According to the Software Assurance Curriculum Project Volume IV: Community College Education report, “nearly every facet of modern society depends heavily on highly complex software systems. The business, energy, transportation, education, communication, government, and defense communities rely on software to function, and software is an intrinsic part of our personal lives. Software assurance is an important discipline to ensure that software systems and services function dependably and are secure” . To move toward assured and dependable software in modern society, the ACM Committee for Computing Education in Community Colleges (CCECC) partnered with the SEI to produce the Software Assurance Curriculum Project Volume IV: Community College Education technical report . This report, sponsored by the U.S. Department of Homeland Security (DHS) National Security Division (NCSD), includes a review of related curricula suitable to community colleges, outcomes and a body of knowledge, expected academic backgrounds of target audiences, and outlines of six undergraduate courses.
According to the American Association for Community Colleges, the mission of the community college sector is diverse: preparing students for transfer into four-year institutions, helping working adults prepare for new careers, and offering noncredit programs that offer a range of knowledge and skills . The target audience for the six courses outlined in Software Assurance Curriculum Project Volume IV is two-fold: 1) students planning to transfer into some type of baccalaureate degree program in computing and 2) students with prior undergraduate technical degrees who wish to become more specialized in software assurance.
The CCECC provided the content of the introductory Computer Science I-II-III course sequence  derived from the ACM/IEEE-CS CS2008 Interim Report  and augmented with software assurance topics. The CCECC also developed assessment rubrics  for these three introductory computer science courses, which are also included in the report. The report was informed by three years (2009, 2010, and 2011) of working group reports from the annual ACM conference on Innovation and Technology in Computer Science Education (ITiCSE) [5, 6, 7]. Recommendations from the 2010 Summit on Education in Secure Software (SESS), sponsored by the National Science Foundation, were influential as well, in particular Recommendation 4, “Integrate computer security content into existing technical (e.g., programming) and non-technical (e.g., English) courses to reach students across disciplines” .
In developing the first volume  of this four-part curricular series, the term software assurance (SwA) was defined and carried through all volumes as the “Application of technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures” . The emphasis here is on the concomitant consequences of both technologies and processes.
An appropriate selection of courses for a specialty or concentration in Software Assurance (SwA) is recommended in this report as Computer Science I, II, and III, and more specialized courses such as Introduction to Computer Security, Secure Coding, and Introduction to Assured Software Engineering. These more specialized courses are not intended to be an exhaustive list of possibilities, but rather a set of courses that could reasonably be taken by students wishing to pursue further education in software assurance. Community colleges could easily offer a certificate program in SwA complementary to typical associate degrees in computer science, information systems, and information technology. This certificate option is part of the CCECC’s curriculum, assessment, and pedagogy online repository at www.capspace.org. Brief descriptions of the six community college courses outlined in Software Assurance Curriculum Project Volume IV are as follows :
Computer Science I
This course is the first in a three-course sequence that provides students with a foundation in computer science. Using a high level programming language, students develop fundamental programming skills, including secure coding awareness, human-computer interactions, and social responsibility.
Computer Science II
This course is the second in a three-course sequence that provides students with a foundation in computer science. Using a high level programming language, students develop intermediate programming skills with an emphasis on algorithms, software development, and secure coding techniques, as well as gain an appreciation for ethical conduct.
Computer Science III
This course is the third in a three-course sequence that provides students with a foundation in computer science. Using a high level programming language, students continue to develop programming skills focusing on data structures, algorithmic analysis, software engineering and software assurance principles, as well as giving emphasis to professionalism.
Introduction to Computer Security
This course provides an overview of the fundamentals of computer security. Topics include security standards, policies, and best practices; principles, mechanisms, and implementation of computer security and data protection; security policy, encryption, and authentication; access control and integrity models and mechanisms; network security; secure systems; programming and vulnerabilities analysis; principles of ethical and professional behavior; regulatory compliance and legal issues; information assurance; risk management and threat assessment; business continuity and disaster recovery planning; and security across the life cycle.
This course covers security vulnerabilities of programming in weakly typed languages like C and in more modern languages like Java. Common weaknesses exploited by attackers are discussed, as well as mitigation strategies to prevent those weaknesses. Students practice programming and analysis of software systems through testing and static analysis. Topics covered include methods for preventing unauthorized access or manipulation of data, input validation and user authentication, memory management issues related to overflow and corruption, misuse of strings and pointers, and inter-process communication vulnerabilities.
Introduction to Assured Software Engineering
This course covers the basic principles and concepts of assured software engineering; system requirements; secure programming in the large; modeling and testing; object-oriented analysis and design using the unified modeling language (UML); design patterns; frameworks and application programming interfaces (APIs); client-server architecture; user interface technology; and the analysis, design and programming of extensible software systems.
Below are two possible sequencing options for the six courses given the suggested prerequisite structure. Other options are also possible to meet local program needs.
Introduction to Computer Security
Assured Software Engineering
Table 1: Option 1 for Typical Course Sequencing
Assured Software Engineering
Introduction to Computer Security
Table 2: Option 2 for Typical Course Sequencing
The Computer Science I–II–III course sequence, typical at community colleges as well as smaller four-year colleges, is the equivalent of the Computer Science I–II course sequence at other four-year colleges and universities. The depth of coverage of the topics in each course varies, as do the associated level of Bloom’s Taxonomy. In many areas, students need to be able to discuss and describe the topics, but in other areas they must be able to apply the techniques learned in the course to actual software projects.
