Posted: 06 May Published: 06 May In this guide, explore your options for infrastructure monitoring with Kubernetes, as well as how to utilize key performance metrics and more. Posted: 01 Mar Published: 01 Mar Learn how to conquer complexity and make it to Day 3 in this guide.
Posted: 27 Aug Published: 27 Aug Read more here. Posted: 10 Jun Published: 10 Jun In this cheat sheet, explore the top challenges of multi-cluster management for Kubernetes—and how to get it right. Save the cheat sheet here. Posted: 03 Mar Published: 03 Mar Stop living in the past — check out this white paper on the Application Access Cloud by Axis Security. Posted: 12 Jan Published: 12 Jan About TechTarget: TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific websites, magazines and events.
Posted: 13 Jul Published: 13 Jul Posted: 12 Jul Premiered: Jul 12, Open up this infographic to get more statistics about the rise of modern applications, as well as key requirements and solutions for your organization.
Posted: 15 Jun Published: 15 Jun Check out this blog post to learn more about the announcement including key benefits from the enhancement. Posted: 09 Jun Published: 01 Mar Posted: 12 May Published: 12 May They offer a way for organisations to work closely with an extended ecosystem of business partners, who are able to build value-added software-powered products and services.
Posted: 06 May Published: 06 May Here, explore what TechTarget and CircleCI identified as the top 4 key measurements that are useful across any development project. Learn how to leverage these findings here. Posted: 20 Apr Premiered: Apr 20, VMware vSphere makes this feat a guarantee, with application-focused management, cloud foundation services, and more. Posted: 19 Apr Published: 19 Apr However, modern applications pose their own set of challenges.
In this guide, learn how to overcome the top challenges introduced by modern applications. Start here. Explore key strategies for the agile enterprise here. Posted: 16 Apr Published: 16 Apr Download this exclusive Forrester report to discover how to build great digital products.
Download the guide now. Use this guide to learn how your team can practically meet these new demands. In this guide, explore the road to container adoption to get the most out of both cloud-native and container technologies. In this IDC spotlight report, explore the ins and outs of containers and virtualization, current trends that incorporate both, and the main benefits of this pairing.
Download the exclusive report here to learn more. Posted: 15 Apr Published: 15 Apr
Compared with the PSO algorithm, the proposed method gives results with higher accuracy, by at least 10 times, for the majority of the models. Ahmed, M. April Ando, H. Okamura, T. Minohara and Y. Computer Engineering and Applications, , 44 11 Ant system: Optimization by a colony of cooperating agent [J]. IEEE Trans. Handbook of software reliability engineering [M]. DOI Agartala, P. Thousands of maintenance and replacement models have been created. However, all these models can fall into some categories of maintenance policies: age replacement policy, block replacement policy, periodic preventive maintenance policy, failure limit policy, sequential preventive maintenance policy, repair cost limit policy, repair time limit policy, repair number counting policy, reference time policy, mixed age policy, group maintenance policy, opportunistic maintenance policy, etc.
Each kind of policy has different characteristics, advantages and disadvantages, with many contributions from research scientists and technologists. This survey summarizes, classifies, and compares various existing maintenance policies. Around Authors and their research works are presented in the Reference section.
It will help organizations identify which of the different policies is appropriate for them, and the reference section will help researchers pursue further study. Reliability theory with applications to preventive maintenance.
Optimization of inspection intervals based on cost. J Appl Probab ; vol — Maintenance and monitoring policy under unrevealed failures. Nakagawa T. Periodic inspection policy with preventive maintenance. Naval Res Logist Quart , vol pp33— Optimization of test and maintenance intervals based on risk and cost, Reliability Engineering and System Safety; vol pp23— On time-dependent availability and maintenance optimization of standby units under various maintenance policies.
Reliability Engineering and System Safety; vol pp 79— Stochastic processes, 2nd edition. Wiley: New York; Availability and cost functions for periodically inspected preventively maintained units. Reliability Engineering and System Safety; vol pp— Barlow and F. Conference Mathematical.
Methods in Reliability. Blanton, R. Reliability Athens. Weibull, "A statistical theory of the strength of materials", Ing. Epstein, M. Sobel, "Life testing", J. Daniels, "The statistical theory of the strength of bundles of threads", Proc. London, vol. Epstein, "Application of the theory of extreme values in fracture problems", J. Weibull, "A statistical distribution function of wide applicability", J. Applied Mech. Davis, "An analysis of some failure data", J.
Buehler, "Confidence intervals for the product of two binomial parameters", J. Amer, Stat. Birnbaum, S. Saunders, "A statistical model for life-length of materials", J. Herd, "Some statistical concepts and techniques for reliability analysis and prediction", Proc. Tate, "Unbiased estimation: Functions of location and scale parameters", Ann. Zelen, M. Dannemiller, "The robustness of life testing procedures derived from the exponential distribution", Technometrics, vol.
Shortle, M. Mendel, "Physical foundations for lifetime distributions", Proc. System and Bayesian Rel. Watson and W. Wells, "On the possibility of improving the mean useful life of items by eliminating those with short lives", Technometrics, vol. Barlow, A. Marshall, F. Proschan, "Properties of probability distributions with monotone hazard rate", Ann. Block, T. Blanton, "Reliability-sensitivity-function analysis", Electronic Design, vol.
Dreste, "Statistics: Key to reliable military electronic design", Military Electronics, vol. Dreste, "Circuit design concepts for high reliability", Proc. Madansky, "Uses of tolerance limits in missile evaluation", Proc. Techniques in Missile Evaluation Symp.
Rosenblatt, "Confidence limits for the reliability of complex systems", Stat. Theory of Rel. Johns, G. Thoman, L. Bain, C. Martz, B. Duran, "Comparison of three methods for calculating lower confidence limits on system reliability using component data", IEEE Trans. R-34, no. Lotka, "A contribution to the theory of self-renewing aggregates with special reference to industrial replacement", Ann.
Campbell, "The replacement of perishable members of a continually operating system", J. Feller, "On the integral equation of renewal theory", Ann. Blackwell, "A renewal theorem", Duke Math. Doob, "Renewal theory from the point of view of the theory of probability", Trans. Feller, "Fluctuation theory of recurrent events", Trans.
Cox, W. Smith, "A direct proof of a fundamental theorem of renewal theory", Skand. Smith, "Asymptotic renewal theorems", Proc. Feller, Introduction to Probability Theory and its Applications, 2nd ed. Smith, "Renewal theory and its ramifications", J. B, vol. Smith, "On the cumulants of renewal processes," Biometrika, vol.
