Software Engineering Institute (SEI) Podcast Series
Technology
About
The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.
Episodes
- Goal-Line Defense: A Tool to Discover and Mitigate UEFI Vulnerabilities
As recently as December 2025, the Carnegie Mellon University Software Engineering Institute (SEI's) CERT Coordination Center (CERT/CC) documented a UEFI-related vulnerability in certain motherboard models, illustrating that early-boot firm…
- Leadership, Legacy, and the Power of Mentors: Insights from Dr. Paul Nielsen
In February 2026, Paul Nielsen announced that he will transition out of his role as director and chief executive officer of the Software Engineering Institute (SEI) at Carnegie Mellon University. During Nielsen's tenure, the SEI has marked…
- With a Little Help from Our Civilian Friends: Cybersecurity Reserve Is Both Feasible and Advisable
Cybersecurity staffing shortages are a major concern in the government given the increasingly sophisticated cyber attacks on the nation's critical infrastructure. In the FY2023 National Defense Authorization Act (NDAA), Congress tasked the…
- Maturing AI Adoption: From Chaos to Consistency
While Stanford University found that AI investments, optimism, and accessibility are rising, a recent MIT report suggests that 95 percent of organizations are realizing no returns on their generative AI investments. Research from Accenture…
- Temporal Memory Safety in C and C++: An AI-Enhanced Pointer Ownership Model
In October 2025, CyberPress reported a critical security vulnerability in the Redis Server, an open-source in-memory database that allowed authenticated attackers to achieve remote code execution through a use-after-free flaw in the Lua sc…
- AI for the Warfighter: Acquisition Challenges and Guidance
On November 7, the Department of War released an acquisition transformation strategy that seeks to remove bureaucratic hurdles and streamline acquisition processes to enable even more rapid adoption of technologies, including artificial in…
- Visibility Through the Clouds with Network Flow Logs
Organizations, including the U.S. military, are increasingly adopting cloud deployments for their flexibility and cost savings. The shared security model utilized by cloud service providers removes some of the adopting organization's respo…
- Orchestrating the Chaos: Protecting Wireless Networks from Cyber Attacks
From early 2022 through late 2024, a group of threat actors publicly known as APT28 exploited known vulnerabilities, such as CVE-2022-38028, to remotely and wirelessly access sensitive information from a targeted company network. This atta…
- From Data to Performance: Understanding and Improving Your AI Model
Modern data analytic methods and tools—including artificial intelligence (AI) and machine learning (ML) classifiers—are revolutionizing prediction capabilities and automation through their capacity to analyze and classify data. To produce…
- What Could Possibly Go Wrong? Safety Analysis for AI Systems
How can you ever know whether an LLM is safe to use? Even self-hosted LLM systems are vulnerable to adversarial prompts left on the internet and waiting to be found by system search engines. These attacks and others exploit the complexity…
- Getting Your Software Supply Chain In Tune with SBOM Harmonization
Software bills of materials or SBOMs are critical to software security and supply chain risk management. Ideally, regardless of the SBOM tool, the output should be consistent for a given piece of software. But that is not always the case.…
- API Security: An Emerging Concern in Zero Trust Implementations
Application programing interfaces, more commonly known as APIs, are the engines behind the majority of internet traffic. The pervasive and public nature of APIs have increased the attack surface of the systems and applications they are use…
- Delivering Next-Generation AI Capabilities
Artificial intelligence (AI) is a transformational technology, but it has limitations in challenging operational settings. Researchers in the AI Division of the Carnegie Mellon University Software Engineering Institute (SEI) work to delive…
- The Benefits of Rust Adoption for Mission-and-Safety-Critical Systems
A recent Google survey found that many developers felt comfortable using the Rust programming language in two months or less. Yet barriers to Rust adoption remain, particularly in safety-critical systems, where features such as memory and…
- Threat Modeling: Protecting Our Nation's Complex Software-Intensive Systems
In response to Executive Order (EO) 14028, Improving the Nation's Cybersecurity , the National Institute of Standards and Technology (NIST) recommended 11 practices for software verification . Threat modeling is at the top of the list. In…
- Understanding Container Reproducibility Challenges: Stopping the Next Solar Winds
Container images are increasingly being used as the main method for software deployment, so ensuring the reproducibility of container images is becoming a critical step in protecting the software supply chain. In practice, however, builds…
