
Summit on Education in Secure Software: Summary Findings

Summit on Education in Secure Software: Summary Findings. Matt Bishop, University of California, Davis Diana Burley, George Washington University Steve Cooper, Stanford University Ron Dodge, United States Military Academy Blair Taylor, Towson University


Presentation Transcript


  1. Summit on Education in Secure Software: Summary Findings
  Matt Bishop, University of California, Davis
  Diana Burley, George Washington University
  Steve Cooper, Stanford University
  Ron Dodge, United States Military Academy
  Blair Taylor, Towson University
  This project is supported by the National Science Foundation under grant DUE-1039564. Any opinions, findings, conclusions, or recommendations expressed are those of the authors and do not necessarily reflect the views of the National Science Foundation.
  SIGCSE 2012

  2. SESS Motivation
  • Increasing reliance on software
    • Drives financial, medical, government, and critical infrastructure systems such as transportation, energy, networking, and telecommunications
  • Increased connectivity
  • Number and severity of attacks that exploit software vulnerabilities is increasing
  • Writing reliable, robust, and secure programs will substantially improve the ability of systems and infrastructure to resist such attacks
  • Education plays a critical role in addressing cybersecurity challenges of the future
    • Designing curricula that integrate principles and practices of secure programming into educational programs
  Supported through National Science Foundation Award #1039564

  3. SESS Structure and Participants
  • Two-part conference
    • Teleconference, September 2010
    • Meeting, October 2010
  • Participants
    • 60 invited participants representing stakeholder groups: academic, industry, government, certification and training

  4. Importance of robust coding
  • The breadth of people who will affect, or be affected by, software requires an understanding of robust software principles and practices
  • The most appropriate method for teaching this material, and more importantly what resources are necessary to teach it, has not been well explored
  • Multiple constituency groups have a role to play

  5. SESS Objectives
  • To engage cybersecurity stakeholders from academia, government, industry, and certification and training groups in a discussion about teaching secure programming
  • To use that discussion as the basis of a collaborative effort to improve existing approaches
  • To outline a comprehensive agenda for secure software education

  6. The Roadmaps (and potholes)
  • Roadmap structure
    • Educational goals
    • Teaching methods
    • Resource requirements
    • Challenges
  • The Groups
    • Computer science professionals
    • Non-computer science professionals
    • Computer science undergraduate students
    • Non-computer science undergraduate students
    • Community college students
    • K-12 students

  7. Summary Findings
  • Understanding security, especially during design, requires a holistic approach
  • Understanding and being able to identify common and emerging attack vectors is a critical component of security
  • Well-tested principles and frameworks of software development can inhibit attacks
    • All frameworks have weaknesses and subtleties
    • Part of secure programming is using strategic approaches to overcome these weaknesses
  • Users of tools that aid in secure programming must know how to use those tools and understand their limitations

  8. Recommendations
  • Increase the number of faculty who understand the importance of secure programming principles
  • Provide faculty support for the inclusion of security content
  • Establish professional development opportunities for faculty/educators
  • Integrate computer security content into existing technical and non-technical courses
  • Require at least one computer security course for all college students

  9. Recommendations
  • Encourage partnerships and collaborative curriculum development that leverage industry/government
  • Promote collaborative problem solving and solution sharing across organizational boundaries
  • Use innovative teaching methods to strengthen the foundation of computer security knowledge
  • Develop metrics to assess progress toward meeting the educational goals
  • Highlight the role that computer security professionals should play in key business decision-making processes

  10. ITiCSE Working Group 2009
  • Stephen Cooper, Christine Nickell, Victor Piotrowski, Brenda Oldfield, Ali Abdallah, Matt Bishop, Bill Caelli, Melissa Dark, E. K. Hawthorne, Lance Hoffman, Lance C. Pérez, Charles Pfleeger, Richard Raines, Corey Schou, and Joel Brynielsson. 2010. An exploration of the current state of information assurance education. SIGCSE Bull. 41, 4 (January 2010), 109-125.

  11. ITiCSE Working Group 2010
  • Stephen Cooper, Christine Nickell, Lance C. Pérez, Brenda Oldfield, Joel Brynielsson, Asım Gencer Gökce, Elizabeth K. Hawthorne, Karl J. Klee, Andrea Lawrence, and Susanne Wetzel. 2010. Towards information assurance (IA) curricular guidelines. In Proceedings of the 2010 ITiCSE working group reports (ITiCSE-WGR '10), Alison Clear and Lori Russell Dag (Eds.). ACM, New York, NY, USA, 49-64.
  • Defining the space of Information Security education
  • Exploring what constitutes undergraduate secure coding education

  12. ITiCSE WG 2010 (continued)
  • Identifying student learning outcomes and levels of mastery
  • Secure coding topics
    • Data protection
    • Input/Output vulnerabilities
    • Runtime vulnerabilities
    • Communication vulnerabilities
    • Reuse

  13. ITiCSE Working Group 2011
  • Lance C. Pérez, Stephen Cooper, Elizabeth K. Hawthorne, Susanne Wetzel, Joel Brynielsson, Asim Gencer Gökce, John Impagliazzo, Youry Khmelevsky, Karl Klee, Margaret Leary, Amelia Philips, Norbert Pohlmann, Blair Taylor, and Shambhu Upadhyaya. 2011. Information assurance education in two- and four-year institutions. In Proceedings of the 16th annual conference reports on Innovation and technology in computer science education - working group reports (ITiCSE-WGR '11), Liz Adams and Justin Joseph Jurgens (Eds.). ACM, New York, NY, USA, 39-53.

  14. One last slide
  • #1022557 Building a serious game to teach secure coding in introductory programming
  • http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=1022557 (NSF – 1022557)

  15. Other
  • CS2013
  • http://ai.stanford.edu/users/sahami/CS2013/strawman-draft/cs2013-strawman.pdf

  16. Conclusion
  • Structural enablers
    • Cultural shift among industry stakeholders
    • Identification of measurable objectives and corresponding measurement methods
    • Development of national licensure programs
    • Cultural shift among faculty
    • Alignment of expectations for university education and realistic constraints in the system
  • Resources
    • Security Injections @ Towson: www.towson.edu/securityinjections (DUE-0817267)
    • SEED at Syracuse: http://www.cis.syr.edu/~wedu/seed/index.html (DUE-0618680)
    • https://buildsecurityin.us-cert.gov/bsi/home.html
    • http://nob.cs.ucdavis.edu/secure-exer

  17. Questions/Contact Information
  • Questions?
  • For additional information or copies of the report:
    • Diana Burley – dburley@gwu.edu
    • Matt Bishop – bishop@cs.ucdavis.edu
  “A paradigm shift that adjusts the current emphasis from ‘students as customers’ to ‘society as customers’ will support holistic and comprehensive curricular reform.” (Burley & Bishop, 2011)