Barlow, L. EDL-E35, Aug Watson and M. Leadbetter, "Hazard Analysis. I," Biometrika, vol. Gnedenko, Y. Belyaev, A. Solovyev, Math. Please note that this book was published in in Russia 61 Z. Berkeley Symp. Birnbaum, J. Esary, S. Saunders, "Multicomponent systems and structures and their reliability", Technometrics, vol. Esary, F. Proschan, "Coherent structure of nonidentical components", Technometrics, no.
Esary, "Modules of coherent binary systems", J. SIAM, vol. Esary, A. Marshall, "Stochastic characterization of wear out for components and systems", Ann. Satyanarayana, A. Satyanarayana, M. Chang, "Network reliability and the factoring theorem", Networks, 13, , pp. Bendell, J. Ansell, "The incoherency of multistate coherent system", Rel.
Huseby, "Domination Theory and the crapo beta-invariant", Networks, 19, , pp. Fu, M. Koutras, "Reliability bounds for coherent structures with independent components", Stat. Letters, vol. Tsitmidelis, M. Koutras, V. Zissimopoulos, "Evaluation of reliability bounds by genetic algorithm", Proc. Methods in Rel. Boutsikas, M. Koutras, "Generalized reliability bounds for coherent structures", J. Inagaki, E. R, no. Andrews, S. AD , Aug Haap, "Application of flowgraph techniques to the solution of reliability problems", J.
Kleinerman, G. Weiss, "On the reliability of networks", Proc. Electronics Conf. Convention Record, pt. Holtzman, Jr. Marshall, "A new method of communication between engineering and mathematician aids system reliability prediction", Proc. Dugan, S. Bavuso, M. Boyd, "Fault trees and Markov models for reliability analysis of fault tolerant systems", Rel. Gulati, J. Dugan, "A modular approach for analyzing static and dynamic fault trees", Proc. RAMS, Coudert, J.
RAMS, , pp. Doyle, J. Dugan, "Dependability assessment using binary decision diagrams", Proc. IEEE Int. Dutuit, A. Martz, R. Almond, "Using higher-level failure data in fault tree quantification", Rel. Anand, A. Somani, "Hierarchical analysis of fault trees with dependencies, using decomposition", Proc.
RAMS, Jan , pp. Manian, D. Coppit, K. Sullivan, J. Dugan, "Bridging the gap between systems and dynamic fault tree models", Proc. Griffin, "Introducing the fault tree as a tool for nuclear safety analysis", Trans. Nuclear Soc. Andrews, "The use of Not logic in fault tree analysis", Qual. Tsitmidelis, S. Zissimopoulos, M. Papazoglou, "Mathematical foundations of event trees", Rel. Dunnett, "Improving accuracy in event tree analysis", Proc.
Foresight and Precaution, Proc. Kolmogorov, "A number of target hits by several shots and general principles of effectiveness of gunfire", Proc. Moscow Inst. Frantik, "The determination application and limitations of circuit reliability equations", Sandia Corp.
SC TR , April Elsayed, A. Bodin, "Approximation of system reliability using a modular decomposition", Technometrics, vol. Keilson, A. Kooharian, "On time dependent queuing processes", Ann. Brender, M. Tainiter, "A Markovian model for predicting the reliability of an electronic circuit from data on component drift and failure", IRE Intl. Convention Record, , pt. Pogozhev, "Estimation of deviation of failure flow in multi-use equipment from Poisson process", Cybernetics in Service for Communism, vol.
Solov'yev, "Reliability and queueing theory: standby with rapid renewal," Eng. Cybernetics, no. Solov'vey, "Redundancy with fast repair", Eng. Ouhbi, N. Limnios, "Estimation of kernel, availability and reliability of semiMarkov systems", Proc.
Limnios, "Non-parametric estimation for semi-Markov processes based on its hazard rate", Stat. Fricks, K. Trivedi, "Importance analysis with Markov Chains", Proc. Lefebvre, "Using equivalent failure rates to assess the unavailability of an ageing system", Proc. Moore, C. Shannon, "Reliable circuits using less reliable relays", J.
I, pp. Gnedenko, "On duplication with renewal", Eng. Cybernetics, New York no. Of Tech. Pasadena, CA, Memo, Aug Mosteller, R. Rourke, G. Thomas, Jr. Waller, E. Fickas, "Bayesian reliability analysis of series systems of binomial subsystems and components", Technometrics, vol. Hulting, J. Robinson, "The reliability of a series system of repairable subsystems: a Bayesian approach", Naval Research Logistics, vol.
Kerscher III, J. Booker, T. Bement, M. AD, June Belyaev, T. Dugina, E. Chepurin, "Computation of lower confidence limit for the complex system reliability", Eng. Moskowitz, J. Gordon, "Optimum component redundancy for maximum system reliability", Operations Res.
Bellman and S. Dreyfus, "Dynamic programming and reliability of multicomponent devices", Operations Res. Black, F. Proschan, "On optimal redundancy", Operations Res. Hunter, F. Proschan, "Optimum redundancy when components are subject to two kinds of failure", J. Proschan, T. Bray, "Optimum redundancy under multiple constraints", Operations Res. Tillman, H. Ching-Lai, W. Portz, H. Lipp, "Topology of switching elements vs. Kaufmann, R. Kaufmann, "Predicting reliability", Machine Design, Aug , pp.
Cramer, U. Booker, M. Meyer, R. Marseguerra, E. Zio, M. Ammaturo, V. Fontana, "Predicting reliability via neural networks", Proc. An imperfect maintenance model with block replacements. Applied Stochastic Models and Data Analysis 3, 63— Inspection and maintenance policies of devices subject to deterioration. Advances in Applied Probability 10, — Advances in Applied Probability 27 (2), Modified block-replacement for multiple-component systems.
Feingold H. Marcel Dekker, New York. Assaf, D. Optimal group maintenance policies with continuous and periodic inspections. Management Science 33, — Optimal replacement under a minimal repair strategy — a general failure model. Advances in Applied Probability 15 (1), — Stochastic Models in Reliability, Applications of Mathematics, vol.
Stochastic properties of a sequence of interfailure times under minimal repair and under revival. In: Abdel-Hameed, M. Academic Press, Orlando, FL, pp. Optimum preventive maintenance policies. Operations Research 8, 90— Mathematical Theory of Reliability. Wiley, New York. Statistical Theory of Reliability and Life Testing.