- Mitigating Cyber Risk with Secure by Design
Software enables our way of life, but market forces have sidelined security concerns leaving systems vulnerable to attack. Fixing this problem will require the software industry to develop an initial standard for creating software that is…
- The Magic in the Middle: Evolving Scaled Software Solutions for National Defense
A January 2025 Defense Innovation Board study on scaling nontraditional defense innovation stated, "We must act swiftly to ensure the DoD leads in global innovation and competition over AI and autonomous systems – and is a trendsetter for…
- Making Process Respectable Again: Advancing DevSecOps in the DoD Mission Space
Warfighters in the Department of Defense (DoD) operate in high-stakes environments where security, efficiency, and speed are critical. In such environments DevSecOps has become crucial in the drive toward modernization and overall mission…
- Deploying on the Edge
Deploying cloud-centric technologies such as Kubernetes in edge environments poses challenges, especially for mission-critical defense systems. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Patri…
- The Best and Brightest: 6 Years of Supporting the President's Cup Cybersecurity Competition
A strong cyber defense is vital to public- and private-sector activities in the United States. In 2019, in response to an executive order to strengthen America's cybersecurity workforce, the Department of Homeland Security's Cybersecurity…
- Updating Risk Assessment in the CERT Secure Coding Standard
Evaluating source code to ensure secure coding qualities costs time and effort and often involves static analysis. But those who are familiar with static analysis tools know that the alerts are not always reliable and produce false positiv…
- Delivering Next Generation Cyber Capabilities to the DoD Warfighter
In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Gregory Touhill, director of the SEI CERT Division, sits down with Matthew Butkovic, technical director of Cyber Risk and Resilience at CERT, to disc…
- Getting the Most Out of Your Insider Risk Data with IIDES
Insider incidents cause around 35 percent of data breaches, creating financial and security risks for organizations. In this podcast from the Carnegie Mellon University Software Engineering Institute, Austin Whisnant and Dan Costa discuss…
- Grace Lewis Outlines Vision for IEEE Computer Society Presidency
Grace Lewis , a principal researcher at the Carnegie Mellon University Software Engineering Institute (SEI) and lead of the SEI's Tactical and AI-Enabled Systems Initiative, was elected the 2026 president of the IEEE Computer Society (CS),…
- Improving Machine Learning Test and Evaluation with MLTE
Machine learning (ML) models commonly experience issues when integrated into production systems. In this podcast, researchers from the Carnegie Mellon University Software Engineering Institute and the U.S. Army AI Integration Center (AI2C)…
- DOD Software Modernization: SEI Impact and Innovation
As software size, complexity, and interconnectedness has grown, software modernization within the Department of Defense (DoD) has become more important than ever. In this discussion moderated by Matthew Butkovic, technical director of risk…
- Securing Docker Containers: Techniques, Challenges, and Tools
Containerization allows developers to run individual software applications in an isolated, controlled, repeatable way. With the increasing prevalence of cloud computing environments, containers are providing more and more of their underlyi…
- An Introduction to Software Cost Estimation
Software cost estimation is an important first step when beginning a project. It addresses important questions regarding budget, staffing, scheduling, and determining if the current environment will support the project. In this podcast fro…
- Cybersecurity Metrics: Protecting Data and Understanding Threats
One of the biggest challenges in collecting cybersecurity metrics is scoping down objectives and determining what kinds of data to gather. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Bill Nicho…
- 3 Key Elements for Designing Secure Systems
To make secure software by design a reality, engineers must intentionally build security throughout the software development lifecycle. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Timothy A. Ch…
- Using Role-Playing Scenarios to Identify Bias in LLMs
Harmful biases in large language models (LLMs) make AI less trustworthy and secure. Auditing for biases can help identify potential solutions and develop better guardrails to make AI safer. In this podcast from the Carnegie Mellon Universi…
- Best Practices and Lessons Learned in Standing Up an AISIRT
In the wake of widespread adoption of artificial intelligence (AI) in critical infrastructure, education, government, and national security entities, adversaries are working to disrupt these systems and attack AI-enabled assets. With nearl…
- 3 API Security Risks (and How to Protect Against Them)
