Published by Jolie Emens
Panel: Growing the Skills Required for Trustworthy Software
Carol Woody, Ph.D.
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Date 12/5/12
© 2012 Carnegie Mellon University

Who Needs Training & Education
- Builders
  - Designers
  - Engineers
  - Coders
  - Testers
- Decision Makers
  - Program Management
  - Stakeholders
  - Executives
  - Acquirers

Software Assurance (SwA) Curriculum Project

SwA Curriculum Sponsorship and Goals
Sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD)
Goals
- develop software assurance curricula
- define transition strategies for future implementation

SwA Curriculum Project Objectives
- Improve the state of software assurance education
- Develop a Master of Software Assurance Reference Curriculum (Volume I)
- Identify educational offerings at other levels
  - Undergraduate (Volume II)
  - MSwA Syllabi (Volume III)
  - Community College (Volume IV)
  - Integration with IS Curricula (Technical Note)

Purpose of MSwA Curriculum
Foundational material includes (but not limited to)
- Software Assurance Curriculum Body of Knowledge (SwACBK)
- work done by the SEI in support of DHS Build Security In (BSI) website
- Graduate Software Engineering 2009 (GSwE 2009) Curriculum Guidelines for Graduate Degree Programs in Software Engineering
VOLUME I

Body of Knowledge (BoK)
Organization:
- BoK
  - knowledge areas
    - knowledge units
      - knowledge topics, with associated Bloom cognitive levels
Assurance Process and Management
- Assurance Across Life Cycles
- Risk Management
- Assurance Assessment
- Assurance Management
Assurance Product and Technology
- System Security Assurance
- Assured Software Analytics
- System Operational Assurance

Architectural Structure of an MSwA2010 Degree Program
- Preparatory Materials
  - Computing Foundations
  - Software Engineering
  - Security Engineering
- MSwA Core
  - Assurance Across Life Cycles
  - Risk Management
  - Assurance Assessment
  - Assurance Management
  - System Security Assurance
  - Assured Software Analytics
  - System Operational Assurance
- Electives
  - Courses Related to Assurance in Selected Domains
- Capstone Experience
  - Project

Outcomes of MSwA Curriculum Work
Outcomes
- specify the knowledge, skills, and capabilities that graduates of an MSwA program can expect when they complete the program
- represent the minimum capabilities that should be expected of professionals in the area of software assurance when they complete a master's degree program
- provide a model for curriculum content, organization, expected curriculum outcomes
- support those who assess software assurance programs

Professional Society Recognition

IEEE Recognition
The MSwA curriculum was recognized by the IEEE Computer Society. Its notification follows:

At the meeting of the IEEE Computer Society Board of Governors it was passed:

MOVED, that the IEEE Computer Society Board of Governors recognizes the SEI CMU/SEI-2010-TR-005 Reference Curriculum as appropriate for a Masters Program in Software Assurance for a period of 5 years beginning in 1 August

Statement: The curriculum recommendation could contain a statement similar to The IEEE Computer Society recognizes this curriculum recommendation as appropriate for a Masters Program in Software Assurance, signifying that the Society considers it suitable for its stated purpose. If the curriculum recommendation is appropriate as a model for similar efforts, the statement should indicate that designation.

IEEE published an article about its recognition of the MSwA curriculum at

ACM Recognition
The MSwA curriculum was also recognized by the Association for Computing Machinery (ACM) Education Board. This is identical to the IEEE recognition.

SwA Undergraduate Course Outlines
Background
- Corollary activity to MSwA curriculum development.
- Course outlines include description, prerequisites, syllabus (list of topics and Bloom's levels), course delivery features, suggestions on assessment, references.
- Background sources include SwACBK, MSwA Curriculum (Volume I).
- Other sources include the following:
  - CS2008 outlines
  - Carnegie Mellon University outlines
  - James Madison University outlines
  - University of California, Davis outlines
  - Purdue University outlines
VOLUME II

SwA Undergraduate Courses
- Computer Science I (with SwA emphasis)
- Computer Science II (with SwA emphasis)
- Introduction to Computer Security
- Software Security Engineering
- Secure Programming
- Special Topics in Information Assurance and Security
- Software Quality Assurance
- Software Assurance Analytics
- Software Assurance Capstone Project

MSwA Course Syllabi
Supports the development of a set of courses to be used in a master of software assurance curriculum.
Available at
VOLUME III

Community College Report
An ACM committee on two-year degree programs, led by Elizabeth Hawthorne, partnered with the SEI team.
The report includes
- discussion of existing curricula related to software security that are suitable for community colleges
- target audience
- course outlines
- identification of resources
VOLUME IV

Community College Courses
Target audience: Students planning to transfer to a four-year program, students with prior undergraduate technical degrees who wish to become more specialized in software assurance
Courses:
- Computer Science I, II, and III
- Introduction to Computer Security
- Secure Coding
- Introduction to Assured Software Engineering

Executive Overview of Software Assurance

Executive Course Description
Audience: PEOs, procurement officers, and others involved in software acquisition.
Goal: Prepare executives to make informed decisions when acquiring or overseeing development of a security-critical software system.
Contents: Wide spectrum of pertinent issues to help executives and managers understand and address decisions related to security impacts.

