
The Development of a Graduate Curriculum for Software Assurance

The Development of a Graduate Curriculum for Software Assurance. Mark Ardis, Stevens Institute of Technology; Nancy Mead, Software Engineering Institute. Acknowledgments (1/2). We thank the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) for their support


Presentation Transcript


  1. The Development of a Graduate Curriculum for Software Assurance. Mark Ardis, Stevens Institute of Technology; Nancy Mead, Software Engineering Institute

  2. Acknowledgments (1/2)
     • We thank the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) for their support
     • We thank our curriculum co-authors:
       • Julia H. Allen, Software Engineering Institute
       • Thomas B. Hilburn, Embry-Riddle Aeronautical University
       • Andrew J. Kornecki, Embry-Riddle Aeronautical University
       • Richard Linger, Software Engineering Institute
       • James McDonald, Monmouth University

  3. Acknowledgments (2/2) • Some of these slides are from Jeff Williams of OWASP

  4. Outline
     • Motivation
     • Sources
     • Process
     • Core Body of Knowledge
     • Curriculum Architecture
     • Course Outlines and Syllabi
     • Outreach and Future Plans

  5. Motivation • "The business of security for government agencies is growing by an enviable 9 percent a year" --- NYTimes August 4, 2011

  6. What if the software world was only… 100 apps written by 100 developers at 100 companies

  7. 83 apps have a serious vulnerability

  8. 100 apps contain code of unknown origin

  9. 90 apps use unpatched libraries with known flaws

  10. Sources for MSwA Recommendations
     • GSwE2009 – Graduate Software Engineering
     • Other Curricula
     • MSE 1989 – Original Graduate Software Engineering
     • SE 2004 – Undergraduate Software Engineering
     • CE 2004 – Undergraduate Computer Engineering
     • CS 2010 – Undergraduate Computer Science
     • SWEBOK – Software Engineering Body of Knowledge
     • Textbook by Allen, Mead et al.
     • Build Security In (BSI) Website

  11. Process

  12. Core Body of Knowledge
     • 3-level outline of topics
     • Associated student outcome expectations in terms of Bloom's Taxonomy
     • Top Level:
       • Assurance Across Life Cycles
       • Risk Management
       • Assurance Assessment
       • Assurance Management
       • System Security Assurance
       • System Functionality Assurance
       • System Operational Assurance

  13. Curriculum Architecture

  14. MSwE with SwA Specialization

  15. Information Sciences with SwA Specialization?

  16. Course Outlines and Syllabi
     • Course Syllabi:
       • Assurance Management
       • System Operational Assurance
       • Assured Software Analytics
       • Assured Software Development 1
       • Assured Software Development 2
       • Assured Software Development 3
       • Assurance Assessment
       • System Security Assurance
     • Course Outlines
       • Undergraduate courses
         • 4 software assurance courses
         • 1 capstone project course
       • Community College courses
         • 3 foundation CS courses
         • 3 security courses

  17. Getting Started with MSwA Courses
     • Implementation options:
       • add 1-2 courses that supplement an existing program (e.g., Master of Software Engineering, Master of Information Systems)
       • build on strengths of faculty and supplement existing courses
       • build on local industry needs
       • take advantage of resources
         • mentoring offered by SwA curriculum team
         • other artifacts (e.g., MSwA course outlines, master bibliography)
       • consider starting with a course that does not require prerequisites within the program, such as Assured Software Development 1 or System Operational Assurance
       • add 1-2 courses each year to build up to a complete MSwA or specialization within another degree program

  18. Resources
     • http://www.cert.org/mswa/
     • MSwA Reference Curriculum document
     • undergraduate course outlines
     • MSwA course outlines and syllabi
     • 2-Year college course outlines
     • master bibliography
     • curriculum overview seminar
     • VTE workshop from CSEET 2010

  19. Contact Information
