Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Infusing Software Assurance (SwA) into Introductory Computer Science Curricula

Published: May 28, 2012 | Last revised: May 14, 2013

Author(s): Elizabeth K. Hawthorne
SDLC Life Cycles: Cross-Cutting
Copyright: Copyright © Carnegie Mellon University 2005-2012.

Abstract

According to the Software Assurance Curriculum Project Volume IV: Community College Education report, “nearly every facet of modern society depends heavily on highly complex software systems. The business, energy, transportation, education, communication, government, and defense communities rely on software to function, and software is an intrinsic part of our personal lives. Software assurance is an important discipline to ensure that software systems and services function dependably and are secure” [1]. To move toward assured and dependable software in modern society, the ACM Committee for Computing Education in Community Colleges (CCECC) partnered with the SEI to produce the Software Assurance Curriculum Project Volume IV: Community College Education technical report [1]. This report, sponsored by the U.S. Department of Homeland Security (DHS) National Security Division (NCSD), includes a review of related curricula suitable to community colleges, outcomes and a body of knowledge, expected academic backgrounds of target audiences, and outlines of six undergraduate courses.

Introduction

According to the American Association for Community Colleges, the mission of the community college sector is diverse: preparing students for transfer into four-year institutions, helping working adults prepare for new careers, and offering noncredit programs that offer a range of knowledge and skills [2]. The target audience for the six courses outlined in Software Assurance Curriculum Project Volume IV is two-fold: 1) students planning to transfer into some type of baccalaureate degree program in computing and 2) students with prior undergraduate technical degrees who wish to become more specialized in software assurance.

The CCECC provided the content of the introductory Computer Science I-II-III course sequence [3] derived from the ACM/IEEE-CS CS2008 Interim Report [4] and augmented with software assurance topics. The CCECC also developed assessment rubrics [3] for these three introductory computer science courses, which are also included in the report. The report was informed by three years (2009, 2010, and 2011) of working group reports from the annual ACM conference on Innovation and Technology in Computer Science Education (ITiCSE) [5, 6, 7]. Recommendations from the 2010 Summit on Education in Secure Software (SESS), sponsored by the National Science Foundation, were influential as well, in particular Recommendation 4, “Integrate computer security content into existing technical (e.g., programming) and non-technical (e.g., English) courses to reach students across disciplines” [8].

In developing the first volume [9] of this four-part curricular series, the term software assurance (SwA) was defined and carried through all volumes as the “Application of technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures” [9]. The emphasis here is on the concomitant consequences of both technologies and processes.

Curricula Overview

An appropriate selection of courses for a specialty or concentration in Software Assurance (SwA) is recommended in this report as Computer Science I, II, and III, and more specialized courses such as Introduction to Computer Security, Secure Coding, and Introduction to Assured Software Engineering. These more specialized courses are not intended to be an exhaustive list of possibilities, but rather a set of courses that could reasonably be taken by students wishing to pursue further education in software assurance. Community colleges could easily offer a certificate program in SwA complementary to typical associate degrees in computer science, information systems, and information technology. This certificate option is part of the CCECC’s curriculum, assessment, and pedagogy online repository at www.capspace.org. Brief descriptions of the six community college courses outlined in Software Assurance Curriculum Project Volume IV are as follows [1]:

Computer Science I

This course is the first in a three-course sequence that provides students with a foundation in computer science. Using a high-level programming language, students develop fundamental programming skills, including secure coding awareness, human-computer interactions, and social responsibility.

Computer Science II

This course is the second in a three-course sequence that provides students with a foundation in computer science. Using a high-level programming language, students develop intermediate programming skills with an emphasis on algorithms, software development, and secure coding techniques, and gain an appreciation for ethical conduct.

Computer Science III

This course is the third in a three-course sequence that provides students with a foundation in computer science. Using a high-level programming language, students continue to develop programming skills, focusing on data structures, algorithmic analysis, and software engineering and software assurance principles, with an emphasis on professionalism.

Introduction to Computer Security

This course provides an overview of the fundamentals of computer security. Topics include security standards, policies, and best practices; principles, mechanisms, and implementation of computer security and data protection; security policy, encryption, and authentication; access control and integrity models and mechanisms; network security; secure systems; programming and vulnerabilities analysis; principles of ethical and professional behavior; regulatory compliance and legal issues; information assurance; risk management and threat assessment; business continuity and disaster recovery planning; and security across the life cycle.

Secure Coding

This course covers security vulnerabilities of programming in weakly typed languages like C and in more modern languages like Java. Common weaknesses exploited by attackers are discussed, as well as mitigation strategies to prevent those weaknesses. Students practice programming and analysis of software systems through testing and static analysis. Topics covered include methods for preventing unauthorized access or manipulation of data, input validation and user authentication, memory management issues related to overflow and corruption, misuse of strings and pointers, and inter-process communication vulnerabilities.

Introduction to Assured Software Engineering

This course covers the basic principles and concepts of assured software engineering; system requirements; secure programming in the large; modeling and testing; object-oriented analysis and design using the unified modeling language (UML); design patterns; frameworks and application programming interfaces (APIs); client-server architecture; user interface technology; and the analysis, design and programming of extensible software systems.

Suggested Options

Below are two possible sequencing options for the six courses given the suggested prerequisite structure. Other options are also possible to meet local program needs.

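Term 1              | Term 2     | Term 3                            | Term 4
--------------------|------------|-----------------------------------|-----------------------------
CS I                | CS II      | CS III                            | Secure Coding
Discrete Structures | Calculus I | Introduction to Computer Security | Assured Software Engineering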

Table 1: Option 1 for Typical Course Sequencing

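Term 1              | Term 2                            | Term 3                       | Term 4
--------------------|-----------------------------------|------------------------------|--------------
CS I                | CS II                             | CS III                       | Secure Coding
Discrete Structures | Calculus I                        | Assured Software Engineering |
                    | Introduction to Computer Security |                              |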

Table 2: Option 2 for Typical Course Sequencing

The Computer Science I–II–III course sequence, typical at community colleges as well as smaller four-year colleges, is the equivalent of the Computer Science I–II course sequence at other four-year colleges and universities. The depth of coverage of the topics in each course varies, as does the associated level of Bloom’s Taxonomy. In many areas, students need to be able to discuss and describe the topics, but in other areas they must be able to apply the techniques learned in the course to actual software projects.

As part of the outreach efforts, a well-attended birds-of-a-feather roundtable discussion was held at the 2012 SIGCSE conference in Raleigh, NC. All four volumes of the curriculum project [1, 9, 10, 11] were disseminated at this roundtable. “Security Injections,” developed by Towson University with funding by the National Science Foundation, surfaced as part of the discussion. For several years, Towson University has been developing checklist-based security injection modules for introductory computer science courses, with the goal of increasing students’ security awareness and ability to apply secure coding principles [12].

References

[1] Mead, Nancy R.; Hawthorne, Elizabeth K.; & Ardis, Mark. Software Assurance Curriculum Project Volume IV: Community College Education (CMU/SEI-2011-TR-017). Software Engineering Institute, Carnegie Mellon University, 2011. http://www.sei.cmu.edu/library/abstracts/reports/11tr017.cfm

[2] American Association of Community Colleges (AACC). Students at Community Colleges. http://www.aacc.nche.edu/AboutCC/Trends/Pages/studentsatcommunitycolleges.aspx (2011).

[3] Association for Computing Machinery (ACM). Computing Curricula 2009: Guidelines for Associate-Degree Transfer Curriculum in Computer Science. ACM and IEEE Computer Society, 2009. http://www.acmccecc.org/committee/CommitteeFileUploads/2009ComputerScienceTransferGuidelines.pdf

[4] Association for Computing Machinery & IEEE Computer Society. Computer Science Curriculum 2008: An Interim Revision of CS2001. ACM and IEEE Computer Society, 2008. http://www.acm.org/education/curricula/ComputerScience2008.pdf.

[5] Cooper, Stephen; Nickell, Christine; Piotrowski, Victor; Oldfield, Brenda; Abdallah, Ali; Bishop, Matt; Caelli, Bill; Dark, Melissa; Hawthorne, Elizabeth K.; Hoffman, Lance; Pérez, Lance C.; Pfleeger, Charles; Raines, Richard; Schou, Corey; & Brynielsson, Joel. “An exploration of the current state of information assurance education.” ACM SIGCSE Bulletin, Volume 41 Issue 4, (1999): 109-125. DOI: 10.1145/1709424.1709457.

[6] Cooper, Stephen; Nickell, Christine; Pérez, Lance C.; Oldfield, Brenda; Brynielsson, Joel; Gencer Gökce, Asim; Hawthorne, Elizabeth K.; Klee, Karl J.; Lawrence, Andrea; & Wetzel, Susanne. “Towards information assurance (IA) curricular guidelines.” ACM ITiCSE-WGR '10: Proceedings of the 15th annual conference reports on Innovation and technology in computer science education. 2010. DOI: 10.1145/1971681.1971686.

[7] Pérez, Lance C.; Cooper, Stephen; Hawthorne, Elizabeth K.; Wetzel, Susanne; Brynielsson, Joel; Gencer Gökce, Asim; Impagliazzo, John; Khmelevsky, Youry; Klee, Karl J.; Leary, Margaret; Philips, Amelia; Pohlmann, Norbert; Taylor, Blair; & Upadhyaya, Shambhu. “Information assurance education in two- and four-year institutions.” ACM ITiCSE-WGR '11: Proceedings of the 16th annual conference reports on Innovation and technology in computer science education. 2011. DOI: 10.1145/2078856.2078860.

[8] Taylor, B.; Bishop, M.; Burley, D.; Cooper, S.; Dodge, R.; & Seacord, R. “Teaching Secure Coding – Report from Summit on Education in Secure Software.” ACM SIGCSE’12: Proceedings of the 43rd ACM technical symposium on Computer Science Education. 2012. DOI: 10.1145/2157136.2157304.

[9] Mead, Nancy R.; Allen, Julia H.; Ardis, Mark; Hilburn, Thomas B.; Kornecki, Andrew J.; Linger, Rick; & McDonald, James. Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum (CMU/SEI-2010-TR-005). Software Engineering Institute, Carnegie Mellon University, 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tr005.cfm

[10] Mead, Nancy R.; Hilburn, Thomas B.; & Linger, Rick. Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines (CMU/SEI-2010-TR-019). Software Engineering Institute, Carnegie Mellon University, 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tr019.cfm

[11] Mead, Nancy R.; Allen, Julia H.; Ardis, Mark; Hilburn, Thomas B.; Kornecki, Andrew J.; & Linger, Rick. Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi (CMU/SEI-2011-TR-013). Software Engineering Institute, Carnegie Mellon University, 2011. http://www.sei.cmu.edu/library/abstracts/reports/11tr013.cfm

[12] Taylor, B. & Kaza, S. “Security Injections: Modules to Help Students Remember, Understand, and Apply Secure Coding Techniques.” ACM ITiCSE-WGR '11: Proceedings of the 16th annual conference reports on Innovation and technology in computer science education. 2011. DOI: 10.1145/1999747.1999752.