A general preventive maintenance policy. Mathematische Operationsforschung und Statistik Series, Statistics 7, — A new approach to repair limit replacement policies. C, Prague, pp. A generalized block-replacement policy. Replacement policies based on system age and maintenance cost limits. Mathematische Operationsforschung und Statistik Series, Statistics 12 (4), — A replacement policy based on limits for the repair cost rate.
In this guide, learn how central governance can conquer complexity and bring more value to your team and your business.
Get the details here. Learn more here. Posted: 14 Apr Published: 14 Apr Explore the value of microservices in this guide. Posted: 13 Apr Published: 13 Apr Discover the key findings here. In this guide, explore new insights on how low-code is driving organizational success.
While DevOps is lifting some of the pressure off these transformations, businesses will need more. Learn how automation can help your DevOps and digital transformation initiatives alike in this guide. Posted: 12 Apr Published: 12 Apr In this case study, explore why organizations are turning to collaborative development environments that automate and speed up every stage of the software delivery lifecycle.
The UK's largest supercomputer has gone live in Cambridge — we find out how it will transform healthcare research. Read the issue now. Posted: 12 Jul Published: 13 Jul Our latest buyer's guide examines the trends in secure, agile app development. And we find out what you need to consider when buying a VPN.
Posted: 05 Jul Published: 06 Jul
In this paper, the authors provide background information on penetration testing processes and practices. In this paper, the authors detail the validation of a teaching model for security requirements engineering that ensures that security is built into software. In this paper, Robert Ellison surveys several profound technical problems faced by practitioners assembling and integrating secure and survivable systems.
In this paper, the authors present an overview of the Master of Software Assurance curriculum, including its history, student prerequisites, and outcomes. In this paper, Carol Woody summarizes recent key accomplishments, including harmonizing security practices with CMMI and using assurance cases. In this paper, the authors discuss the costs and benefits of incorporating security in software development and present formulas for calculating security costs and security benefits. In this paper, Jeremy Epstein examines what real vendors do to ensure that their products are reasonably secure.
In this paper, the authors describe the work of the Master of Software Assurance curriculum project, including sources, process, products, and more. In this paper, Noopur Davis presents information about processes, standards, and more that support or could support secure software development. In this white paper, Char Sample discusses whether cultural influences leave traces in computer network attack (CNA) choices and behaviors. In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.
In this paper, the authors describe software assurance challenges inherent in networked systems development and propose a solution. In this paper, Nancy Mead describes a tradeoff analysis that can select a suitable requirements prioritization method and the results of trying one method. In this paper, the authors explain an approach to documenting an assurance case for system security.
In this paper, Nancy Mead describes a tradeoff analysis that can be used to select a suitable requirements elicitation method. In this paper, Nancy Mead discusses how Common Criteria is evaluated and presents a standard that is related to developing security requirements. In this paper, the authors discuss how measurement can be applied to improve the security characteristics of the software being developed. In this paper, the authors describe how the presence of security faults correlates strongly with the presence of a more general category of reliability faults.
In this paper, Nancy Mead describes a measurement approach to security requirements engineering to analyze projects that were developed with and without SQUARE. In this paper, the authors discuss significant new sources of risk and recommend ways to address them. In this paper, Julia Allen discusses the role that risk management and risk assessment play in choosing which security practices to implement. In this paper, the authors describe practices that address defects and mechanisms for introducing these practices into the acquisition lifecycle.
In this paper, Dan Shoemaker presents the standard process for acquiring software products and services in business. In this paper, Julia Allen presents a summary of ten leading sources of security practice definition and implementation guidance. In this paper, Rita Creel identifies acquirer activities and resources necessary to support contractor efforts to build secure software-intensive systems.
In this paper, Ken van Wyk provides a primer on the most commonly used tools for traditional penetration testing. In this paper, the authors introduce the concept of standardized third-party certification of supplier process capability.
This report describes line-funded exploratory new starts (LENS) projects that were conducted during fiscal year October through September. In this report, George Silowash maps common attributes of insider threat cases to characteristics important for detecting, preventing, or mitigating the threat. System-of-systems (SoS) architectures based on common software platforms have been commercially successful, but progress on creating and adopting them has been slow.
This study aimed to understand technical issues for their development and adoption. In this paper, the authors present common topics, course materials, and resources related to the Software Assurance for Executives course held in June. This legal form was used in the Software Assurance for Executives course that was held in June. This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals.
In this paper, the authors discuss the results of comparing the Common Body of Knowledge for Secure Software Assurance with traditional computing disciplines. In this paper, Julia Allen identifies indicators that organizations are addressing security as a governance and management concern, at the enterprise level. In this paper, Julia Allen describes the key relationship between IT processes and security controls. In this paper, Dan Shoemaker describes existing professional certifications in information assurance and emerging certifications for secure software assurance.
In this paper, Julia Allen provides guidelines for answering this question, including means for determining adequate security based on risk. In this paper, the authors present IT valuation models that represent the most commonly accepted approaches to the valuation of IT and IT processes.
In this paper, Ken van Wyk provides background information on penetration testing processes and practices. In this paper, Nancy Mead provides a bibliography of sources related to requirements engineering. In this paper, the authors characterize the current state of secure software assurance work and suggest future directions. In this paper, Nancy Mead provides an overview of the Business Case content area. In this report, the authors provide a snapshot of individuals involved in insider threat cases and recommend how to mitigate the risk of similar incidents.
In this paper, the authors describe a software assurance competency model that can be used by professionals to improve their software assurance skills. In this paper, Samuel Redwine provides references related to modeling tools.
In this paper, Nancy Mead discusses the growing demand for skilled professionals who can build security and correct functionality into software. In this paper, Julia Allen provides references related to governance and management. In this paper, the authors describe three educational initiatives in support of software assurance education.
In this paper, Samuel Redwine introduces several concepts related to the Introduction to Modeling Tools for Software Security article and modeling in general. In this paper, the authors highlight the approach being implemented by SEI researchers for assessing and managing software supply-chain risks and provide a summary of the status of this work. In this paper, Julia Allen describes six "assets" or requirements of being in business that can be compromised by insufficient security investment.
In this paper, Julia Allen provides a list of references related to deployment and operations. In this paper, Julia Allen provides a brief overview of deployment and operations security issues and advice for using related practices. In this paper, the authors describe two efforts that support national cybersecurity education goals.
