Nancy Mead

Dr. Nancy R. Mead

is a Fellow of the Software Engineering Institute (SEI), and an Adjunct Professor of Software Engineering at Carnegie Mellon University. Her research areas are security requirements engineering and software assurance curricula. The Nancy Mead Award for Excellence in Software Engineering Education is named for her.

Prior to joining the SEI, Mead was a senior technical staff member at IBM Federal Systems, where she spent most of her career in the development and management of large real-time systems. She also worked in IBM's software engineering technology area and managed IBM Federal Systems' software engineering education department. She has developed and taught numerous courses on software engineering topics, both at universities and in professional education courses.

Mead has more than 150 publications and invited presentations. She is a Life Fellow of the IEEE, a Distinguished Member of the ACM, and was named the 2015 Distinguished Educator by IEEE TCSE. Dr. Mead received her PhD in mathematics from the Polytechnic Institute of New York.

Email: nrmead@ieee.org

DVP term expires December 2023

Presentations

Threat Modeling Research and Machine Learning

This talk will focus on recent threat modeling research as it relates to machine learning. After briefly revisiting our prior threat modeling research, new results from a 2018 student project on machine learning will be discussed. In this project, students assessed the robustness of machine learning models against adversarial examples. Recently, we have been considering the use of machine learning to identify attacker types in specific domains. So, on the one hand, we examined whether machine learning models are vulnerable to attack, and on the other hand, whether machine learning can help to identify attacker types.

Using Malware Analysis to Identify Overlooked Security Requirements (MORE)

Despite the reported attacks on critical systems, operational techniques such as malware analysis are not used to inform early lifecycle activities, such as security requirements engineering. In our CERT research, it was thought that malware analysis reports (found in databases such as Rapid 7), could be used to identify misuse cases that pointed towards overlooked security requirements. If such requirements could be identified, they could be incorporated into future systems that were similar to those that were successfully attacked. A process was defined, and then a CMU project was sponsored to develop a tool. The hope was that the malware report databases were amenable to automated processing, and that they would point to flaws such as those documented in the CWE and CAPEC databases. It turned out to not be so simple. This talk will describe our initial research results, and the research remaining to be done in both the requirements and architecture areas.

Lessons Learned from Industry/Government/Academic Collaborations in Educating Secure Software Developers

This talk focuses on the challenges and successes of trying to introduce secure software development educational materials into higher education curricula. Curriculum topics were originally selected from standard Software Assurance and the NIST NICE “Securely Provision” areas. Recently we have also focused on the CyBOK (Cyber Body of Knowledge) and identified relevant case studies for classroom use. Our experience reflects the challenges of student preparation, making space for the topics in standard curricula, and faculty with the needed background and resources to teach the material. Through collaboration, success can be achieved in this important area.