Software Security
Proceedings of the 10th Colloquium for Information Systems Security Education University of Maryland, University College Adelphi, MD June 5-8, 2006
Software Security: Integrating Secure Software Engineering in Graduate Computer Science Curriculum
Stephen S. Yau, Fellow, IEEE, and Zhaoji Chen Arizona State University, Tempe, AZ 85287-8809 {yau, zhaoji.chen@asu.edu}
Abstract – In addition to enable students to understand the theories and various analysis and design techniques, an effective way of improving students’ capabilities of developing secure software is to develop their capabilities of using these theories, techniques and effective tools in the security software development process. In this paper, the development and delivery of a graduate-level course on secure software engineering with the above objective at Arizona State University are presented. The developing process, stimulating techniques and tools used in this course, as well as lessons learned from this effort, are discussed. Index terms – Information assurance, software security, secure software engineering, graduate curriculum, course, theory, techniques, tools, course project, and lessons learned.
network-based security approaches, like firewalls and signature-based anti-spyware, have been shown ineffective to achieve secure software. Furthermore, fixing software after release is very costly. The later the security is addressed in the development cycle, the costlier it becomes: one dollar required to resolve an issue during the design phase grows into 60 to 100 dollars to resolve the same issue after the software is shipped [5]. It is obvious that a better way to achieve secure software is to incorporate security in the software starting from the beginning of the development process. However, because software developers tend to focus the cost and time on meeting well-specified functional requirements and leave security issues for maintenance in the infamous penetrate and patch manner
Software Security: Integrating Secure Software Engineering in Graduate Computer Science Curriculum
Stephen S. Yau, Fellow, IEEE, and Zhaoji Chen Arizona State University, Tempe, AZ 85287-8809 {yau, zhaoji.chen@asu.edu}
Abstract – In addition to enable students to understand the theories and various analysis and design techniques, an effective way of improving students’ capabilities of developing secure software is to develop their capabilities of using these theories, techniques and effective tools in the security software development process. In this paper, the development and delivery of a graduate-level course on secure software engineering with the above objective at Arizona State University are presented. The developing process, stimulating techniques and tools used in this course, as well as lessons learned from this effort, are discussed. Index terms – Information assurance, software security, secure software engineering, graduate curriculum, course, theory, techniques, tools, course project, and lessons learned.
network-based security approaches, like firewalls and signature-based anti-spyware, have been shown ineffective to achieve secure software. Furthermore, fixing software after release is very costly. The later the security is addressed in the development cycle, the costlier it becomes: one dollar required to resolve an issue during the design phase grows into 60 to 100 dollars to resolve the same issue after the software is shipped [5]. It is obvious that a better way to achieve secure software is to incorporate security in the software starting from the beginning of the development process. However, because software developers tend to focus the cost and time on meeting well-specified functional requirements and leave security issues for maintenance in the infamous penetrate and patch manner
References: [1] M. Howard and D. LeBlanc, “Writing Secure Code”, Microsoft Press, 2001. [2] CERT Coordination Center, CERT/CC statistics 19882005. Available at: http://www.cert.org/stats/cert_stats.html [3] National Institute of Standards and Technology, “Software Errors Cost U.S. Economy $59.5 Billion Annually” (NIST2002-10). Available at: http://www.nist.gov/public_affairs/releases/n02-10.htm [4] Gary McGraw, “Software Security”, IEEE Security & Privacy, vol. 2(2), 2004, pp. 80-83. [5] K.S. Hoo, A.W. Sudbury, and A.R. Jaquith, “Tangible ROI Through Secure Software Engineering”, Secure Business Quarterly, vol.1(2), 2001. [6] J. Viega and G. McGraw, Building Secure Software: How to Avoid Security Problems the Right Way?, Addison-Wesley, 2001 [7] S. Barnum and G. McGraw, “Knowledge for Software Security”, IEEE Security & Privacy, vol. 3(2), 2005, pp. 74-78. [8] NSA, “National IA Education & Training Program”, Available at: http://www.nsa.gov/ia/academia/cnsstesstandards.cfm [9] CSE591 Software Security at: http://enpub.fulton.asu. edu/iacdev/courses/CSE591s/home.html [10] G. Hoglund and G. McGraw, “Exploiting Software: How to break code”, Addison-Wesley, 2004 ISBN 1-933510-98-6/$15.00 © 2006 CISSE 130