In this paper, the authors highlight efforts underway to address our society's growing dependence on software and the need for effective software assurance. In this paper, Howard Lipson introduces the concepts and benefits of developing and maintaining assurance cases for security.
In this paper, Dan Shoemaker presents a standard approach to increasing the security capability of a typical IT function. In this guide, the authors discuss our reliance on software and systems that use the internet or internet-exposed private networks. In this paper, Nancy Mead discusses elicitation methods and the kind of tradeoff analysis that can be done to select a suitable one. In this paper, Nancy Mead discusses using a systematic prioritization approach to prioritize security requirements.
In this paper, the authors introduce a novel method of optimizing using integer programming (IP). In this paper, Julia Allen defines the scope of governance concerns as they apply to security. This paper describes a proposal for integrating Verified Design by Contract into PSP in order to reduce the number of defects present at the Unit Testing phase, while preserving or improving productivity.
This technical note explores application virtualization as a more lightweight alternative to VM synthesis for cloudlet provisioning. This paper reviews the perils of insufficiently engaging key software domain experts during program development. This white paper presents an improvement strategy comprising four pillars of an integrate-then-build practice that lead to improved quality through early defect discovery and incremental end-to-end validation and verification.
In this paper, the authors describe how state-of-the-art multi-media technologies were used to develop the MERIT InterActive training simulator. In this report, the authors describe a model that helps create a foundation for assessing and advancing the capability of software assurance professionals. In this report, the authors present methods for detecting and preventing data exfiltration using a Linux-based proxy server in a Microsoft Windows environment.
In this report, the authors present results of the Malware Analysis Lexicon (MAL) initiative, which developed the first common vocabulary for malware analysis. In this report, the authors present methods for auditing USB device use in a Microsoft Windows environment.
This study, known as the Cyber Intelligence Tradecraft Project (CITP), seeks to advance the capabilities of organizations performing cyber intelligence by elaborating on best practices and prototyping solutions to shared challenges. In this report, the authors present methods for controlling removable media devices in a MS Windows environment. Examples cover diverse domains and show the kind of improvements you can achieve using a product line approach.
This document describes the activities and practices in which an organization must be competent before it can benefit from fielding a product line of software systems. In this paper, the authors examine 15 cases of insider threat sabotage of IT systems to identify points in the attack time-line. This report describes the data collection and analysis process used to support the assessment of project performance for the systems engineering (SE) effectiveness study.
In this report, the authors describe research aimed at helping organizations to know the business value of implementing resilience processes and practices. In this report, the authors define insider threats and outline current insider threat patterns and trends. The TSP Symposium was organized by the SoThe goal of the TSP Symposium is to bring together practitioners and academics who share a common passion to change the world of software engineering for the better through disciplined practice.
This paper discusses the natural tension between rapid fielding and response to change characterized as agility and DoD information assurance policy. Data for the paper was gathered through interviews with DoD project managers and IA representatives. This report discusses the reliability validation and improvement framework developed by the SEI. The purpose of this framework is to provide a foundation for addressing the challenges of qualifying increasingly software-reliant, safety-critical systems.
This report summarizes the results of a survey that had the goal of quantifying the connection between the application of systems engineering (SE) best practices to projects and programs and the performance of those projects and programs. Analysis revealed strong relationships between project performance and best practices. In this paper, the authors explain the history and evolution of and applications for maturity models. This article discusses the technical debt metaphor and considers it beyond a "rhetorical concept."
This report documents the program and outcomes of presentations and working groups from Dagstuhl Seminar , "Architecture-Driven Semantic Analysis of Embedded Systems." In this article, the authors focus on cases in which the malicious insider was employed by a trusted business partner of the victim organization. This report explores the role of standards in cloud-computing interoperability. It covers cloud-computing basics and standard-related efforts, discusses several use cases, and provides recommendations for cloud-computing adoption.
This technical note presents a strategy to overcome the challenges of obtaining sufficient computation power to run applications needed for warfighting and disaster relief missions. It discusses the use of cloudlets-- localized, stateless servers running one or more virtual machines--on which soldiers can offload resource-intensive computations from their handheld mobile devices. In this report, Allen Householder describes an algorithm for reverting bits from a fuzzed file to those found in the original seed file to recreate the crash.
When warfighting missions are conducted in a dynamic environment, the allocation of resources needed for mission operation can change from moment to moment. This report addresses two challenges of resource allocation in dynamic environments: overstatement of resource needs and unpredictable network availability.
In this report, the authors describe the Competency Lifecycle Roadmap (CLR), a preliminary roadmap for understanding and building workforce readiness. In this report, the authors describe three factors for helping or hindering the cooperation of incident responders. In this report, the authors present a framework for thinking about confidence in assurance case arguments. In this report, the authors describe an algorithm for automating the selection of seed files and other parameters used in black-box fuzz testing.
This report describes the line-funded exploratory new starts (LENS) projects that were undertaken during fiscal year. For each project, the report presents a brief description and a recounting of the research that was done, as well as a synopsis of the results of the project. In this report, the authors provide a step-by-step guide for profiling and discovering public-facing assets on a network using netflow data.
In this paper, the authors explain how cloud computing related insider threats are a serious concern, but that this threat has not been thoroughly explored. In this report, the authors describe insights and risk indicators of malicious insider activity in the banking and finance sector. In this report, the authors provide guidance for helping DoD acquisition programs address software security in acquisitions. This report uses a preliminary system dynamics model to analyze a specific adverse acquisition dynamic concerning the poorly controlled evolution of small prototype efforts into full-scale systems.
In this paper, the authors discuss the effects of the changing operational environment on the development of secure systems. In this paper, Samuel Redwine introduces security concepts and tools useful for modeling security properties. In this paper, the authors provide a bibliography of sources related to security.
This report presents the Virtual Upgrade Validation (VUV) method, an approach that uses architecture-centric, model-based analysis to identify system-level problems early in the upgrade process to complement established test qualification techniques. In this report, the authors present techniques for helping organizations plan, prepare, and implement means to mitigate insider theft of intellectual property. In this paper, the authors describe an approach for deriving measures of software security from well-established and commonly used standard practices.
In this report, David Fisher provides substance and explicit meaning to the terms trust and trustworthy as they relate to automated systems. In this paper, the authors describe an approach for deriving measures of software security from common standard practices for information security. In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.
