Secure Systems By Design

Secure Systems By Design

Tech Talk, Past Presentation

The May 2024 tech talk was presented by Tim Chick

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract

The SEI has been in the forefront of secure software development, promoting a “shift left” approach, whereby security weaknesses are addressed, prevented, or eliminated earlier in the software development cycle, saving time and money. 

In this presentation, we will discuss security being an integral aspect of the entire software lifecycle as a result of following deliberate, intentional engineering processes, rather than security being addressed in individual stages as one-off activities.

About the Presenter 

Tim Chick is the CERT Applied Systems Group Technical Manager at Carnegie Mellon University’s (CMU) Software Engineering Institute (SEI). He currently leads a team of software and system engineers as they build and operate technical solutions for both internally-funded research and customer-facing prototypes, and delivers trusted, valued, and relevant software engineering and cybersecurity approaches for software intensive systems through engineering and consulting support to DoD and DHS programs. In collaboration with technical experts across the SEI, the team assists organizations with the application of Agile and DevSecOps practices and the adoption of emerging technologies needed to keep pace with evolving opportunities, risks, and threats.

He is also an adjunct faculty member at CMU’s Software and Societal Systems Department (S3D), where he teaches courses on Agile and Software Project Management.

Prior to joining CMU, Chick worked for Naval Air Systems Command (NAVAIR) as a project manager, leading software development projects and software process improvement efforts for the E-2C Hawkeye Program, and as a software acquisition lead for the Vertical Take-Off and Landing Tactical Unmanned Aerial Vehicle (VTUAV) Program.

He holds an MS in Computer Science from Johns Hopkins University and a BS in Computer Engineering from Clemson University.

Why Can’t Johnny Program Securely?

Why Can’t Johnny Program Securely?

Tech Talk, Past Presentation

The October 2022 tech talk was presented by Robert Seacord

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract

Secure coding (unsurprisingly) is hard. Our educational systems have failed to properly prepare students, and our assessments have overestimated their abilities. Analysis and testing is useful but inadequate. This presentation will discuss the gap in qualified secure coders and what we can do to eliminate it.

About the Presenter 

Robert C. Seacord is the Standardization Lead at Woven Planet, where he works on the software craft. Robert was previously a Technical Director at NCC Group, Secure Coding Manager at Carnegie Mellon’s Software Engineering Institute, and an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University.

He is the author of seven books, including Effective C: An Introduction to Professional C Programming (No Starch Press, 2020), The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014) Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). He has also published more than 50 papers on software security, component- based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development. Robert has been teaching secure coding in C and C++ to private industry, academia, and government since 2005. He started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering; he  also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. Robert is on the advisory board for the Linux Foundation and is an expert at the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.

Designing and Launching Secure Software Development Degree Apprenticeships Partnering with Historically Black Colleges and Universities – Panel Session

Designing and Launching Secure Software Development Degree Apprenticeships Partnering with Historically Black Colleges and Universities – Panel Session

Past Presentation

The May 2022 tech talk was presented by Diana Elliott, Girish Seshagiri, and Nikunja Swain

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

About the Session

Currently, in the U.S. over one million software developer positions and 600,000 cybersecurity occupations are unfilled due to the lack of available skilled job seekers. At the same time, the percentage of women, minorities and veterans in technology professions continues to be low. In this panel discussion, we describe how a consortium of South Carolina Historically Black Colleges and Universities (HBCUs) is partnering with SC employers to design and launch IT and cybersecurity degree apprenticeship cohorts in fall 2022. The panelists will provide a status update of the exemplar government/industry/academic collaboration which will result in career pathways to technology jobs for cyber security and computer science graduates of HBCUs. The panelists will discuss the requirements of DOL Registered Apprenticeship Program which is a high-quality vocational training model with standard work process including 2,000 hours of on-the-job training and 61 academic credit hours. The panelists will present how the HBCU consortium colleges mapped cybersecurity and computer science degree curricula to National Initiative Cybersecurity Education (NICE) Framework competencies for developing software which is secure from cyber-attacks.

About the Presenters

Diana Elliott is a senior fellow in the Center on Labor, Human Services, and Population at the Urban Institute. Her work focuses on families’ financial security and economic mobility and the programs and policies that support them, including apprenticeships. Elliott is the director of several apprenticeship projects at Urban, including the Apprenticeship Expansion and Modernization Fund, which launched over 1500 apprentices into tech occupations. Prior to Urban, Elliott was a research manager at the Pew Charitable Trusts and a family demographer at the US Census Bureau. Elliott holds a PhD in sociology from the University of Maryland, College Park.

Girish Seshagiri Founder/CEO of Nonprofit Apprenticeship Implementation Solutions, Inc is an early adopter of the apprenticeship dual model. Under his leadership, the Community Initiative Center of Excellence for Secure Software (CICESS) was launched in Peoria, Illinois in 2015. CICESS received the 2018 Innovation in Cybersecurity Education Award given by the National Cyberwatch Center. Girish is currently focused on government/industry/academic collaboration partnering with Historically Black Colleges and Universities to design and launch IT and Cybersecurity degree apprenticeship cohorts. Girish is the immediate past co-chair of the NICE Apprenticeship Working Group. Girish has an MBA from Michigan State University.

