As a part of an ongoing effort to maintain you knowledgeable about our newest work, this weblog submit summarizes some current publications from the SEI within the areas of giant language fashions for cybersecurity, software program engineering and acquisition with generative AI, zero belief, giant language fashions in nationwide safety, capability-based planning, provide chain threat administration, generative AI in software program engineering and acquisition, and quantum computing.

These publications spotlight the most recent work of SEI technologists in these areas. This submit features a itemizing of every publication, creator(s), and hyperlinks the place they are often accessed on the SEI web site.

Concerns for Evaluating Massive Language Fashions for Cybersecurity Duties
by Jeff Gennari, Shing-hon Lau, Samuel J. Perl, Joel Parish (OpenAI), and Girish Sastry (OpenAI)

Generative synthetic intelligence (AI) and huge language fashions (LLMs) have taken the world by storm. The flexibility of LLMs to carry out duties seemingly on par with people has led to fast adoption in a wide range of completely different domains, together with cybersecurity. Nonetheless, warning is required when utilizing LLMs in a cybersecurity context as a result of impactful penalties and detailed particularities. Present approaches to LLM analysis are likely to deal with factual data versus utilized, sensible duties. However cybersecurity duties usually require extra than simply factual recall to finish. Human efficiency on cybersecurity duties is commonly assessed partly on their potential to use ideas to reasonable conditions and adapt to altering circumstances. This paper contends the identical method is critical to precisely consider the capabilities and dangers of utilizing LLMs for cybersecurity duties. To allow the creation of higher evaluations, we determine key standards to think about when designing LLM cybersecurity assessments. These standards are additional refined right into a set of suggestions for the way to assess LLM efficiency on cybersecurity duties. The suggestions embody correctly scoping duties, designing duties primarily based on real-world cybersecurity phenomena, minimizing spurious outcomes, and making certain outcomes should not misinterpreted.
Learn the white paper.

The Way forward for Software program Engineering and Acquisition with Generative AI
by Douglas Schmidt (Vanderbilt College), Anita Carleton, James Ivers, Ipek Ozkaya, John E. Robert, and Shen Zhang

We stand at a pivotal second in software program engineering, with synthetic intelligence (AI) taking part in a vital position in driving approaches poised to reinforce software program acquisition, evaluation, verification, and automation. Whereas generative AI instruments initially sparked pleasure for his or her potential to cut back errors, scale adjustments effortlessly, and drive innovation, considerations have emerged. These considerations embody safety dangers, unexpected failures, and problems with belief. Empirical analysis on generative AI improvement assistants reveals that productiveness and high quality features rely not solely on the sophistication of instruments but in addition on job stream redesign and knowledgeable judgment.

On this webcast, SEI researchers discover the way forward for software program engineering and acquisition utilizing generative AI applied sciences. They study present functions, envision future prospects, determine analysis gaps, and talk about the vital talent units that software program engineers and stakeholders must successfully and responsibly harness generative AI’s potential. Fostering a deeper understanding of AI’s position in software program engineering and acquisition accentuates its potential and mitigates its dangers.

The webcast covers

• the way to determine appropriate use circumstances when beginning out with generative AI know-how
• the sensible functions of generative AI in software program engineering and acquisition
• how builders and resolution makers can harness generative AI know-how

View the webcast.

Zero Belief Trade Days 2024 Situation: Secluded Semiconductors, Inc.
by Rhonda Brown

Every accepted presenter on the SEI Zero Belief Trade Days 2024 occasion develops and proposes an answer for this situation: An organization is working a chip manufacturing facility on an island the place there could also be lack of connectivity and cloud companies for brief or prolonged intervals of time. There are various concerns when addressing the challenges of a zero belief implementation, together with various views and philosophies. This occasion gives a deep examination of how resolution suppliers and different organizations interpret and handle the challenges of implementing zero belief. Utilizing a situation locations boundaries on the zero belief house to yield richer discussions.

This yr’s occasion focuses on the Industrial Web of Issues (IIoT), legacy methods, sensible cities, and cloud-hosted companies in a producing setting.
Learn the white paper.

