3/21/06 Copyright © 2006 Samuel T. Redwine, Jr. 1
Secure Software Engineering in Higher Education and Professional Societies
Samuel T. Redwine, Jr.
James Madison University
Software Assurance
Object Management Group
February 15, 2006
Overview
• Secure Software Assurance
• Higher Education Activities
• Professional Society Activities
– Organizations
– Publications
– Events
• Conclusion
Secure Software Assurance
• Assurance
• Justified Confidence
• Assurance Case
• Uses of Assurance Case
• Body of Knowledge
Assurance
• “Assurance” is used in several ways, but the underlying concept is to reduce uncertainty
• To rationally decide to use software in a dangerous situation one needs
– The software
– Justified confidence in it
Justified Confidence
• To have one’s uncertainty reduced, and so have justified confidence in a security claim, one needs convincing
– Evidence
– Arguments that tie evidence to the claim
• Implies valid evidence and arguments
Together these make the “assurance case”
Uses of Assurance Case
• Planned assurance case helps determine development plan and activities
• For developer: assurance case contents (so far) need to be adequate at each step
– Especially release
• Assurance case helps decide purchase and use
Secure Software Assurance BOK
• Body of knowledge document out for review (until Feb. 21st)
– At buildsecurityin website under Additional Resources
– (https://buildsecurityin.us-cert.gov/portal/resources/)
• Identifies knowledge and gives references
• Approximately 225 pages
• To be issued in March
• Government, industry, and academic involvement
Higher Education Status
• Depending on how one counts, one can identify between two and twenty-two institutions that teach secure software engineering
• Few regular software security courses or programs offered
• Secure Software Assurance body of knowledge out for review
Higher Education Activities
• Naval Post Graduate School
– Number of Masters theses
• James Madison University
– Secure Software Engineering Masters
• Carnegie Mellon University
– CyLab
– Computer Science Department
– Software Engineering Institute
• Northeastern University
– Engineering Secure Software
Example Single Topic Courses
• Purdue
– Secure Programming
• George Mason University
– Secure Programming
• Princeton
– Secure Internet Programming
• Columbia
– Programming-heavy Network Security
Textbooks
• Only one of the major Software Engineering textbooks treats security
– Sommerville 7th edition treats critical systems (and safety) at length and security briefly but explicitly in this context
• None of the many Software Quality Assurance texts I have examined treat security in more than passing
Software security books:
• Gasser 1988 last introductory text to emphasize high security
• Few professional books go much beyond programming
Funding for Curricula
• Microsoft has given a number of modest awards to improve education in Trustworthy Computing and Software Engineering
• Federal funding has been quite modest
Professional Society Activities
• Organizations
– ACM Risks Forum
– IEEE CS TCSE Committee on Secure Software Engineering
– NDIA committee on software assurance
• Publications
– ACM Trans. Info and System Security
– IEEE Trans. Dependability and Security
– IEEE Security and Privacy magazine
Events
• IEEE International Symposium on Secure Software Engineering, March 13-15 in Arlington VA
• Software Engineering for Secure Systems Workshop
• Workshop on Secure Software Engineering Education and Training
Also: DHS Software Assurance Forum, NIST Workshops on tools and metrics, and NDIA Software Assurance events
Professional Examinations
• Canadian Council of Professional Engineers has an elective Software Engineering examination on Security/Safety
• British Computer Society exams mention security under networking and distributed systems topics (not SwE)
• IEEE Computer Society Certified Software Development Professional exam does not currently cover security
– SWEBOK Guide should add “soon”
Conclusion
• Must have Software and Justified Confidence
• Higher education efforts limited but growing
• Professional society publications and events exist
• Secure Software Assurance body of knowledge out for review