Nikunja Swain is a professor, department chair, and executive director of center of excellence in cybersecurity at South Carolina State University. Dr. Swain has over 35 years of college level teaching experience and he is a registered professional engineer in South Carolina. Dr. Swain has over 70 conference/journal publications, and number of grants from NSF, DOE, USDA/NIFA, DOD, and others. Dr. Swain is a life senior member of IEEE, a professional member of ACM, a member of SIGITE, and ASEE.

The Digital Transformation Spiral Model

The Digital Transformation Spiral Model

Past Presentation

The March 2022 tech talk was presented by Dr. Barry Dwolatzky

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract:

Digital transformation has become an imperative for organisations in the 21st Century irrespective of size, sector, or geographic location. Studies have shown that a very high percentage of digital transformation journeys have failed to deliver the desired results. In order to mitigate some of the risks associated with digital transformation and its associated organisational changes, we have proposed a lifecycle model approach. We call the lifecycle the “Digital Transformation Spiral Model”, or DTSM. It is an iterative and incremental model with both a “design and development” cycle and a “governance” cycle. The focus is on continuous innovation via continuous improvement. The DTSM draws on a number of tools and frameworks including the Business Model Canvas (BMC), CMMI, and Kent Beck’s 3X model.

About the Presenter 

PROFESSOR BARRY DWOLATZKY, BSc(Eng), PhD, FSAIEE, FIITPSA

Barry Dwolatzky is professor emeritus in the School of Electrical & Information Engineering at Wits University. He is the founder and Director of the University’s Joburg Centre for Software Engineering (JCSE). He is also the founder of Wits University’s Tshimologong Digital Innovation Precinct in Braamfontein, Johannesburg. While he remains the Director of the JCSE, in July 2021 he was appointed as Director of Innovation Strategy in the Office of the Wits Deputy Vice-Chancellor: Research and Innovation.

Barry’s undergraduate (BSc(Eng) ) and postgraduate degree (PhD) are in Electrical Engineering and are from Wits. In 1979, he left South Africa and worked in the UK as a postdoctoral researcher at the University of Manchester Institute of Science and Technology (UMIST), Imperial College, London, and at the GEC-Marconi Research Centre. Over this period, he worked on a number of large software research and development projects.

Barry returned to Wits from the UK as a senior lecturer in 1989. He became a full professor in 2000. In December 2017, he officially retired from Wits and was appointed a professor emeritus. His primary focus over the past 30 years has been the growth and development of the South African software engineering sector.

In 2005, Dwolatzky was the major driver in setting up the Joburg Centre for Software Engineering (JCSE) at Wits. The JCSE aims to grow skills, promote the adoption of best practices, and encourage innovation and entrepreneurship in South Africa’s digital economy. In 2007, he became Director and CEO of the JCSE.

In 2013, Dwolatzky spearheaded an initiative at Wits to establish a major digital innovation hub in the Braamfontein area of inner-city Johannesburg. Called the “Tshimologong Precinct,” the project has attracted significant support from government and a range of major local and international companies. IBM Research has established their 12th international laboratory in Braamfontein as an integral part of the precinct.

In recognition of his contribution to the South African IT industry, Barry Dwolatzky was named the “South African IT Personality of the Year” in 2013, and received an award for “Distinguished Service to IT” from the Institute of IT Professionals of South Africa (IITPSA) in 2016. Also in 2016, Wits University presented him with the “Vice Chancellor’s Award for Academic Citizenship.”

Why Is It So Hard to Do Easy Stuff?

Why Is It So Hard to Do Easy Stuff?

Past Presentation

The April 2021 tech talk was presented by Gerardo Lopez

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract:

Software technology is huge and seems complex, but it really isn’t: every technology is just an enormous bunch of small pieces (each only a few characters long). It is impossible for anyone to understand everything, but successful software implementations can be achieved with a thorough understanding of the “small set of pieces” required to solve a given problem.

To create a good software solution to address a given problem, we first must formulate a good understanding of that problem — specifically, we need to discover the structure of the problem. Good software should model the problem’s structure, thus making it easy to debug and maintain.

Engineering techniques to achieve this were invented many years ago, and many programmers and organizations were successful in applying this knowledge. These engineering techniques are easy to learn, but are not used widely enough by software engineers today.

About the Presenter 

Gerardo Lopez

Gerardo is an entrepreneur, businessman, and software engineer with more than 45 years of experience in transforming software development to well-established software engineering practices in order to achieve top quality and reduce development cost and time.

Gerardo holds a Bachelor’s degree in Electrical Engineering from Tec de Monterrey, and spent two years working for a Master of Arts degree in Computer Sciences at Texas University.

From 1982 through 2000, he founded and grew Softtek, a software development company in Mexico, to become the largest in Latin America. In 2002, he started Towa with the vision to excel in software quality and lead Mexico to become #1 in software quality in the world (“Mexico should achieve in software what the Japanese did in car manufacturing 60 years ago”). Gerardo is currently serving the SEA as leader of the Content Creation working group.