The Development of a Graduate Curriculum for Software Assurance

Mark Ardis, Stevens Institute of TechnologyNancy Mead, Software Engineering Institute

Acknowledgments (1/2) We thank the Department of Homeland

Security (DHS) National Cyber Security Division (NCSD) for their support

We thank our curriculum co-authors: Julia H. Allen, Software Engineering Institute Thomas B. Hilburn, Embry-Riddle Aeronautical

University Andrew J. Kornecki, Embry-Riddle Aeronautical

University Richard Linger, Software Engineering Institute James McDonald, Monmouth University

2

Acknowledgments (2/2) Some of these slides are from Jeff Williams of

OWASP

3

Outline

4

1. Motivation2. Sources3. Process4. Core Body of Knowledge5. Curriculum Architecture6. Course Outlines and Syllabi7. Outreach and Future Plans

Motivation "The business of security for government

agencies is growing by an enviable 9 percent a year"--- NYTimes August 4, 2011

5

What if the software world was only…

100 apps written by 100 developers at 100 companies

Sources for MSwA Recommendations GSwE2009 – Graduate Software Engineering Other Curricula

MSE 1989 – Original Graduate Software Engineering

SE 2004 – Undergraduate Software Engineering CE 2004 – Undergraduate Computer Engineering CS 2010 – Undergraduate Computer Science

SWEBOK – Software Engineering Body of Knowledge

Textbook by Allen, Mead et al. Build Security In (BSI) Website

10

Process

11

Core Body of Knowledge 3-level outline of topics Associated student outcome expectations in

terms of Bloom's Taxonomy Top Level:

1. Assurance Across Life Cycles2. Risk Management3. Assurance Assessment4. Assurance Management5. System Security Assurance6. System Functionality Assurance7. System Operational Assurance

12

Curriculum Architecture

13

MSwE with SwA Specialization

Information Sciences with SwA Specialization

15

Course Outlines and Syllabi Course Syllabi:

Assurance Management System Operational

Assurance Assured Software

Analytics Assured Software

Development 1 Assured Software

Development 2 Assured Software

Development 3 Assurance Assessment System Security

Assurance

Course Outlines Undergraduate

courses 4 software assurance

courses 1 capstone project

course Community College

courses 3 foundation CS

courses 3 security courses

16

Getting Started with MSwA Courses Implementation options:

add 1-2 courses that supplement an existing program (e.g., Master of Software Engineering, Master of Information Systems)

build on strengths of faculty and supplement existing courses

build on local industry needs take advantage of resources

mentoring offered by SwA curriculum team other artifacts (e.g., MSwA course outlines, master bibliography)

consider starting with a course that does not require prerequisites within the program, such as Assured Software Development 1 or System Operational Assurance

add 1-2 courses each year to build up to a complete MSwA or specialization within another degree program

Resources http://www.cert.org/mswa/

MSwA Reference Curriculum document undergraduate course outlines MSwA course outlines and syllabi 2-Year college course outlines master bibliography curriculum overview seminar VTE workshop from CSEET 2010

Contact Information

Nancy R. Mead, Ph.D.

Senior Technical StaffCERT® ProgramSoftware Engineering InstituteCarnegie Mellon UniversityEmail: nrm@sei.cmu.edu

U.S. mail:

Software Engineering InstituteCustomer Relations4500 Fifth AvenuePittsburgh, PA 15213-2612USA

Mark A. Ardis

Distinguished Service ProfessorSchool of Systems and EnterprisesStevens Institute of TechnologyEmail: mark.ardis@stevens.eduWWW: personal.stevens.edu/~mardis

U.S. mail:

Stevens Institute of TechnologyCastle Point on HudsonHoboken, NJ 07030USA