ABET Cybersecurity Continual Course Improvements for Secure Software Development

This is an innovative practice full paper. The need to develop software securely cannot be over-emphasized. The changing legal and regulatory international and local landscape for software requirements is astounding. For example, the European Union's General Data Protection Regulation (GDPR), the United States' Health Insurance Portability and Accountability Act (HIPAA), the Chinese Cybersecurity laws, and the credit card industry's Payment Card Industry Data Security Standard (PCI-DSS) are all upholding higher standards for system development and deployment. Such legal and regulatory changes of necessity require modifications and updating in software development methods that must be incorporated into cybersecurity software development courses to properly prepare students for successfully working in the field. To address these and other changes within the computing field, the Accreditation Board for Engineering (ABET) recently proposed preliminary cybersecurity accreditation criteria for which fewer than 20 universities have both applied and become ABET Cybersecurity accredited. The accreditation requires maintaining continuous course improvement in the core courses including a secure software development course. This research first reports on important topics incorporated into a senior-level secure software development for cybersecurity majors. Our research then analyses student Institutional Review Board (IRB) approved surveys to learn which course components could benefit from continuous course improvements. We apply machine learning to help build categories for ABET continual improvement. Finally, we share lessons learned and plans for future work.