Curricula: Software Assurance Materials and Artifacts
Lecture materials and artifacts in the following categories are available for use in a software assurance program or track.
Security Quality Requirements Engineering (SQUARE) is a nine-step process to help organizations build security into the early stages of the production lifecycle.
It is increasingly important for software engineers to understand how to develop secure software. Because software systems are increasingly under attack, methods for developing secure systems need to be considered at each stage of development. This course focuses on methods and practices for the development of secure software systems, including lifecycle process models;risk management;requirements engineering;architecture and design;coding and testing;and governance and management. As time permits, acquisition of newly developed and COTS software will also be discussed. Students will acquire an understanding of the fundamental concepts for developing secure systems and access to resources for more detailed follow-up studies. Prerequisite: Prior software engineering or computer security course, or instructor permission. This course was taught by Dr. Nancy Mead at Carnegie Mellon University. Lectures, case studies, and homework assignments in a .zip file are available for download.
As connectivity grows, we must consider the large-scale, highly networked, software-dependent systems upon which all of our critical infrastructure relies, from phones to power, to water, to industries such as banking, medicine, and retail. Software assurance—confidence that software is free from vulnerabilities and functions as intended—is the term used to describe this context. Software Assurance for Executives video modules and slide sets provide information and guidance on all stages of the software assurance lifecycle, as well as emerging topics such as cloud computing and standards that support software assurance.
Insider threat information is important to cover in a software assurance program or track. You can attend a workshop to learn more or read some of the CERT Insider Threat Center's publications for more information.
The Secure Programming course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to software systems that are vulnerable to exploitation.
This course, taught by Dan Shoemaker at the University of Detroit Mercy, is rooted in the fundamental organizing principles and control techniques delineated by the ISO/IEEE 12207 and the ISO 15288 standards. These two standards array the basic elements of the software process into an infrastructure for the strategic management of software organizations. While they define the processes that underlie all forms of development, maintenance, and operation, they do not provide a specific approach for ensuring capable performance of software work. Since there are internationally recognized standards that serve this purpose, several are examined in-depth, including CMM, CMMI, ISO 15504 (SPICE), and the PSP/TSP. Course materials are available for download in ZIP format.
These course materials, developed by David A. Wheeler for his Secure Software Design and Programming graduate course (SWE-681/ISA-681) at George Mason University, include presentations (available under the Creative Commons CC-BY-SA license) and a book.
This seminar from Carnegie Mellon University Associate Professor Jonathan Aldrich enables attendees to
- understand the benefits of analysis and how it complements techniques like testing or inspection
- grasp the basics of static analysis technology
- know some analysis tools that are available and properties of others that are on the horizon
- evaluate current and future commercial analysis tools for use in their organization
- develop a plan for introducing analysis into their organization
Altran Praxis developed a case study for the National Security Agency that demonstrates correct software by construction using formal specification and verification. With the proper tools (which are available to academic users for free), you can compile and execute the implementation, which uses a subset of Ada. In addition, you can use the verification tools to check the formal proofs. For more information, go to the Altran Praxis website.
The University of Virginia provides links to several case studies that cover system safety case concepts in a variety of domains: Eurocontrol air navigation and airspace, electrical current limiting devices on power distribution networks, a geological repository for radioactive waste, and the London Underground railway system. The university site also provides link to several papers that cover dependability, survivability, and security.
Learn More About Secure Programming
An online demonstration version of the integer module of the secure coding course can be accessed on the Carnegie Mellon Open Learning Initiative website. You must register as a student to view the material by entering the course key seccode.
Resources are available to faculty who wish to build their courseware and curricula from our research and materials.