Utilizing Massive Language Fashions within the Nationwide Safety Realm
By Shannon Gallagher

On the request of the White Home, the Workplace of the Director of Nationwide Intelligence (ODNI) started exploring use circumstances for big language fashions (LLMs) throughout the Intelligence Group (IC). As a part of this effort, ODNI sponsored the Mayflower Challenge at Carnegie Mellon College’s Software program Engineering Institute from Could 2023 via September 2023. The Mayflower Challenge tried to reply the next questions:

• How would possibly the IC arrange a baseline, stand-alone LLM?
• How would possibly the IC customise LLMs for particular intelligence use circumstances?
• How would possibly the IC consider the trustworthiness of LLMs throughout use circumstances?

On this SEI Podcast, Shannon Gallagher, AI engineering staff lead, and Rachel Dzombak, former particular advisor to the director of the SEI’s AI Division, talk about the findings and suggestions from the Mayflower Challenge and supply extra background details about LLMs and the way they are often engineered for nationwide safety use circumstances.
Hear/View the SEI Podcast.

Navigating Functionality-Primarily based Planning: The Advantages, Challenges, and Implementation Necessities
By Anandi Hira and William Nichols

Functionality-based planning (CBP) defines a framework that has an all-encompassing view of current skills and future wants for strategically deciding what is required and the way to successfully obtain it. Each enterprise and authorities acquisition domains use CBP for monetary success or to design a well-balanced protection system. The definitions understandably range throughout these domains. This paper endeavors to consolidate these definitions to supply a complete view of CBP, its potential, and sensible implementation of its ideas.
Learn the white paper.

Ask Us Something: Provide Chain Danger Administration
By Brett Tucker and Matthew J. Butkovic

In accordance with the Verizon Information Breach Report, Log4j-related exploits have occurred much less regularly over the previous yr. Nonetheless, this Frequent Vulnerabilities and Exposures (CVE) flaw was initially documented in 2021. The risk nonetheless exists regardless of elevated consciousness. Over the previous few years, the Software program Engineering Institute has developed steerage and practices to assist organizations cut back threats to U.S. provide chains. On this webcast, Brett Tucker and Matthew Butkovic, reply enterprise threat administration questions to assist organizations obtain operational resilience within the cyber provide chain. The webcast covers

• enterprise threat governance and the way to assess group’s threat urge for food and coverage because it pertains to and integrates cyber dangers into a world threat portfolio
• regulatory directives on third-party threat
• the agenda and subjects to be lined within the upcoming CERT Cyber Provide Chain Danger Administration Symposium in February

View the webcast.

The Measurement Challenges in Software program Assurance and Provide Chain Danger Administration
by Nancy R. Mead, Carol Woody, and Scott Hissam

On this paper, the authors talk about the metrics wanted to foretell cybersecurity in open supply software program and the way requirements are wanted to make it simpler to use these metrics within the provide chain. The authors present examples of doubtless helpful metrics and underscore the necessity for knowledge assortment and evaluation to validate the metrics. They assert that defining metrics, gathering and analyzing knowledge as an instance their utility, and utilizing commonplace strategies requires unbiased collaborative work to realize the specified outcomes.
Learn the white paper.

The Cybersecurity of Quantum Computing: 6 Areas of Analysis

By Tom Scanlon

Analysis and improvement of quantum computer systems continues to develop at a fast tempo. The U.S. authorities alone spent greater than $800 million on quantum data science analysis in 2022. Thomas Scanlon, who leads the info science group within the SEI CERT Division, was not too long ago invited to be a participant within the Workshop on Cybersecurity of Quantum Computing, co-sponsored by the Nationwide Science Basis (NSF) and the White Home Workplace of Science and Expertise Coverage, to look at the rising discipline of cybersecurity for quantum computing. On this SEI podcast, Scanlon discusses the way to create the self-discipline of cyber safety of quantum computing and descriptions six areas of future analysis in quantum cybersecurity.

Take heed to/view the podcast.