Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi

Abstract: Modern society depends on software systems of ever-increasing scope and complexity in virtually every sphere of human activity, including business, finance, energy, transportation, education, communication, government, and defense. Because the consequences of failure can be severe, dependable functionality and security are essential. As a result, software assurance is emerging as an important discipline for the development, acquisition, and operation of software systems and services that provide requisite levels of dependability and security. This report, the third volume in the Software Assurance Curriculum Project sponsored by the U.S. Department of Homeland Security, provides sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum. That curriculum, detailed in Volume I, Master of Software Assurance Reference Curriculum (CMU/SEI-2010-TR-005), presents a body of knowledge from which to create a Master of Software Assurance degree program, as both a stand-alone offering and as a track within existing software engineering and computer science master's degree programs. Volume II, Undergraduate Course Outlines (CMU/SEI-2010-TR-019), presents seven course outlines that could be used in an undergraduate curriculum specialization for software assurance. This volume is part of our transition plan for assisting educators who wish to implement a Master of Software Assurance degree program, specialization, or certificate program. In addition to application in a standard university program, these syllabi may also be useful for educators developing courses for industry practitioners. Each syllabus contains the following components: a catalog description, the course prerequisites and corequisites, expected student outcomes, a list of topics, a set of primary and secondary sources, descriptions of assignments and in-class activities, and a suggested schedule.