In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain. This report contains a collection of presentations given at FloCon in January In this paper, Jonathan Spring models internet competition on large, decentralized networks using a modification of Lanchester's equations for combat.
In this paper, the authors demonstrate that there are name servers that exhibit IP address flux, a behavior that falls outside the prescribed parameters. In this paper, Rich Caralli discusses how using maturity models and characterizing security posture are activities with different intents, outcomes, and uses.
In this paper, the authors describe preliminary results of a study of how effective nine autonomous incident response organizations are. This report describes some of the challenges of software versioning in an SOA environment and provides guidance on how to meet these challenges by following industry guidelines and recommended practices. This report describes a proposed model through which to understand interoperability in the e-government context.
In this report, Christopher King provides a snapshot of who malicious insiders are, what and how they strike, and why. The information in this report is intended to help program managers reason about actions they may need to take to adapt and comply with the Section NDAA for and associated guidance. In this report, the authors describe work to develop standards for automated remediation of vulnerabilities and compliance issues on DoD networked systems.
In this report, the authors describe how implementation-level processes can provide context for identifying and defining measures of operational resilience. The method of quantifying uncertainty described in this report synthesizes scenario building, Bayesian Belief Network (BBN) modeling and Monte Carlo simulation into an estimation method that quantifies uncertainties, allows subjective inputs, visually depicts influential relationships among program change drivers and outputs, and assists with the explicit description and documentation underlying an estimate.
This research demonstrated the effectiveness of various statistical techniques for discovering quantitative data anomalies. This technical note addresses some of the key issues that either must be understood to ease the adoption of Agile or are seen as potential barriers to adoption of Agile in the DoD acquisition context. This technical note focuses on software acquisition and development practices related to the evaluation of products before, during, and after implementation.
In this report, the authors explain how CERT-RMM process areas, industry standards, and codes of practice are used by organizations in an operational setting. In this report, the authors present an insider threat pattern on how organizations can combat insider theft of intellectual property.
This document shows a matrix related to Smart Grid Maturity Model levels. This report summarizes the proceedings from the MESOA workshop and includes the accepted papers that were the basis for the presentations given during the workshop. In this report, the authors focus on community college courses for software assurance. This guidebook helps acquisition organizations formulate questions for their suppliers related to CMMI. It also helps organizations interpret responses to identify and evaluate risks for a given supplier.
The Smart Grid Maturity Model (SGMM) is a business tool that provides a framework for electric power utilities to help modernize their operations and practices for delivering electricity. In this paper, the authors describe the risks of being victims of theft, including becoming involved unknowingly in illegal activities over a networked device.
A short white paper that provides guidance on selecting the best CMMI model for process improvement. This report presents guidelines for architecting service-oriented systems and the effect of architectural principles on system quality attributes. In this report, the authors describe work to develop standards for vulnerability and compliance remediation on DoD networked systems.
This report describes standard noncommercial software licensing alternatives as defined by U. Government and DoD regulations. It suggests an approach for identifying agency needs for license rights and the license type for various systems. In this report, the Resilient Enterprise Management (REM) team suggests a set of top ten strategic measures for managing operational resilience.
In this paper, the authors describe the development of a secure coding module that shows how to capture content, ensure learning, and scale to meet demand. In this paper, Jonathan Spring presents a set of recommended restrictions and audits to facilitate cloud security. In this report, the authors describe general observations about and a preliminary system dynamics model of insider crime based on our empirical data.
In this paper, the authors discuss confidence in system and SoS behavior and how theories can be used to make the assurance process more effective. This paper describes an analysis of some of the challenges facing one portion of the Electrical Smart Grid in the United States: residential Demand Response (DR) systems.
In this paper, the authors describe a pattern in the amount of time it takes for that domain to be actively resolved on the Internet. The goal of SEI research is to create best practices for architecture and design of systems that take advantage of the cloud, leading to greater system quality from both a consumer and provider perspective.
In this paper, the authors describe a Security Information and Event Management signature for detecting possible malicious insider activity. SEI research will enable the Navy to develop service-oriented systems that address information dominance priority requirements.
In this report, an update to its counterpart, the authors provide insight that interested organizations and governments can use to develop a national incident management capability. Acquisition practices for the project level that help you get started with CMMI for Acquisition practices without using the whole model. In this report, the authors provide sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum.
Learn how to deliver software-reliant products faster and explore ways to use software architecture more effectively. Learn how to look into the initial steps suggested for delivering software-reliant products faster. This report explores the interdependencies among common language, business goals, and software architecture as the basis for a common framework for conducting evaluations of software technical solutions. In this report, the authors provide an overview of techniques used by malicious insiders to steal intellectual property.
This report describes results of independent research and development (IRAD) projects undertaken in fiscal year In this report, Matthew Heckathorn models the approach an attacker would take and provides detection or prevention methods to counter that approach. In this report, the authors present research to compute the behavior of software with mathematical precision and how this research has been implemented. These papers were presented at FloCon, where participants discussed dark space, web servers, spam, and the susceptibility of DNS servers to cache poisoning.
In this report, Michael Hanley demonstrates how a method for modeling insider crimes can create candidate technical controls and indicators. This report describes the AIM which helps an organization to implement high-performance, high-quality CMMI practices much more quickly than industry norms. In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices. In this report, the authors present a taxonomy of operational cyber security risks and its harmonization with other risk and security activities.
The network infrastructure for users such as emergency responders or warfighters is wireless, ad hoc, mobile, and lacking in sufficient bandwidth. This report documents the results from 18 experiments to investigate Adaptive Quality of Service, an approach to enable applications to fulfill their missions despite tactical network infrastructure limitations. ACE methods and the TSP provide an iterative approach for delivering high quality systems on time and within budget.
This report synthesizes presentations, discussions, and outcomes from the "Beyond Technology Readiness Levels for Software" workshop from August This report describes a model commonly used for developing and maintaining a competent cybersecurity workforce, explains some operational limitations associated with that model, and presents a new approach to cybersecurity workforce development.
This report summarizes a workshop on the analysis and evaluation of enterprise architectures that was held at the SEI in April of This paper presents the results of a series of experiments targeted at analyzing the performance impact of adding WS-Security, a common security standard used in IdM frameworks, to SOAP-based web services. Best practices in the model focus on activities for initiating and managing the acquisition of products and services to meet the needs of customers and end users.
