
Grace Lewis Outlines Vision for IEEE Computer Society Presidency

SEI Podcasts

Release Date: 03/11/2025

Goal-Line Defense: A Tool to Discover and Mitigate UEFI Vulnerabilities

As recently as December 2025, the Carnegie Mellon University Software Engineering Institute’s (SEI’s) CERT Coordination Center (CERT/CC) documented a UEFI-related vulnerability in certain motherboard models, illustrating that early-boot firmware behavior continues to present security challenges despite requiring local physical access to exploit. While CERT/CC reported seven UEFI vulnerabilities in 2025, that number remains small compared to reported vulnerabilities in other software. However, the consequences of a potential UEFI attack are often more serious...

Leadership, Legacy, and the Power of Mentors: Insights from Dr. Paul Nielsen

In February 2026, Paul Nielsen announced that he will transition out of his role as director and chief executive officer of the Software Engineering Institute (SEI) at Carnegie Mellon University. During Nielsen’s tenure, the SEI has marked major institutional milestones that underscore its enduring role in strengthening the security, resilience, and reliability of the nation’s software- and AI-intensive systems. The institute recently celebrated 40 years of innovation and saw its contract renewed, which paved the way for CMU to operate the SEI for another five years. In our latest SEI...

With a Little Help from Our Civilian Friends: Cybersecurity Reserve Is Both Feasible and Advisable

Cybersecurity staffing shortages are a major concern in the government given the increasingly sophisticated cyber attacks on the nation’s critical infrastructure. In the FY2023 National Defense Authorization Act (NDAA), Congress tasked the Pentagon with finding flexible options to address cyber staffing needs. The Pentagon commissioned the SEI to conduct an independent study to assess the feasibility and advisability of creating a civilian cybersecurity reserve (CCR) that could harness cyber expertise from the private sector to mobilize a mission-ready workforce capable of operating in...

Maturing AI Adoption: From Chaos to Consistency

While Stanford University found that AI investments, optimism, and accessibility are rising, a recent MIT report suggests that 95 percent of organizations are realizing no returns on their generative AI investments. Research from Accenture found that only 8 percent of companies are scaling AI at an enterprise level and embedding the technology into core business strategy to maximize value. Mismatched expectations, misaligned applications, and poorly executed or untested implementation practices—not the technology itself—often keep organizations from realizing immediate value from an...

Temporal Memory Safety in C and C++: An AI-Enhanced Pointer Ownership Model

In October 2025, CyberPress  a critical security vulnerability in the Redis Server, an open-source in-memory database that allowed authenticated attackers to achieve remote code execution through a  flaw in the Lua scripting engine. In 2024, another prominent temporal memory safety flaw was found in the Netfilter subsystem in the Linux kernel: . Bugs related to temporal memory safety, such as use-after-free and double-free vulnerabilities, are challenging issues in C and C++ code. In this podcast from the Carnegie Mellon University Software Engineering Institute...

AI for the Warfighter: Acquisition Challenges and Guidance

On November 7, the Department of War released an acquisition transformation strategy that seeks to remove bureaucratic hurdles and streamline acquisition processes to enable even more rapid adoption of technologies, including artificial intelligence. Getting AI into the hands of warfighters requires disciplined AI Engineering. In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Smith, lead of human-centered research in the SEI’s AI Division, and Brigid O’Hearn, the SEI’s lead of software modernization policy for the Department of War, sit down with...

Visibility Through the Clouds with Network Flow Logs

Organizations, including the U.S. military, are increasingly adopting cloud deployments for their flexibility and cost savings. The shared security model utilized by cloud service providers removes some of the adopting organization's responsibility for system administration and security. But it leaves them on the hook for monitoring hosted applications and resources. Cloud flow logs are a valuable source of data for supporting these security responsibilities and attaining situational awareness. The SEI has a long history of supporting flow log collection and analysis, including tools for...

Orchestrating the Chaos: Protecting Wireless Networks from Cyber Attacks

From early 2022 through late 2024, a group of threat actors publicly known as APT28 exploited known vulnerabilities, such as CVE-2022-38028, to remotely and wirelessly access sensitive information from a targeted company network. This attack did not require any hardware to be placed in the vicinity of the targeted company’s network as the attackers were able to execute remotely from thousands of miles away. With the ubiquity of Wi-Fi, cellular networks, and Internet of Things (IoT) devices, the attack surface of communications-related vulnerabilities that can compromise data is extremely...

From Data to Performance: Understanding and Improving Your AI Model

Modern data analytic methods and tools—including artificial intelligence (AI) and machine learning (ML) classifiers—are revolutionizing prediction capabilities and automation through their capacity to analyze and classify data. To produce such results, these methods depend on correlations. However, an overreliance on correlations can lead to prediction bias and reduced confidence in AI outputs. Drift in data and concept, evolving edge cases, and emerging phenomena can undermine the correlations that AI classifiers rely on. As the U.S. government increases its use of AI...

What Could Possibly Go Wrong? Safety Analysis for AI Systems

How can you ever know whether an LLM is safe to use? Even self-hosted LLM systems are vulnerable to adversarial prompts left on the internet and waiting to be found by system search engines. These attacks and others exploit the complexity of even seemingly secure AI systems. In our latest podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Schulker and Matthew Walsh, both senior data scientists in the SEI’s CERT Division, sit down with Thomas Scanlon, lead of the CERT Data Science Technical Program, to discuss their work on System Theoretic...


Grace Lewis, a principal researcher at the Carnegie Mellon University Software Engineering Institute (SEI) and lead of the SEI’s Tactical and AI-Enabled Systems Initiative, was elected the 2026 president of the IEEE Computer Society (CS), the largest community of computer scientists and engineers, with more than 370,000 members around the world. In this SEI podcast, Lewis sits down with Ipek Ozkaya, technical director of Engineering Intelligent Software Systems, to discuss her vision and plans for the IEEE CS presidency.