial intelligence solution type were the most important aspects of this study.

Barenkamp et al. [ 16 ] involved a systematic evaluation of prior research and five qualitative interviews with software developers. The study's conclusions are categorized throughout software development. Major AI achievements and future potentials include (a) using algorithms to automate time-consuming, routine tasks in software development and testing (such as bug hunting and documentation); (b) conducting structured analyses of large datasets to uncover patterns and new information clusters; and (c) conducting systematic evaluations of these datasets in neural networks. AI accelerates development, reduces expenses, and increases efficiency. Software engineering automation is superior to the present AI, which relies on human-made structures and is essentially reproductive. Developers can enhance their creativity with AI tools.

Harman claimed that artificial intelligence (AI) approaches to software engineering also focus on software development-related challenges [ 17 ]. While search-based software engineering is a more recent development, the field's history of work in probabilistic reasoning and machine learning for software engineering is well-established. For the purpose of this paper, the author examined some of the connections between these two areas of research, claiming that they share many characteristics.

Tate [ 18 ] compared software quality models. Case studies apply software quality models to the current processes. Case study results complement empirical model assessment. Standard selection criteria are used to recommend and select models. Procedures are evaluated using success criteria. Theoretical assessment methods evaluate process model quality. Conformity to ideal process quality model requirements and relevance to software stakeholders are tested. Discussing the models' breadth and scale: empirical assessment methods are established to evaluate the model's performance in real software operations. There are approaches to determine if process quality models produce different results and, if so, which model to choose. Case study software processes are measured for differences.

Fadhil et al. [ 11 ] determined how AI can improve software issue detection and prediction methods. Artificial intelligence has helped identify software issues and predict bugs, as data shows. Combining AI with software engineering reduces overhead and produces more efficient solutions, improving software quality.

Kothawar and Vajrapu [ 19 ] addressed these behaviors' difficulties and solutions. Methods: the author chose 15 best practices from eight startups, each with unique challenges and solutions. Our research indicates startups' mixed prioritization. Six of the eight companies used formal methods, while two used unstructured prioritization. Startups' value: prioritizing based on consumer input and ROI is key. This study examines startup priority needs and obstacles. The literature supports the study's findings. Finding solutions helps practitioners. The poll should include Swedish software startups. Some of these solutions may also be useful for practitioners wishing to begin a software startup and priority requirements.

This study's aggregation method is clear, realistic, and interpretable [ 9 ]. This method makes quality model and metric-based software quality assessment reliable and reproducible. Based on all observable software artifacts, good and bad quality are assigned probabilities. Validation was theoretical and empirical. Bug prediction, maintainability, and information quality were evaluated. Software visualization was used to evaluate the usefulness of aggregation for multivariate data and the impact of different aggregation methods. Finally, the author assessed MCR's transferability and used it to rate real-world options. The author used machine learning, created a benchmark employing regression issues, and evaluated how well the aggregate result matches a ground truth and represents input variables. Our method is accurate, sensitive, and facilitates multicriteria decision-making. Our approach can be used as an agnostic unsupervised predictor without ground truth.

Recently, sentiment analysis on social networks, such as Twitter and Facebook, has become a valuable tool for gaining insight into the thoughts and feelings of people. In contrast, sentiment analysis suffers from the difficulties of natural language processing (NLP). Deep learning models have recently been a promising solution to NLP difficulties. To address the issues with sentiment analysis, such as sentiment polarity, the paper [ 10 ] analyzes the most recent experiments to make use of deep learning. Word embedding and the TF-IDF model have been used to analyze several different datasets. Comparative studies of the experimental findings for various models and input features have also been undertaken.

Software defect prediction anticipates troublesome code sections to help find faults and prioritize testing. Previous work focused on manually encoding program information and using machine learning to generate accurate prediction models. Standard characteristics do not capture semantic differences between programs for accurate prediction models [ 8 ]. Deep learning is proposed to bridge the gap between program semantics and fault prediction characteristics. The deep belief network (DBN) learns semantic features from Abstract Syntax Tree (AST) token vectors automatically. Our research on 10 open-source projects shows that our automatically learned semantic features increase both within-project and cross-project defect prediction over traditional characteristics. Precision, recall, and F1 improve WPDP by 14.7%, 11.5%, and 14.2%, respectively. Our semantic feature-based technique beats TCA + by 8.9% in F1 for CPDP.

Reference [ 20 ] proposed LEMNA, a high-fidelity security explanation approach. LEMNA generates a limited set of features that explain how an input sample is categorized. The goal is to create a simple interpretable model to approximate the deep learning decision boundary. It manages feature dependency to better interact with security applications (such as binary code analysis) and nonlinear local boundaries to boost explanation fidelity. Local interpretable model (LIM): the author tested our method with two deep learning security apps (a malware classifier and a function start detector for binary reverse engineering). Extensive testing demonstrates that LEMNA's explanation is more correct than others. The author shows how LEMNA may help machine learning developers verify model behavior, fix classification issues, and automatically patch target model defects.

Reference [ 7 ] reviewed machine learning papers for software project management. Web of Science, ScienceDirect, and IEEE Xplore have research on machine learning, software project management, and methodology. Three repositories contain 111 papers in four groupings. First group: software project management papers. The second category contains machine learning methods and tactics utilized in projects. The third category comprises studies on machine learning management phases and tests, as well as study findings, contribution to and promotion of machine learning project prediction, and other studies. It gives a broader context for future project risk management efforts. Machine learning-based project risk assessment is more successful in reducing project losses, increasing project success, and reducing project failure probabilities while increasing the growth output ratio.

Recent machine learning discoveries have prompted interest in integrating AI into IT software and services. To fulfill this goal, organizations adapted their development methodologies. The author shares research on Microsoft's AI-app development teams. It is built on designing AI apps (search and NLP) using data science tools (R and Python) (e.g., application diagnostics and bug reporting). Reference [ 5 ] found that multiple Microsoft teams have integrated this workflow into established, well-evolved software engineering processes, providing insights into numerous important engineering problems organizations may encounter while developing large-scale AI products for the market. These difficulties required Microsoft's best practices. Aside from that, the author found three main AI differences: (1) model customization and reuse demand different abilities than those found in software teams. (2) AI components are more challenging to handle as independent modules than typical software components. Microsoft teams provided critical knowledge.

Yang et al. [ 6 ] proposed “deep neural networks” (DNNs) and an updated model training approach. AlphaGo showed deep learning's potential in 2016. Deep learning helps software engineering (SE) experts construct cutting-edge research tools. Model selection, internal structure, and tuning affect DNN performance in SE. Deep learning in SE is understudied. The author searched for relevant publications since 2006. First, SE deep learning is shown. SE's deep learning methods are classified. The author looked at deep learning model optimization methodologies and highlighted SE research problems that will benefit from DNNs. Our findings highlight existing problems and suggest a potential study route.

Machine learning is rapidly being adopted by the software engineering community as a means of transforming modern software into intelligent and self-learning systems. Software engineers are still exploring ways in which machine learning can aid with various stages of the software development life cycle. Herein, the author reports the results of a study on the application of machine learning at various stages of the software development life cycle. Overall, [ 3 ] investigated the relationship between software development life cycle stages and machine learning tools, techniques, or types, which is a broad goal. In an attempt to answer the question of whether machine learning favors specific stages or methodologies, we conduct a comprehensive analysis.

Business transactions, revenues, and general success are becoming increasingly dependent on the use of recommendation systems. Recommendation systems and their implementation approaches are the focus of this survey. The components and attributes of a recommender system can change based on the organization's needs. Design criteria and key recommender system attributes are presented in this study. There are a few well-known approaches that are scrutinized. In conclusion, [ 4 ] introduced movie recommenders from the three most relevant industries: film, music, and online shopping. The survey seeks to provide readers with a broad understanding of the circumstances in which certain recommender systems are appropriate.

Machine learning models are frequently developed by data scientists to handle a wide range of problems in both industry and academia, but they are not without their own set of hurdles. One of the issues with machine learning development is that many people working in the field are unaware of the benefits that may be reaped from following the steps outlined in the software engineering development lifecycle (SEDL). Of course, because machine learning systems are distinct from typical software systems, there will be certain peculiarities in the development process. Regarding software engineering, [ 2 ] aimed to examine the issues and practices that arise during model creation by looking at how developers might benefit from using the standard workflow or adapting it to machine learning.

Software engineering (SE) has recently adopted deep learning. Unanswered questions remain. Li et al. [ 1 ] looked at 98 SE publications that employ deep learning to tackle these questions. Deep learning technologies have simplified 41 SE jobs across all phases. Deep learning models and their variations are utilized to answer 84.7% of SE issues in publications. Deep learning's practicality is questioned. More SE scholars may be interested in improving deep learning-based solutions in the future.

3. Methodology

In this section, we propose a novel LSTM framework that can recommend software development features based on a dataset of clients. Figure 1 shows the workflow of the proposed framework:

The proposed framework workflow.

3.1. Dataset Description

The dataset used in this study is an Excel-generated synthetic dataset curated from a real BI tools dataset. It has 100 rows and 11 features with 1 output feature (i.e., rating). When the rating of a piece of software is more than 3, the proposed model recommends it; otherwise, the model does not recommend it. Table 1 shows the dataset description and feature explanation.

Dataset description and feature explanation.

Table 2 shows the dataset samples from the acquired dataset as given below.

Dataset samples from the acquired dataset.

Figure 2 shows the visualization of the dataset and frequency distribution of each feature as given below.

Visualization of the dataset and frequency distribution of attributes.

Figure 3 shows the distribution of four features: business scale (large, small, and medium); deployment (on premise, hybrid, and cloud); OS (Windows, Mac, and Linux); and pricing (freemium, open source, and enterprise).

Distribution of features: (a) business scale, (b) deployment, (c) OS, and (d) pricing.

3.2. Raw Data Processing

The raw data have been collected. Data purification has then been completed using various methods, such as deleting duplicates and null values. This technique is employed in data mining to transform unstructured data into a form suitable for analysis. It is not uncommon for data in the real world to be inconsistent or even missing. Prediction models are complicated when classifications are not dispersed uniformly throughout. The number of occurrences in each class is often the same in categorization machine learning algorithms. In the wake of this study, resampling procedures have substantially evolved. Remove records from each cluster such that the majority class records are captured and undersampling is prevented. For more diverse synthetic samples, oversampling can be utilized in place of producing identical reproductions of data from the minority classes [ 21 ]. When conducting data mining research, it is critical that the dataset is balanced and consistent. It is possible to find outliers in a dataset. An outlier is a value that stands out from the rest of the dataset because of its uniqueness. Outliers could result from reading errors, equipment faults, or human error. Before undertaking any statistical analysis or study, outliers must be deleted from the dataset. The analysis and subsequent treatment can be influenced by incomplete or erroneous findings caused by any outlier [ 22 , 23 ].

3.3. Feature Engineering

By using data from a certain domain, learning machines can use these functions. In order to make machine learning representations of raw data, this must be done manually. Correlation matrices are used in this study to determine the correlation between the variables. Covariance matrices are the same as correlation matrices. Using the correlation, one may determine the strength of a linear link. The concept of correlation summarizes the frequency and direction of a straight-line link between two quantitative variables. The correlation value is denoted by r, which ranges from −1 to +1.

3.4. Proposed Model

In the proposed model (shown in Figure 4), input sequences are feature embedded and then extracted in the contented layer. The Keras Tuner module provides a Hyperband optimization algorithm that can be used to distribute hyperparameter tuning for TensorFlow models in just a few lines of code. For hyperparameter tuning, a validation dataset containing 10% of randomly selected samples from the training data is used. Furthermore, we employed sparse categorical accuracy as a ranking metric for optimization trials. We experimented with various batch sizes before settling on batch size = 512. Data from previous optimization stages are used to train a final model with a set of hyperparameters that is as good as it can possibly be. In order to assess the accuracy of our new recommender system, we implemented a back-testing technique.

Proposed model architecture.

3.4.1. Novel LSTM Cell

Long short-term memory networks are a subset of the broader category of recurrent neural networks. Language, stock prices, and power demand are examples of time- or sequence-dependent behavior; recurrent neural networks seek to represent such phenomena. In order to achieve this, the output of a layer in a neural network at time t is fed back into the input of the same layer at time t + 1. Figure 5 shows the modified recurrent units of the new version of LSTM:

Recurrent nodes of modified LSTM.

During training and prediction, recurrent neural networks are “unrolled” programmatically, resulting in Figure 6 .

Unrolled nodes.

New data are sent to the network at each time step, and the output of the previous F ($h_{t-1}$) is also supplied, as shown in Figure 6.

In place of the typical neural network layers, an LSTM network uses LSTM cell blocks to store information for future use. The input, forget, and output gates are all parts of these cells that will be discussed in greater depth below. Our planned LSTM cell is depicted graphically below in Figure 7 .

Modified cell of LSTM.

3.4.2. Input Gate

First, a tanh activation function is applied, compressing the input to a range from −1 to 1. To put it another way,

where $U^g$ and $V^g$ represent the weights for the input $x_t$ and the previous cell output, and $b^g$ represents the input bias. The $g$ exponents do not represent an increased power but rather the weights and biases used in the input calculations (as opposed to the input gate, forget gate, output gate, etc.). The output of the input gate, which is a chain of sigmoid-activated nodes, is multiplied by this compressed input, element by element:

3.4.3. Forget Gate and State Loop

Forget gate of the cell is expressed as

The product of the previous state with the forget gate yields an expression of the form $(b^f + x_t U^f + h_{t-1} V^f)$ as its output. Following the forget gate/state loop, the product is

3.4.4. Output Gate

The output gate of LSTM is expressed as

Finally, the product of all gates is

Recall and accuracy were utilized to assess the effectiveness of the strategies under consideration for the software development recommender system. The computations of the metrics utilized in this study are shown in Table 3 .

Description of metrics.
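The gate computations described in Sections 3.4.2 to 3.4.4 can be traced with one forward step of a standard LSTM cell, using the text's U, V and b naming per gate. This is an added example, not the paper's code: the paper's modifications to the cell are not stated on this page and are not reproduced, and the helper names and sample weights are constructed for illustration.

```python
import math


def sigmoid(z):
    """Numerically stable logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def affine(b, x, U, h_prev, V):
    """Return b + x U + h_prev V for row vectors x and h_prev."""
    out = list(b)
    for j in range(len(b)):
        out[j] += sum(x[k] * U[k][j] for k in range(len(x)))
        out[j] += sum(h_prev[k] * V[k][j] for k in range(len(h_prev)))
    return out


def lstm_step(x_t, h_prev, s_prev, params):
    """One step of a standard LSTM cell.

    params maps a gate name to (U, V, b):
      'g' squashed input, 'i' input gate, 'f' forget gate, 'o' output gate.
    Returns (h_t, s_t): the new cell output and the new internal state.
    """
    pre = {k: affine(b, x_t, U, h_prev, V) for k, (U, V, b) in params.items()}
    g = [math.tanh(z) for z in pre["g"]]   # input compressed to (-1, 1)
    i = [sigmoid(z) for z in pre["i"]]     # how much of g is let in
    f = [sigmoid(z) for z in pre["f"]]     # how much old state is kept
    o = [sigmoid(z) for z in pre["o"]]     # how much state is exposed
    # State loop: keep part of the old state, add the gated new input.
    s_t = [sp * fj + gj * ij for sp, fj, gj, ij in zip(s_prev, f, g, i)]
    h_t = [math.tanh(s) * oj for s, oj in zip(s_t, o)]
    return h_t, s_t


def zero_params(n_in, n_hidden, bias=None):
    """Constructed parameters: all-zero weights, optional per-gate bias."""
    bias = bias or {}
    return {
        k: (
            [[0.0] * n_hidden for _ in range(n_in)],
            [[0.0] * n_hidden for _ in range(n_hidden)],
            [bias.get(k, 0.0)] * n_hidden,
        )
        for k in "gifo"
    }


def run_sequence(xs, params, n_hidden):
    """Unroll the cell over a sequence, starting from zero state."""
    h, s = [0.0] * n_hidden, [0.0] * n_hidden
    for x in xs:
        h, s = lstm_step(x, h, s, params)
    return h, s


if __name__ == "__main__":
    # Constructed demo: 2 input features, 2 hidden units, small weights.
    p = zero_params(2, 2)
    p["g"] = ([[0.5, -0.3], [0.1, 0.8]], [[0.2, 0.0], [0.0, 0.2]], [0.0, 0.0])
    p["f"] = (p["f"][0], p["f"][1], [1.0, 1.0])  # bias toward remembering
    h, s = run_sequence([[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]], p, 2)
    print("h_T =", h)
    print("s_T =", s)
```

With a large positive forget-gate bias the state passes through a step almost unchanged, and with a large negative one it is erased, which is the behaviour the forget gate/state loop section describes.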

4. Results and Discussion

Our approach was put to the test using data from the Steam project. There are no existing datasets that can be used to test our strategy. For testing purposes, we used the most recent records as a test set and the rest of the records as training sets.

In this experiment, we used a serial filling with a time series length of T = 12 and a dimensionality reduction with a target dimension k = 50. Finally, we gave each user a list of the top 50 (N = 50) things. We used two separate control trials to assess the effectiveness of each component of our strategy. Neither the serial filling (noSF) nor the dimensionality reduction (noDR) was applied in one experiment.

In order to establish a baseline, we compared our method to collaborative filtering for implicit feedback (IF) and temporal decay (TD). To evaluate the correctness of our recommendations, we looked at the recall rate, whereas for determining system efficiency, we looked at training and execution times. Our final step was to examine each software's average recommendation time to see if there was a wide range of recommendation times for each method.

The recall rates for various techniques are shown in Table 4. When IR and serial filling were tested, they were found to have a greater recall rate than the baseline techniques. Time spent in IR is shown in Table 5. Matrix factorization is a useful way to reduce the number of dimensions in a system because the recall rate of IR was nearly the same as that of IRnoDR.

Recall rates of the proposed LSTM with different approaches.

Time of the proposed LSTM with different approaches.

Figure 8 displays the IR and Figure 9 depicts the IF distribution of the top software recommendation times. Because IR recommends more diverse items than baseline collaborative filtering, we can conclude that our approach is more diverse than baseline collaborative filtering.

Recommendation of LSTM with IR.

Recommendation of LSTM with IF.

5. Conclusions

Within the scope of this work, an LSTM-based recommendation model for interaction records was suggested. Based on the results of our evaluations, our model performed admirably in all three categories: accuracy, efficiency, and variety. In the future, we intend to evaluate the generalizability of our approach by applying it to a wide variety of datasets. In addition, we considered the total amount of time spent communicating with one another as a quality factor in this study. There is a high probability that reviews will be distorted due to the viewpoints of various individuals and types of goods. As a direct consequence of this, we ought to direct our attention going forward toward enhancing the quality of our rating vectors. In order to deal with time series, we will also investigate a variety of other approaches and models.

Acknowledgments

This study could not have been started or achieved without the encouragement of Shaqra University and its continued support. The research work was supported by the College of Computing and Information Technology, Shaqra University, KSA.

Data Availability

Conflicts of interest.

The author declares no conflicts of interest.

Study on the Weathering Characteristics of a Solitary Rock in Chishui Based on Pore Structure with Depth

  • Original Paper
  • Published: 29 May 2024

  • Jinfeng Zhang 1 ,
  • Genlan Yang   ORCID: orcid.org/0009-0000-4277-5566 1 , 2 ,
  • Kunpeng Lu 1 , 2 ,
  • Wenjie Jiang 1 , 2 ,
  • Xiqiong Xiang 1 , 2 ,
  • Dajuan Wang 1 &
  • Chongping Huang 1  

Solitary boulders emerge in the thick-bed red sandstone in the Chishui red bed area due to weathering, which can potentially induce engineering disasters. This paper measures the porosity, pore size, pore throat distribution, T2 spectrum distribution, chemical oxide content, and rebound value of the red sandstone boulder at different depths, and explores their variation trends, rules, and relationships. The research results show that: (1) the deterioration of red sandstone pores caused by weathering is reflected in the increase of porosity and pore size. The pore size of the red sandstone in the slightly weathered zone is dominated by micro and small pores, accounting for >75.11%. There are mainly three peaks on the T2 spectrum curve of red sandstone. With the enhancement of weathering, the T2 spectrum curve shifts to the right, and the peak area gradually increases as a whole. (2) The element enrichment intensity of red sandstone is in the order of Fe > Ti > Si > Al, and the loss intensity is in the order of Ca > Mg > Na. The growth rate of rock rebound value decreases continuously with the increase of rock depth, and the rebound value eventually tends to be stable. (3) The chemical alteration index CIA can be indicative of the deterioration degree of physical properties (porosity etc.) of red sandstone, and the division of slightly and moderately weathered zones. (4) The rock rebound value shows that the mechanical properties of red sandstone decrease with the increase of weathering degree, which is closely related to the damage of rock pore structure.

Data Availability

Enquiries about data availability should be directed to the authors.

Acknowledgements

Thanks to Chongqing Huang, Dajuan Wang, and Dengwu Long for their help in the process of sample collection and test data analysis, and thank Kunpeng Lu, Zhengyang Li, and Hexing Zhang for their suggestions on paper revision.

This study was supported by the Guizhou Provincial Basic Research Program (Natural Science) (ZK [2021] Basic 200).

Author information

Authors and affiliations.

College of Resources and Environmental Engineering, Guizhou University, Guiyang, 550025, China

Jinfeng Zhang, Genlan Yang, Kunpeng Lu, Wenjie Jiang, Xiqiong Xiang, Dajuan Wang & Chongping Huang

Key Laboratory of Karst Geological Resources and Environment, Ministry of Education, Guizhou University, Guiyang, 550025, China

Genlan Yang, Kunpeng Lu, Wenjie Jiang & Xiqiong Xiang

Corresponding author

Correspondence to Genlan Yang .

Ethics declarations

Competing interests.

A competing interests declaration is mandatory for publication in this journal. Please confirm that this declaration is accurate, or provide an alternative.

About this article

Zhang, J., Yang, G., Lu, K. et al. Study on the Weathering Characteristics of a Solitary Rock in Chishui Based on Pore Structure with Depth. Geotech Geol Eng (2024). https://doi.org/10.1007/s10706-024-02823-3

Received : 18 December 2023

Accepted : 10 May 2024

Published : 29 May 2024

DOI : https://doi.org/10.1007/s10706-024-02823-3

  • Red sandstone
  • Weathering characteristics
  • Nuclear magnetic resonance
  • Chemical alteration index
  • Rebound value
COMMENTS

  1. Journal of Software Engineering Research and Development

    From 1 January 2019, Journal of Software Engineering Research and Development will be published by the Brazilian Computer Society. ... This survey reviews published materials related to the specific area of Search-Based Software Engineering that concerns software maintenance and, in particular, refactoring. ... This paper uses mutation testing ...

  2. Journal of Software: Evolution and Process

    Journal of Software: Evolution and Process is a computer science and software engineering journal that enables the software community to communicate new ideas for developing, managing and improving software, systems and services. We publish original research, empirical studies, surveys and more covering topics including software testing, continuous improvement of software processes and ...

  3. Carnegie Mellon University, Software Engineering Institute

    This paper describes the future research discussed at the 2022 Zero Trust Industry Day event. ... This report describes ModDevOps, an approach that bridges model-based engineering and software engineering using DevOps concepts and code generation from models, and TwinOps, a specific ModDevOps pipeline. ...

  4. software engineering Latest Research Papers

    End To End . Predictive Software. The paper examines the principles of the Predictive Software Engineering (PSE) framework. The authors examine how PSE enables custom software development companies to offer transparent services and products while staying within the intended budget and a guaranteed budget.

  5. Software Engineering's Top Topics, Trends, and Researchers

    For this theme issue on the 50th anniversary of software engineering (SE), Redirections offers an overview of the twists, turns, and numerous redirections seen over the years in the SE research literature. Nearly a dozen topics have dominated the past few decades of SE research—and these have been redirected many times. Some are gaining popularity, whereas others are becoming increasingly ...

  6. Software

    Software is an international, peer-reviewed, open access journal on all aspects of software engineering published quarterly online by MDPI.. Open Access — free for readers, with article processing charges (APC) paid by authors or their institutions.; Rapid Publication: manuscripts are peer-reviewed and a first decision is provided to authors approximately 19.3 days after submission ...

  7. 319424 PDFs

    Software engineering and the application of knowledge-based, simulation-based, data-driven, human-centred and automated approaches. | Explore the latest full-text research PDFs, articles ...

  8. Software Engineering

    Software Engineering. At Google, we pride ourselves on our ability to develop and launch new products and features at a very fast pace. This is made possible in part by our world-class engineers, but our approach to software development enables us to balance speed and quality, and is integral to our success. Our obsession for speed and scale is ...

  9. Software Engineering for AI-Based Systems: A Survey

    In this context, there is a need to explore Software Engineering (SE) practices to develop, maintain and evolve AI-based systems. This paper aims to characterize SE practices for AI-based systems in the new wave of AI, i.e., Software Engineering for Artificial Intelligence (SE4AI). The motivation of this work is to synthesize the current

  10. [2401.14617] A Systematic Literature Review on Explainability for

    Title: A Systematic Literature Review on Explainability for Machine/Deep Learning-based Software Engineering Research. ... and spans 63 papers across 21 unique SE tasks. Based on three key Research Questions (RQs), we aim to (1) summarize the SE tasks where XAI techniques have shown success to date; (2) classify and analyze different XAI ...

  11. Home

    Overview. Empirical Software Engineering serves as a vital forum for applied software engineering research with a strong empirical focus. A platform for empirical results relevant to both researchers and practitioners. Features industrial experience reports detailing the application of software technologies. Addresses the gap between research ...

  12. Highly-cited papers in software engineering: The top-100

    An analysis of the most cited papers in software engineering journals-2002 • The top cited paper is "Preliminary guidelines for empirical research in software engineering" with 64 citations. [25] 2008: An analysis of research topics in software engineering-2006 • The paper examines all the 691 papers published in a selected list of ...

  13. The state of research on software engineering competencies: A

    2.2. Related literature review studies. Three literature review studies on SEC were found from the literature search. Cruz et al. (2015) used a systematic mapping study to plot the current landscape of published empirical and theoretical studies that explored the role of personality in software engineering. The authors reviewed 90 papers published from 1970 to 2010.

  14. (PDF) A review of software engineering research from a design science

    1 Introduction. Design science is a paradigm for conducting and communicating applied re-. paradigm may be a viable way to present research contributions in existing. search contributions comm ...

  15. Trends in Intelligent and AI-Based Software Engineering Processes: A

    While search-based software engineering is a more recent development, the field's history of work in probabilistic reasoning and machine learning for software engineering is well-established. For the purpose of this paper, the author examined some of the connections between these two areas of research, claiming that they share many ...

  16. Large Language Models for Software Engineering: Survey and Open

    This paper provides a survey of the emerging area of Large Language Models (LLMs) for Software Engineering (SE). It also sets out open research challenges for the application of LLMs to technical problems faced by software engineers. LLMs' emergent properties bring novelty and creativity with applications right across the spectrum of Software Engineering activities including coding, design ...

  17. (PDF) Search Based Software Engineering: A Comprehensive ...

    of Software Engineering paper' by Harman, one of the present authors [215]. appear at first sight, that these questions involve different aspects of software engineering, would be covered by ...

  18. Defining Requirements Strategies in Agile: A Design Science Research Study

    Research shows that many of the challenges currently encountered with agile development are related to requirements engineering. Based on design science research, this paper investigates critical challenges that arise in agile development from an undefined requirements strategy. We explore potential ways to address these challenges and synthesize the key building blocks of requirements ...

  19. Systematic literature reviews in software engineering

    1. Introduction. At ICSE04, Kitchenham et al. [23] suggested software engineering researchers should adopt "Evidence-based Software Engineering" (EBSE). EBSE aims to apply an evidence-based approach to software engineering research and practice. The ICSE paper was followed-up by an article in IEEE Software [5] and a paper at Metrics05 [17]. Evidence-based research and practice was ...

  20. PDF Writing Good Software Engineering Research Papers

    In software engineering, research papers are customary vehicles for reporting results to the research community. In a research paper, the author explains to an interested ... based on reading the abstracts (but not the papers), followed by graphs of the counts and distributions in Figures 3 and 4. Table 3. Types of software engineering research ...

  21. Trends in Intelligent and AI-Based Software Engineering Processes: A

    While search-based software engineering is a more recent development, the field's history of work in probabilistic reasoning and machine learning for software engineering is well-established. For the purpose of this paper, the author examined some of the connections between these two areas of research, claiming that they share many characteristics.

  22. PDF Data-Driven Search-based Software Engineering

    This paper introduces Data-Driven Search-based Software Engineering (DSE), which combines insights from Mining Software Repositories (MSR) and Search-based Software Engineering (SBSE). While MSR formulates software engineering problems as data mining problems, SBSE reformulates Software Engineering (SE) problems as optimization problems and ...

  23. Bibliometric Analysis of Trends and Future Directions of Research and

    The papers were published between 1980 and 2022 and were subjected to bibliometric analysis based on the most prolific contributors, references, countries, and keywords. CiteSpace software 6.1 R6 was applied to visualize information about seed orchard research.

  24. Twenty-eight years of component-based software engineering

    The idea of developing software components was envisioned more than forty years ago. In the past two decades, Component-Based Software Engineering (CBSE) has emerged as a distinguishable approach in software engineering, and it has attracted the attention of many researchers, which has led to many results being published in the research literature.

  25. IEEJ Transactions on Electrical and Electronic Engineering

    In order to solve the above problems, this paper established a 3D electromagnetic and stress coupling simulation model of oil-immersed transformer by finite element simulation software. The vibration characteristics of oil-immersed transformer core winding are obtained, and at the same time, this paper obtained the vibration signals at ...

  26. (PDF) Software Engineering Research Topics

    5) Software Testing. 6) Software Measurement. 7) Software Product Lines. 8) Software Architecture. 9) software verification. 10) software business. 11) Software Refactoring. 12) software design ...

  27. Products, Solutions, and Services

    Cisco+ (as-a-service) Cisco buying programs. Cisco Nexus Dashboard. Cisco Networking Software. Cisco DNA Software for Wireless. Cisco DNA Software for Switching. Cisco DNA Software for SD-WAN and Routing. Cisco Intersight for Compute and Cloud. Cisco ONE for Data Center Compute and Cloud.

  28. Study on the Weathering Characteristics of a Solitary Rock ...

    Solitary boulders emerge in the thick-bed red sandstone in the Chishui red bed area due to weathering, which can potentially induce engineering disasters. This paper measures the porosity, pore size, pore throat distribution, T2 spectrum distribution, chemical oxide content, and rebound value of the red sandstone boulder at different depths, and explores their variation trends, rules, and ...