The exposed and public nature of application programming interfaces (APIs) come with risks including the increased network attack surface. Zero trust principles are helpful for mitigating these risks and making APIs more secure. In this po…
- Evaluating Large Language Models for Cybersecurity Tasks: Challenges and Best Practices
How can we effectively use large language models (LLMs) for cybersecurity tasks? In this Carnegie Mellon University Software Engineering Institute podcast, Jeff Gennari and Sam Perl discuss applications for LLMs in cybersecurity, potential…
- Capability-based Planning for Early-Stage Software Development
Capability-Based Planning (CBP) defines a framework that has an all-encompassing view of existing abilities and future needs for strategically deciding what is needed and how to effectively achieve it. Both business and government acquisit…
- Safeguarding Against Recent Vulnerabilities Related to Rust
What can the recently discovered vulnerabilities related to Rust tell us about the security of the language? In this podcast from the Carnegie Mellon University Software Engineering Institute, David Svoboda discusses two vulnerabilities, t…
- Developing a Global Network of Computer Security Incident Response Teams (CSIRTs)
Cybersecurity risks aren't just a national concern. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), the CERT division's Tracy Bills, senior cybersecurity operations researcher and team lead, and Ja…
- Automated Repair of Static Analysis Alerts
Developers know that static analysis helps make code more secure. However, static analysis tools often produce a large number of false positives, hindering their usefulness. In this podcast from the Carnegie Mellon University Software Engi…
- Developing and Using a Software Bill of Materials Framework
With the increasing complexity of software systems, the use of third-party components has become a widespread practice. Cyber disruptions, such as SolarWinds and Log4j, demonstrate the harm that can occur when organizations fail to manage…
- Using Large Language Models in the National Security Realm
At the request of the White House, the Office of the Director of National Intelligence (ODNI) began exploring use cases for large language models (LLMs) within the Intelligence Community (IC). As part of this effort, ODNI sponsored the May…
- Atypical Applications of Agile and DevSecOps Principles
Modern software engineering practices of Agile and DevSecOps have provided a foundation for producing working software products faster and more reliably than ever before. Far too often, however, these practices do not address the non-softw…
- When Agile and Earned Value Management Collide: 7 Considerations for Successful Interaction
Increasingly in government acquisition of software-intensive systems, we are seeing programs using Agile development methodology and earned value management. While there are many benefits to using both Agile and EVM, there are important co…
- The Impact of Architecture on Cyber-Physical Systems Safety
As developers continue to build greater autonomy into cyber-physical systems (CPSs), such as unmanned aerial vehicles (UAVs) and automobiles, these systems aggregate data from an increasing number of sensors. However, more sensors not only…
- ChatGPT and the Evolution of Large Language Models: A Deep Dive into 4 Transformative Case Studies
To better understand the potential uses of large language models (LLMs) and their impact, a team of researchers at the Carnegie Mellon University Software Engineering Institute CERT Division conducted four in-depth case studies. The case s…
- The Cybersecurity of Quantum Computing: 6 Areas of Research
Research and development of quantum computers continues to grow at a rapid pace. The U.S. government alone spent more than $800 million on quantum information science research in 2022. Thomas Scanlon, who leads the data science group in th…
- User-Centric Metrics for Agile
Far too often software programs continue to collect metrics for no other reason than that is how it has always been done. This leads to situations where, for any given environment, a metrics program is defined by a list of metrics that mus…
- The Product Manager's Evolving Role in Software and Systems Development
In working with software and systems teams developing technical products, Judy Hwang, a senior software engineer in the SEI CERT Division, observed that teams were not investing the time, resources and effort required to manage the product…
- Measuring the Trustworthiness of AI Systems
The ability of artificial intelligence (AI) to partner with the software engineer, doctor, or warfighter depends on whether these end users trust the AI system to partner effectively with them and deliver the outcome promised. To build app…
- Actionable Data in the DevSecOps Pipeline
In this podcast from the Carnegie Mellon University Software Engineering Institute, Bill Nichols and Julie Cohen talk with Suzanne Miller about how automation within DevSecOps product-development pipelines provides new opportunities for pr…