3/21/06 Copyright © 2006 Samuel T. Redwine, Jr. 1
Secure Software Engineering in Higher Education and Professional Societies
Samuel T. Redwine, Jr.
James Madison University
Software Assurance
Object Management Group
February 15, 2006
Overview
• Secure Software Assurance
• Higher Education Activities
• Professional Society Activities
– Organizations
– Publications
– Events
• Conclusion
Secure Software Assurance
• Assurance
• Justified Confidence
• Assurance Case
• Uses of Assurance Case
• Body of Knowledge
Assurance
• “Assurance” is used in several ways, but underlying concept is to reduce uncertainty
• To rationally decide to use software in dangerous situation one needs
– The software
– Justified confidence in it
Justified Confidence
• To have one’s uncertainty reduced so as to have justified confidence in a security claim, one needs convincing
– Evidence
– Arguments that tie evidence to claim
• Implies valid evidence and arguments
Together these make the “assurance case”
Uses of Assurance Case
• Planned assurance case helps determine development plan and activities
• For developer: assurance case contents (so far) need to be adequate at each step
– Especially release
• Assurance case helps decide purchase and use
Secure Software Assurance BOK
• Body of knowledge document out for review (until Feb. 21st)
– At buildsecurityin website under Additional Resources
– (https://buildsecurityin.us-cert.gov/portal/resources/)
• Identifies knowledge and gives references
• Approximately 225 pages
• To be issued in March
• Government, industry, and academic involvement
Higher Education Status
• Depending on how one counts, one can identify between two and twenty-two institutions that teach secure software engineering
• Few regular software security courses or programs offered
• Secure Software Assurance body of knowledge out for review
Higher Education Activities
• Naval Postgraduate School
– Number of Masters theses
• James Madison University
– Secure Software Engineering Masters
• Carnegie Mellon University
– CyLab
– Computer Science Department
– Software Engineering Institute
• Northeastern University
– Engineering Secure Software
Example Single Topic Courses
• Purdue
– Secure Programming
• George Mason University
– Secure Programming
• Princeton
– Secure Internet Programming
• Columbia
– Programming-heavy Network Security
Textbooks
• Only one of the major Software Engineering textbooks treats security
– Sommerville 7th edition treats critical systems (and safety) at length and security briefly but explicitly in this context
• None of the many Software Quality Assurance texts I have examined treat security in more than passing
Software security books:
• Gasser 1988 last introductory text to emphasize high security
• Few professional books go much beyond programming
Funding for Curricula
• Microsoft has given a number of modest awards to improve education in Trustworthy Computing and Software Engineering
• Federal funding has been quite modest
Professional Society Activities
• Organizations
– ACM Risks Forum
– IEEE CS TCSE Committee on Secure Software Engineering
– NDIA committee on software assurance
• Publications
– ACM Trans. Info and System Security
– IEEE Trans. Dependability and Security
– IEEE Security and Privacy magazine
Events
• IEEE International Symposium on Secure Software Engineering, March 13-15 in Arlington, VA
• Software Engineering for Secure Systems Workshop
• Workshop on Secure Software Engineering Education and Training
Also: DHS Software Assurance Forum, NIST Workshops on tools and metrics, and NDIA Software Assurance events
Professional Examinations
• Canadian Council of Professional Engineers has an elective Software Engineering examination on Security/Safety
• British Computer Society exams mention security under networking and distributed systems topics (not SwE)
• IEEE Computer Society Certified Software Development Professional exam does not currently cover security
– SWEBOK Guide should add “soon”
Conclusion
• Must have Software and Justified Confidence
• Higher education efforts limited but growing
• Professional society publications and events exist
• Secure Software Assurance body of knowledge out for review