This report explores the value of enhancing typical strategic planning techniques with the CSF method and scenario planning. This paper outlines a research agenda in bridging to the economic theory of mechanism design, which seeks to align incentives in multi-agent systems with private information and conflicting goals.
This paper seeks to help organizations understand cloud computing essentials, including drivers for and barriers to adoption, in support of making decisions about adopting the approach. The goal of the paper is to establish a baseline of terms for service-oriented systems. The purpose of this report is to examine a set of claims about cloud computing adoption.
The purpose of this report is to present an informal survey of technologies that are, or are likely to become, important for software-reliant systems of systems in response to current computing trends. In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF). In this report, the authors discuss how security requirements engineering can incorporate reusable requirements.
In this report, the authors begin a dialogue and establish a foundation for measuring and analyzing operational resilience. This report documents ideas and recommendations for improving the overall acquisition process and presents the actions taken by project managers in several programs to develop, staff, and obtain approval for their systems.
This report describes key elements in systems thinking, provides an introduction to general systems archetypes, and applies these concepts to the software acquisition domain. This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems. A set of measures was determined that allow analyses This report discusses the application of a set of measures to a data set of 41 TSP projects from an organization to identify their strengths and weaknesses.
Some basics of software product line practice, the challenges that make product line acquisition unique, and three basic acquisition strategies are all part of this white paper. In this paper, the authors describe issues encountered in designing and implementing YAF. In this paper, Rhiannon Weaver describes a population study of malware files under the CTLC framework and presents a simulation study as well as future work.
In this report, the authors present a master of software assurance curriculum that educational institutions can use to create a degree program or track. In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.
In this report, the authors describe seven courses for an undergraduate curriculum specialization for software assurance. In this report, the authors describe the SEI Assurance Modeling Framework, piloting to prove its value, and insights gained from that piloting. In this report, the authors present COVERT, an automated framework for finding buffer overflows in C programs using software verification tools and techniques. In this paper, Nancy Mead describes how a systematic approach to security requirements engineering helps to avoid problems.
In this report, the authors explore how the SQUARE process can be adapted for privacy requirements engineering in software development. This report describes a series of ongoing research efforts that investigate the role of interdependence in the acquisition of major defense acquisition programs. In this paper, Phil Groce describes the Rayon visualization toolkit, developed to augment network analytic information and improve analytic operations. In this paper, Ed Stoner describes techniques for detecting certain types of malicious traffic.
In this report, the authors provide insight that interested organizations and governments can use to develop a national incident management capability. In this report, the authors describe the Survivability Analysis Framework, which is used to evaluate critical operational capabilities. This report synthesizes presentations and discussions from a workshop to discuss product line practices and operational accomplishments. This report describes results from two recent surveys conducted by the Software Engineering Institute (SEI) to collect information about the measurement and analysis activities of software systems development organizations.
This paper explains a formal overload-resilience metric called ductility. In this paper, delivered at the 7th Acquisition Research Symposium, Grady Campbell argues that a new approach to acquisition is needed that recognizes that hiding uncertainty is detrimental to success. This paper describes the characteristics of edge systems and the edge organizations in which these systems operate, and makes initial recommendations about how such systems and organizations can be created to serve the needs of users at the edge.
This report highlights the mutual benefits of combining systematic reuse approaches from product line development with flexible approaches for implementing business processes in a service oriented architecture. In this report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.
The purpose of this report is to facilitate better elicitation of high-pedigree quality attribute requirements. Toward this end, we want to be able to elicit business goals reliably and understand how those business goals influence quality attribute requirements and architectures. This report describes how AADL supports an instantiation of a reference architecture, addresses architectural themes, and provides a foundation for the analysis of performance elements and system assurance concerns.
In this report, Rhiannon Weaver describes a method for identifying network behavior that may be a sign of coming internet-wide attacks. In this report, the authors describe a managed string library for the C programming language. This report explores the questions: Can Agile be used in the DoD environment? If so, how? In this report, the authors present the as-if infinitely ranged (AIR) integer model, a mechanism for eliminating integral exceptional conditions. This report examines how data rights issues were addressed in the TSAT program.
It also reviews concerns posed by the use of commercial software in the TSAT program's Space Segment, and data rights concerns for software incorporated in the GPS program. This report focuses on both qualitative and quantitative ways of determining the current state of SWP software performance in terms of both test coverage and confidence for SOA-based SoS environments. This paper, extracted from the CERT Research Report, describes planned research tasks in the field of software security. This paper, extracted from the CERT Research Report, describes planned research tasks in the field of cyber assurance.
In this paper, the authors discuss how system engineers are uncertain about how to determine the impact of software on overall system. This report describes the agenda of an SEI-led group that was formed to explore the business, engineering, and operations aspects of service-oriented architecture. This report makes 65 recommendations for improving testing in service-oriented environments. It covers testing functionality and testing for interoperability, security, performance, and reliability qualities.
In this report, Carol Sledge identifies challenges and successful approaches to achieving system of systems (SoS) interoperability. In this paper, Vincenzo Iozzo describes how to effectively fuzz with no knowledge of the user-input and the binary. In this paper, Rhiannon Weaver estimates the number of active machines per hour infected with the Conficker-C worm using a probability model.
In this paper, the authors present the as-if infinitely ranged (AIR) integer model, which provides a mechanism for eliminating integral exceptional conditions. In this report, the authors focus on cases in which the insider was employed by a trusted business partner of the victim organization.
This technical note identifies and describes the characteristics that have been used in various definitions of the term system of systems. When problems are detected in programs, everyone needs to listen and work together towards a solution. Shooting the messenger only delays the process, and hurts program morale. In this paper, Peter Feiler describes the AADL, an industry standard for modeling and analyzing the architecture of software-reliant systems. This report summarizes the results from the second and third high maturity measurement and analysis workshops.
The report examines the application of the life-cycle architecture milestone to the software and computing elements of the former Future Combat Systems program. In this paper, the authors propose the use of secure coding standards in the development of software for surface combatants and submarines. This plan is a government-provided customizable document that is part of the acquisition's government reference library. This technical note proposes a structured approach for reviewing architecture documentation that is centered on the documentation's stakeholders and engages them in a guided manner so as to ensure that the documentation will be ultimately useful to them.
This report presents the criteria used during a MAID evaluation that serve as a checklist to rate the quality of an organization's measurement and analysis practices and the quality of the measurement information that results from the implementation of those practices. This white paper explores the idea that subway maps provide a good, common example of architecture documentation and that they might be instructive about good software architecture documentation.