Course Content Summary
- Software Assurance in Acquisition
- Assurance Management
- Software Security Fundamentals
- Security in Detail
- Software Assurance Risk Management
- Conclusion

Software Assurance in Acquisition
- Why Is this Important?
- Risks and Threats
- Critical System Compromises and Failures
- Concepts of Confidentiality, Integrity, Availability, and Authentication
- Principles of Software Assurance
- In-House Versus Acquired
- Pros and Cons
- Cloud Component Considerations
- System Evolution
- Upgrades
Activity: Discuss case studies and examples showing issues related to upgrading systems. Emphasize emergent behaviors, compliance to policies, etc.

Assurance Management
- Ownership Issues
- Own It, Rent It; Build vs. Buy
- What Is Cloud?
- Is Cloud Suitable for You?
- Assurance Management
- Making a Business Case for Assurance
- Compliance with Laws, Regulations, Standards, Policies and Best Practices
- Case Studies
- Decision Making Strategies
Activity: Use examples of software as service and present cost-benefit analyses in relation to risks associated with hosting the applications versus outsourcing them. Use case studies to have managers identify the areas of their business in which they could use Cloud services.
Activity: Make the business case for assurance using ROI, risk analysis, etc. Use case studies to show how assurance practices can be integrated into regular acquisition activities. Present decision making strategies to satisfy the constraints the projects have to meet, including meeting standards and regulations.

Software Security Fundamentals 1
- Life-Cycle Models
  - Traditional Models, Such as Waterfall
  - Newer Models, Such as Agile and Iterative Development
- Security and Software Assurance Aspects of Software Development Activities
  - Software Requirements Engineering
  - Software Architecture and Design Methods and Standards
  - Software Coding Methods and Standards
  - Testing Methods and Standards
  - Maintenance, Operation, and Retirement Techniques/Strategies
Activity: Present some examples that show the fragile nature of software and the impracticality of having fault-free software. The failure of Ariane 5's first test flight and the loss of the Mars Climate Orbiter are well-documented cases.

Software Security Fundamentals 2
- Basic Concepts of Security
  - Confidentiality (C)
  - Integrity (I)
  - Availability (A)
  - Balancing the C–I–A Triangle
  - Authentication
- Principles (Saltzer & Schroeder vs. Software Assurance Principles Work)
Activity: Engage students in discussion. How will they address these basic concepts in their acquisition? Especially, how will they balance the CIA triangle? (It may be helpful to point out the relationship between availability and reliability.) When would multiple mechanisms for authentication be advisable?

Security in Detail 1
- Threats and Attack Vectors
- Assets
- Resources
- Vulnerability of the Organization as a Result of the Threat
- Attack Scenarios
- Security Policy and Its Importance
- Access Control and Accountability
- Awareness of Applicable Policies and Standards
- Security from an ROI Perspective
- Business Case
- Hard Business Decisions
- Security Supply Chain
- What Is It?
- How to Build Security into the Supply Chain
Activity: Use examples and case studies to emphasize the classification of assets and how to identify which ones would be more likely to be attacked. Provide examples of insider threats. This section will prepare users for compartmentalizing risks.
Activity: Expand on examples that an acquirer or those who oversee development should consider.

Security in Detail 2
- Security from an ROI Perspective
- Business Case
- Hard Business Decisions
- Security Supply Chain
- What Is It?
- How to Build Security into the Supply Chain
- Linkage to the Supply Chain Course
Activity: Use case studies to show the impact of security-related technologies; include examples of compromised critical infrastructure.
Activity: Provide examples of how they would address the security supply chain as acquirers or as those overseeing development.

Software Assurance Risk Management
- Risk Management Concepts
- Risk Management Process
- Standards, Regulations, and Best Practices
- Government and Industry-Specific Standards
- Documented Organizational Policies and Their Importance
Activity: Survey the concepts of risk management and process. Emphasize the existence of organizational policies that help to mitigate risks.

Conclusion
- Importance of Software Assurance for Acquirers
- Build/Buy Decision
- Business Case
- Supply Chain Risk Management
- Software Assurance Risk Management
- The Way Forward

Supply Chain Risk Management

Supply Chain Risk Management (SCRM)
SCRM for ICT acquisitions considers two kinds of malicious actions.
- Malicious supply chain events: counterfeits & tampering
- Malicious system events: a system weakness provides access to sensitive information, reduces the availability of an essential service, or affects data integrity.
Introductory Course available on FEDVTE September 2012
SCRM Awareness Course under development
Sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD)

Copyright 2012 Carnegie Mellon University.

This material is based upon work supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at

*These restrictions do not apply to U.S. government entities.