Complex software systems affect nearly every aspect of our lives, in areas such as defense, government, energy, communication, transportation, manufacturing, and finance. Protecting these systems against vulnerabilities and attacks is critical, so there is a growing demand for skilled professionals who can build security and correct functionality into software and systems under development. Yet there are few software assurance programs or tracks that focus on developing assured software and, consequently, not enough professionals to meet the growing demand.
Software Assurance Curriculum Project
Seeing the need for advanced education in software assurance and education for acquirers of assured software, the Department of Homeland Security (DHS) directed the SEI in 2009 to develop a curriculum for a Master of Software Assurance (MSwA) degree program. CERT researchers collaborated on the software assurance curriculum with a team of educators from Embry-Riddle Aeronautical University, Monmouth University, and Stevens Institute of Technology. The focus of the software assurance curriculum project is to
- identify a core body of knowledge that educational institutions can use to develop Master of Software Assurance (MSwA) degree programs
- mentor universities in developing standalone MSwA degree programs and tracks within existing software engineering and computer science master’s degree programs
- promote an undergraduate curriculum specialization for software assurance
- address community college needs
The foundation upon which this work rests includes the Graduate Software Engineering 2009 (GSwE2009) Curriculum Guidelines for Graduate Degree Programs in Software Engineering, work on the DHS Security Build Security In website by Carnegie Mellon University’s Software Engineering Institute, the Software Assurance Curriculum Body of Knowledge (SwACBK), and the authors’ discussions and professional experience.
MSwA 2010 Reference Curriculum
The course structure for the MSwA 2010 Reference Curriculum supports the DHS objective of increasing the cyber security workforce by producing more educated graduates of software master’s degree programs. This effort, in fact, directly contributes to accomplishing the goal of the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) Formal Cybersecurity Education Track initiative—namely “to bolster formal cybersecurity education programs encompassing kindergarten through 12th grade, higher education and vocational programs” (source: http://csrc.nist.gov/nice/aboutUs.htm).
The MSwA Reference Curriculum is the first curriculum developed that focuses on assuring the functionality, dependability, and security of software and systems. While reference curricula exist, including the SEI’s groundbreaking software engineering curriculum, no reference curriculum focused solely on software assurance existed prior to the development of the MSwA.
The curriculum provides guidelines for a well-rounded education on key security and assurance topics, including assurance across life cycles, risk management, assurance assessment, assurance management, system security assurance, system functionality assurance, and system operational assurance.
Highlights of the curriculum include
- educational outcomes for students who graduate from a program based on the curriculum
- prerequisites expected of students entering an MSwA program
- curriculum architecture for both a standalone degree program and track (see Figure 1)
- a core body of knowledge that includes the fundamental topics to be taught in the curriculum
- implementation guidelines for educational institutions interested in establishing a program or track based on the curriculum
Figure 1: Architecture of an MSwA Degree Program
The MSwA curriculum has been formally recognized by the two leading computing professional societies, the IEEE Computer Society and its partner the Association for Computing Machinery (ACM) Education Board, as appropriate for a master’s program in software assurance. This formal recognition signifies to the educational community that the MSwA Reference Curriculum is suitable for creating graduate programs or tracks in software assurance. The IEEE Computer Society and ACM have developed several computing curricula and are community leaders in curricula development.
Additional SwA Curriculum Project Results
In addition to the MSwA reference curriculum, undergraduate software assurance (SwA) course outlines were developed. These courses are intended to provide students with fundamental skills for either entering the field directly or continuing with graduate-level education.
Sample course outlines for the core courses in the MSwA Reference Curriculum were developed. These were later replaced by more detailed syllabi. In addition, a master bibliography and selected lecture material and other materials to support faculty teaching software assurance are available on the CERT website at http://www.cert.org/mswa/.
To promote incorporation of software assurance information into formal degree programs, the MSwA curriculum offers flexible options. Educational institutions may choose from the following:
- implement the full reference curriculum to establish a standalone master’s program in software assurance
- tailor the materials to offer a software assurance track within an existing graduate program in a related area, such as software engineering or information systems (see Figure 2)
- use the available undergraduate course outlines to prepare students for a career or additional graduate study in the field of software assurance
Figure 2: Architecture of a Master of Software Engineering Program with Software Assurance Specialization
Additionally, managers or trainers within organizations may be able to use information from the curriculum to enhance the software assurance capabilities of their existing workforce.
SwA Education Adoption and Future Needs
Educational institutions have begun incorporating the curriculum into their offerings. One of the first, prior to the curriculum development work, was James Madison University. Stevens Institute of Technology now offers a master’s degree certificate in software assurance within their Master of Software Engineering Program. In Fall 2011, the US Air Force Academy incorporated secure programming considerations into course offerings and, using a cross-curricular approach, included security and software assurance topics in a number of computer science courses in its latest curriculum revision [7, 8].