This white paper describes SEI investigation into ways to provide justified confidence that a system of systems will behave as needed in its actual and evolving usage environments. This paper provides a framework for evaluating a system from several perspectives for a comprehensive picture of progress and quality.
This report describes the fundamental concepts of process performance models (PPMs) and describes how they can be created using data generated by projects following the TSP. This report introduces key concepts of the SAVI paradigm and discusses the series of development scenarios used in a POC demonstration to illustrate the feasibility of improving the quality of software-intensive aircraft systems.
The software community has been slow to use data to measure software quality. This paper discusses the reasons for this problem and describes a way to use process measurements to assess product quality. When time and budget are tight, it's tempting to follow the "happy path" in testing.
But be careful: it may be a path that brings your program great unhappiness. This April whitepaper focuses on the problems of underspending, which can result in funds being shifted from one acquisition program to another. This report examines the reasons why some programs fail and studies the factors that lead to program success. This special report provides a bibliography of books, articles, and other literature concerning the PSP and TSP methodologies.
In this report, the authors explore how to enable manufacturers and federal regulators to gain confidence in software-dominated medical devices. This report describes the data model as an architectural style in an effort to help architects apply this style to create data model architectural views. In this report, the authors describe a set of general solutions to software security problems that can be applied in many different situations.
This paper summarizes the comparison performed between the CMMI and the regulations and standards that drive software intensive medical device product development. This report contains a series of observations and their associated lessons learned from a large, multi-segment, software-intensive system.
This guidebook defines the structure and format of the mentor and provisional coach relationship, and explains the process steps and evaluation criteria for becoming an SEI-Certified TSP Coach or Mentor Coach. The Personal Software Process (PSP) body of knowledge (BOK) provides guidance to software professionals who are interested in using proven-effective, disciplined methods to improve their personal software development process.
This report describes a technique for formulating the production strategy of a production system. Tactics are fundamental elements of software architecture that an architect employs to meet a system's quality requirements. This report describes an updated set of tactics that enable the architect to build availability into a system. In this paper, the authors describe general observations about, and a preliminary system dynamics model of, insider crime based on our empirical data.
One of the most intractable problems in software is getting engineers to consistently use effective methods. The Software Engineering Institute has worked on this problem for a number of years and has developed effective methods for addressing it. In this paper, the authors describe the purpose of Communications: to develop, deploy, and manage communications to support resiliency activities and processes. This technical note provides guidance on how to contractually incorporate architecture evaluations in an acquisition.
This report describes a collaboration between the SEI and Ericsson Research and Development to build a business case using high maturity measurement approaches that require limited measurement effort. The findings suggest that Q Methodology may prove helpful in isolating many of the non-technical latent cost factors associated with system integration and interoperability.
In this report, the authors focus on employees, contractors, and business partners who stole intellectual property to benefit a foreign entity. This paper provides an introduction to the CSA approach, provides behavioral requirements for security attributes, and discusses possible application of the CSA approach.
This report summarizes the findings of a study conducted for the Army to find and describe software measurement practices that are being used successfully. Organizations can make the available SOA governance frameworks more effective in their organizations using the scenario-based tailoring technique introduced in this technical note.
Bachmann et al. present their work on a design assistant called ArchE that provides third-party researchers with an infrastructure to integrate their own quality-attribute models. The report defines and communicates software engineering and management events necessary to support the successful acquisition of software-intensive systems. In this paper, the authors present an example to show the value a dependability case adds to a traditional hazard analysis.
The paper discusses risk detection and mitigation metrics and design check lists for real time and embedded systems. This paper discusses the application of assurance cases as a means of building confidence that the software design of a complex system of systems will actually meet the operational objectives set forth in the project's top-level requirements. Planning for a long development period doesn't always solve acquisition scheduling problems. Sometimes it makes them worse.
This April whitepaper is one in a short series of acquisition failures. This paper focuses on the problems of underspending, which can result in funds being shifted from one program to another. In this report, the authors provide advice for those making a business case for building software assurance into software products during software development.
This report summarizes a June architecture competence workshop where practitioners discussed key issues in assessing architecture competence in organizations. This report features a systemic approach for managing risk that takes into account the complex nature of distributed environments. This report is a synthesis of the presentations and discussions that took place during the U. Army Software Product Line Workshop. When projects attempt to please too many customers, complexity mounts, schedules slip, costs expand In this report, the authors focus on insider threat cases in which the insider had relationships with the internet underground community.
This report confirms that various architectural genres enjoy more commonalities than differences. Each one has its own important knowledge base, and openness among the various architectural tasks within an organization is growing in importance. This report communicates status, progress, lessons learned, and next steps for the Mexican TSP Initiative.
In this report, the authors describe the value of multi-view decision making, a set of practices that reflect the realities of complex development efforts. This report contains results from a survey of high maturity organizations conducted by the Software Engineering Institute (SEI) in The questions center on the use of process performance modeling in those organizations and the value added by that use. A model of best practices to improve the processes of service providers.
The Arcade Game Maker product line is an example product line created to support learning about and experimenting with software product lines in the classroom. In this paper, the authors present findings from examining insider crimes in a new way and add new practices that were not present in the second edition. An acquisition strategy is of great importance to those organizations that primarily acquire rather than develop.
In this report, the authors compare various approaches and tools used to capture and analyze evidence from computer memory. This paper presents a measurement-based approach that produces both a WCET (Worst Case Execution Time) estimate and a prediction of the probability that a future execution time will exceed a given estimate. In this report, the authors focus on persons who use programming techniques to commit malicious acts against their organizations.
This survey quantifies the relationship between the application of Systems Engineering (SE) best practices to projects and programs, and the performance of those projects and programs. This report describes the independent research and development (IRAD) projects that were conducted during fiscal year October through September This report outlines a workshop, in which leaders discussed high maturity practices and how to sustain momentum for improvement.
This report describes common errors in measurement and analysis and the need for a criterion-based assessment method that will allow organizations to evaluate key characteristics of their measurement programs. The report guides organizations that are starting a CMMI for development implementation and deciding to use the continuous representation.
The report offers guidance for how to decide what process areas to implement first. In this paper, the authors provide a bibliography of sources related to software engineering. In this paper, the authors describe one of the many potential topic areas involving the integration of business applications into a supporting IT security infrastructure.