As part of the outreach efforts, a well-attended birds-of-a-feather roundtable discussion was held at the 2012 SIGCSE conference in Raleigh, NC. All four volumes of the curriculum project [1, 9, 10, 11] were disseminated at this roundtable. “Security Injections,” developed by Towson University with funding by the National Science Foundation, surfaced as part of the discussion. For several years, Towson University has been developing checklist-based security injection modules for introductory computer science courses, with the goal of increasing students’ security awareness and ability to apply secure coding principles .
 Mead, Nancy R.; Hawthorne, Elizabeth K; & Ardis, Mark. Software Assurance Curriculum Project Volume IV: Community College Education (CMU/SEI-2011-TR-017). Software Engineering Institute, Carnegie Mellon University, 2011. http://www.sei.cmu.edu/library/abstracts/reports/11tr017.cfm
 American Association of Community Colleges (AACC). Students at Community Colleges. http://www.aacc.nche.edu/AboutCC/Trends/Pages/studentsatcommunitycolleges.aspx (2011).
 Association for Computing Machinery (ACM). Computing Curricula 2009: Guidelines for Associate-Degree Transfer Curriculum in Computer Science. ACM and IEEE Computer Society, 2009. http://www.acmccecc.org/committee/CommitteeFileUploads/2009ComputerScienceTransferGuidelines.pdf
 Association for Computing Machinery & IEEE Computer Society. Computer Science Curriculum 2008: An Interim Revision of CS2001. ACM and IEEE Computer Society, 2008. http://www.acm.org/education/curricula/ComputerScience2008.pdf.
 Copper, Stephen; Nickell, Christine; Piotrowski, Victor; Oldfield, Brenda; Abdallah, Ali; Bishop, Matt; Caelli, Bill; Dark, Melissa; Hawthorne, Elizabeth K.; Hoffman, Lance; Pérez, Lance C.; Pfleeger, Charles; Raines, Richard; Schou, Corey; & Brynielsson, Joel. “An exploration of the current state of information assurance education.” ACM SIGCSE Bulletin, Volume 41 Issue 4, (1999): 109 -125. DOI: 10.1145/1709424.1709457.
 Copper, Stephen; Nickell, Christine; Pérez, Lance C.; Oldfield, Brenda; Brynielsson, Joel; Gencer Gökce, As?m; Hawthorne, Elizabeth K.; Klee, Karl J.; Lawrence, Andrea; & Wetzel, Susanne. “Towards information assurance (IA) curricular guidelines.” ACM ITiCSE-WGR '10: Proceedings of the 15th annual conference reports on Innovation and technology in computer science education. 2010.DOI: 10.1145/1971681.1971686.
 Pérez, Lance C.; Cooper, Stephen; Hawthorne, Elizabeth K.; Wetzel, Susanne; Brynielsson, Joel; Gencer Gökce, Asim; Impagliazzo, John; Khmelevsky, Youry; Klee, Karl J.; Leary, Margaret; Philips, Amelia; Pohlmann, Norbert; Taylor, Blair; & Upadhyaya, Shambhu. “Information assurance education in two- and four-year institutions.” ACM ITiCSE-WGR '11: Proceedings of the 16th annual conference reports on Innovation and technology in computer science education. 2011. DOI: 10.1145/2078856.2078860.
 Taylor, B.; Bishop, M.; Burley, D.; Cooper, S.; Dodge, R.; & Seacord, R. “Teaching Secure Coding – Report from Summit on Education in Secure Software.” ACM SIGCSE’12: Proceedings of the 43rd ACM technical symposium on Computer Science Education. 2012. DOI: 10.1145/2157136.2157304.
 Mead, Nancy R.; Allen, Julia H.; Ardis, Mark; Hilburn, Thomas B.; Kornecki, Andrew J.; Linger, Rick; & McDonald, James. Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum (CMU/SEI-2010-TR-005). Software Engineering Institute, Carnegie Mellon University, 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tr005.cfm
 Mead, Nancy R.; Hilburn, Thomas B.; & Linger, Rick. Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines (CMU/SEI-2010-TR-019). Software Engineering Institute, Carnegie Mellon University, 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tr019.cfm
 Mead, Nancy R.; Allen, Julia H.; Ardis, Mark; Hilburn, Thomas B.; Kornecki, Andrew J.; & Linger, Rick. Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi (CMU/SEI-2011-TR-013). Software Engineering Institute, Carnegie Mellon University, 2011. http://www.sei.cmu.edu/library/abstracts/reports/11tr013.cfm
 Taylor, B. & Kaza, S. “Security Injections: Modules to Help Students Remember, Understand, and Apply Secure Coding Techniques.” ACM ITiCSE-WGR '11: Proceedings of the 16th annual conference reports on Innovation and technology in computer science education. 2011. DOI: 10.1145/1999747.1999752.
Copyright © Carnegie Mellon University 2005-2012.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at email@example.com.
The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.
THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.