The BSI article “Infusing Software Assurance (SwA) into Introductory Computer Science Curricula” focuses on community college courses for software assurance. The courses are intended to provide students with fundamental skills for continuing with graduate-level education or to provide supplementary education for students with prior undergraduate technical degrees who wish to become more specialized in software assurance.
A recent report also describes ways of incorporating software assurance content into Master of Science in Information Systems (MSIS) Programs.
A report has been developed to address community college software assurance needs, including course outlines and supporting resources. Collaborators in this effort include Embry-Riddle Aeronautical University, Stevens Institute of Technology, and the ACM Two Year College Education Committee (TYCEC).
In order to fully transition the MSwA curriculum to educational institutions, there is a need to develop full course materials for the MSwA core courses, including slides, notes, homework assignments, exams, and readings. A corresponding one-semester certificate program should be developed to enhance the software assurance skills of government staff, especially acquisition personnel.
Additional Initiatives Related to Software Assurance Education
The Department of Defense, through the National Security Agency, initiated a study to characterize the form and contents of the discipline of software assurance. This type of rigorous study is a necessary first step in formulating an academic study of the field. It is also a prerequisite to formulating the practical steps necessary to achieve a secure software base. The project created a database containing the known empirical, theoretical, critical/analytic, and methodological knowledge elements of the field.
The Department of Homeland Security sponsors a pocket guide series. One of the pocket guides is on the subject of software assurance education.
Workforce Education and Training Working Group
The Department of Homeland Security Software Assurance (SwA) Workforce Education and Training Working Group is composed of members from industry, government, and academia. It helps both existing and prospective members of the workforce (e.g., students and educational institutions) improve their production of adequately secure software.
The articles in this content area are published articles describing software assurance education initiatives in more detail.
[1] Integrated Software & Systems Engineering Curriculum (iSSEc) Project. Graduate Software Engineering 2009 (GSwE2009) Curriculum Guidelines for Graduate Degree Programs in Software Engineering, Version 1.0. Stevens Institute of Technology, 2009.
[2] Department of Homeland Security (DHS) Software Assurance (SwA). Build Security In. https://buildsecurityin.us-cert.gov/bsi/home.html (2010).
[3] Department of Homeland Security (DHS) Software Assurance (SwA) Workforce Education and Training Working Group. Software Assurance CBK/Principles Organization. https://buildsecurityin.us-cert.gov/bsi/dhs/927-BSI.html (2010).
[4] Mead, Nancy R.; Allen, Julia H.; Ardis, Mark; Hilburn, Thomas B.; Kornecki, Andrew J.; Linger, Rick; & McDonald, James. Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum (CMU/SEI-2010-TR-005, ESC-TR-2010-005). Software Engineering Institute, Carnegie Mellon University, 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tr005.cfm
[5] Mead, Nancy R.; Hilburn, Thomas B.; & Linger, Rick. Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines (CMU/SEI-2010-TR-019, ESC-TR-2010-019). Software Engineering Institute, Carnegie Mellon University, 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tr019.cfm
[6] Mead, Nancy R.; Allen, Julia H.; Ardis, Mark; Hilburn, Thomas B.; Kornecki, Andrew J.; & Linger, Rick. Master of Software Assurance Course Syllabi. Software Engineering Institute, Carnegie Mellon University, 2011. http://www.sei.cmu.edu/library/abstracts/reports/11tr013.cfm
[7] Hadfield, S.; Schweitzer, D.; Gibson, D.; Fagin, B.; Carlisle, M.; Boleng, J.; & Bibighaus, D. “Defining, Integrating, and Assessing a Purposeful Progression of Cross-Curricular Initiatives into a Computer Science Program.” Proceedings of the 41st ASEE/IEEE Frontiers in Education Conference. October 2011.
[8] Hadfield, S. “Integrating Software Assurance and Secure Programming Concepts and Mindsets into an Undergraduate Computer Science Program.” Presented at Department of Homeland Security Software Assurance Forum. March 29, 2012.
[9] Shoemaker, Dan; Mead, Nancy R.; & Ingalsbe, Jeff. Integrating the Master of Software Assurance Reference Curriculum into the Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems (CMU/SEI-2011-TN-004, ESC-TN-2011-004). Software Engineering Institute, Carnegie Mellon University, 2011. http://www.sei.cmu.edu/library/abstracts/reports/11tn004.cfm
[10] Mead, Nancy R.; Hawthorne, Elizabeth K.; & Ardis, Mark. Software Assurance Curriculum Project Volume IV: Community College Education (CMU/SEI-2011-TR-017). Software Engineering Institute, Carnegie Mellon University, 2011. http://www.sei.cmu.edu/library/abstracts/reports/11tr017.cfm
Copyright © Carnegie Mellon University 2005-2012.
The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.