In this paper, Jeff Janies introduces the existence plot as a visualization and discusses its use in gaining insight into a host's behavior. From the Acquisition Support Program, one in a series of short papers on acquisition patterns of failure. Acquisition Archetype: Underbidding the Contract.
Applying more pressure on staff can temporarily increase productivity, but burnout soon sets in. This technical note presents an investigation of the Business Process Execution Language, a popular BPM technology used to describe, analyze, execute, and monitor business processes. This report surveys the state of practice in service level agreement specification and offers guidelines on how to assure that services are provided with high availability, security, performance, and other required qualities.
Requirements documents, test procedures, and problem and change reports from a U. Army Software Engineering Center (SEC) were analyzed to identify, clarify, and begin categorizing recurring patterns of issues raised throughout the product life cycle. This paper describes the emerging technology of function extraction (FX).
In this document, the authors preview a core set of activities and outputs that define a MAAP assessment. This document contains defined software project performance measures and influence factors that can be used by software development projects so that valid comparisons can be made between completed projects.
Software Engineering Institute. Technical Papers The SEI Digital Library houses thousands of technical papers and other documents, ranging from SEI Technical Reports on groundbreaking research to conference proceedings, survey results, and source code. Householder Jonathan Spring This report discusses performance indicators that stakeholders in Coordinated Vulnerability Disclosure (CVD) can use to measure its effectiveness.
Podnar Geoffrey B. Dobson Dustin D. Updyke This report details the design considerations and execution plan for building high-fidelity, realistic virtual cyber ranges that deliver maximum training and exercise value for cyberwarfare participants. Householder Eric Hatleback This paper presents version 2.
Novak This paper reports on a high-level survey of a set of both actual and potential acquisition and policy implications of the use of Artificial Intelligence (AI) and Machine Learning (ML) technologies. Alberts Carol Woody, PhD This report examines the concept of threat archetypes and how analysts can use them during scenario development. Kambic Andrew P. Moore David Tobar The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.
Emerging Technologies Six Areas of Opportunity December White Paper This study seeks to understand what the software engineering community perceives to be key emerging technologies. Maintainability December Technical Report Rick Kazman Philip Bianco James Ivers This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for maintainability. Snoke Timothy J.
Householder Jeff Chrabaszcz Govini Trent Novelly This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible. Ellison This paper offers system defenders an overview of how threat modeling can provide a systematic way to identify potential threats and prioritize mitigations. Integrability February Technical Report Rick Kazman Philip Bianco James Ivers This report summarizes how to systematically analyze a software architecture with respect to a quality attribute requirement for integrability.
Householder Dan J. Klinedinst A penetration test serves as a lagging indicator of a network security operations problem. AI Engineering: 11 Foundational Practices September White Paper This initial set of recommendations can help organizations that are beginning to build, acquire, and integrate artificial intelligence capabilities into business and mission systems.
Machine Learning in Cybersecurity: A Guide September Technical Report Jonathan Spring Joshua Fallon April Galyardt This report suggests seven key questions that managers and decision makers should ask about machine learning tools to effectively use those tools to solve cybersecurity problems. Elias U. Department of Veteran Affairs This report, updated in October , examines the changes to risks, threats, and vulnerabilities when applications are deployed to cloud services.
Moore Allen D. That's a shame. It's time well spent. Thinking the testing team is responsible for assuring quality. Thinking that the purpose of testing is to find bugs. Not finding the important bugs.
Not reporting usability problems. No focus on an estimate of quality and on the quality of that estimate. Reporting bug data without putting it into context. Starting testing too late (bug detection, not bug reduction).
A testing effort biased toward functional testing. Underemphasizing configuration testing. Putting stress and load testing off to the last minute. Not testing the documentation. Not testing installation procedures. An overreliance on beta testing. Finishing one testing task before moving on to the next. Failing to correctly identify risky areas.
Sticking stubbornly to the test plan. Using testing as a transitional job for new programmers. Recruiting testers from the ranks of failed programmers. Testers are not domain experts. Not seeking candidates from the customer service staff or technical writing staff. Insisting that testers be able to program. A testing team that lacks diversity.
A physical separation between developers and testers. Believing that programmers can't test their own code. Programmers are neither trained nor motivated to test. Paying more attention to running tests than to designing them. Unreviewed test designs. Being too specific about test inputs and procedures.
Not noticing and exploring "irrelevant" oddities. Checking that the product does what it's supposed to do, but not that it doesn't do what it isn't supposed to do. Test suites that are understandable only by their owners. Testing only through the user-visible interface. Poor bug reporting. Adding only regression tests when bugs are found. Failing to take notes for the next testing effort. Attempting to automate all tests.
Expecting to rerun manual tests. Expecting regression tests to find a high proportion of new bugs. Embracing code coverage with the devotion that only simple numbers can inspire. Removing tests from a regression test suite just because they don't add coverage. Using coverage as a performance goal for testers. Abandoning coverage entirely. A good tester will always try to reduce the repro steps to the minimal steps to reproduce; this is extremely helpful for the programmer who has to find the bug.
Remember that the only person who can close a bug is the person who opened it in the first place. Anyone can resolve it, but only the person who saw the bug can really be sure that what they saw is fixed. There are many ways to resolve a bug. FogBUGZ allows you to resolve a bug as fixed, won't fix, postponed, not repro, duplicate, or by design.
Not Repro means that nobody could ever reproduce the bug. Programmers often use this when the bug report is missing the repro steps. You'll want to keep careful track of versions. Every build of the software that you give to testers should have a build ID number so that the poor tester doesn't have to retest the bug on a version of the software where it wasn't even supposed to be fixed.
If you're a programmer, and you're having trouble getting testers to use the bug database, just don't accept bug reports by any other method. If your testers are used to sending you email with bug reports, just bounce the emails back to them with a brief message: "please put this in the bug database. I can't keep track of emails." If you're a programmer, and only some of your colleagues use the bug database, just start assigning them bugs in the database.
Eventually they'll get the hint. If you're a manager, and nobody seems to be using the bug database that you installed at great expense, start assigning new features to people using bugs. A bug database is also a great "unimplemented feature" database, too. Avoid the temptation to add new fields to the bug database.
Every month or so, somebody will come up with a great idea for a new field to put in the database. It's very important not to give in to these ideas. If you do, your new bug entry screen will end up with a thousand fields that you need to supply, and nobody will want to input bug reports any more.