Development and Transition of the SEI Software Assurance Curriculum

https://www.sei.cmu.edu/about/divisions/software-solutions-division/
https://www.sei.cmu.edu/about/divisions/software-solutions-division/

Posted: July 13, 2017 | By: Dr. Carol C. Woody, Nancy R. Mead

Another aspect of the need for cybersecurity education occurs in educational institutions. Based on our collective experience in software engineering education, we know it can be very difficult to start a new program or track from scratch, and we want to assist organizations and faculty members who wish to undertake such an endeavor. Our objective is to support their needs, while recognizing that there are many implementation strategies.

Recognizing that software assurance is not exactly the same as software engineering or information security, one of our first tasks was to review existing definitions of software assurance.

We evolved from a definition that was in wide use [CNSS 2009] to one that we thought was a better fit for the curriculum work: “Software assurance (SwA) is the application of technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures” [Mead 2010a].

This definition emphasizes the importance of both technologies and processes in software assurance, notes that computing capabilities may be acquired through services as well as new development, acknowledges the need for correct functionality, recognizes that security capabilities must be appropriate to the threat environment, and identifies recovery from intrusions and failures as an important capability for organizational continuity and survival.

While information security is important, academic programs in information security typically focus on system administrator activities for operational systems, whereas our focus was on systems under development. Software engineering provides ample excellent foundational material, and all the curriculum development team members have a software engineering background. However, we recognized that the development of assured software needs to go beyond good software engineering practice, and indeed the resulting curriculum reflects this.

Want to find out more about this topic?

Request a FREE Technical Inquiry!