In this article, we discuss the development and transition of the Software Engineering Institute’s (SEI’s) Software Assurance Curriculum. The Master of Software Assurance Reference Curriculum, developed under U.S. Department of Homeland Security (DHS) sponsorship, was endorsed by the Association for Computing Machinery (ACM) and IEEE Computer Society. Additional curriculum recommendations were made at the undergraduate and community college levels. Subsequently, a transition effort was undertaken that included more than 20 papers, keynote talks, and presentations. The Securely Provision section of the National Initiative for Cybersecurity Education (NICE) curriculum is based on the software assurance (SwA) curriculum work that preceded it. Transition of the SwA Curriculum also included faculty workshops, a LinkedIn group, transition to graduate programs, and course development. The SEI maintains a website on the SwA Curriculum Project that includes all of the documentation, donated course materials, and courses developed in-house. An important partnership between the SEI, the Central Illinois Center of Excellence for Secure Software (CICESS), and Illinois Central College (ICC) resulted in the creation of a two-year degree program in Secure Software Development. That program incorporated an apprenticeship model and the SEI’s software assurance curriculum recommendations at the community college level. Subsequently, a one-semester course on assured software development at the master’s level was modified and repurposed for delivery to the Space and Naval Warfare Systems Command, San Diego (SPAWAR SD). The SPAWAR SD audience included trainers and developers. In the future, we hope to continue our transition efforts with additional collaborations and course development.
The Need for SwA Education
Although software is ubiquitous in modern systems, the complexity of software and software-intensive systems poses inherent risk. This complexity, along with our reliance on these systems, suggests that attackers need to take down only the most vulnerable component to have far-reaching and damaging effects on the larger system. In this environment, attackers no longer need to possess technical sophistication. Due to the growing supply of shared attack strategies, an unsophisticated attacker can easily acquire and launch a sophisticated attack.
On the bright side, in recent years considerable research has been done to explore ways of developing assured software that is resistant to attack and capable of recovering from one. However, much of that research has not made its way into software engineering practice, nor is it routinely taught at our universities.
To address this disconnect between research, education, and the practical development of assured software, the U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) enlisted the Carnegie Mellon Software Engineering Institute (SEI) to develop a curriculum for a Master of Software Assurance degree program and to define transition strategies for future implementation. The curriculum development team that was assembled included a mix of SEI staff members and university faculty, with editorial and administrative support provided by the SEI. The development team members, collectively, had a considerable background in software assurance research, software engineering research and practice, and software engineering education.
As noted in our curriculum report, the need for a master’s level program in this discipline has been growing for years [Mead 2010a]:
- A study by the nonpartisan Partnership for Public Service points out, “The pipeline of new talent [with the skills to ensure the security of software systems] is inadequate. . . . only 40 percent of CIOs [chief information officers], CISOs [chief information security officers] and IT [information technology] hiring managers are satisfied or very satisfied with the quality of applicants applying for federal cybersecurity jobs, and only 30 percent are satisfied or very satisfied with the number of qualified candidates who are applying” [PPP 2009].
- The need for cybersecurity education was emphasized in the New York Times when Dr. Nasir Memon, a professor at the Polytechnic Institute of New York University, was quoted as saying, “There is a huge demand, and a lot more schools have created programs, but to be honest, we’re still not producing enough students” [Drew 2009].
- In discussions with industry and government representatives, we have found that the need for more capacity in cybersecurity continues to grow. Anecdotal feedback from the development team members’ own students indicates that even a single course with a cybersecurity focus enhances their positioning in the job market. They felt that they were given job offers they would not have received otherwise.