Dan Shoemaker
University of Detroit Mercy
Publication
Featured research published by Dan Shoemaker.
Conference on Software Engineering Education and Training | 2007
Dan Shoemaker; Antonio Drommi; Jeffrey A. Ingalsbe; Nancy R. Mead
This paper summarizes the relationship between the specifications of the software assurance common body of knowledge (CBK) and the curricula of software engineering, computer science, and information systems. It identifies where various CBK elements fit within each curriculum and it provides recommendations for additional study based on those findings.
Hawaii International Conference on System Sciences | 2012
Carol Woody; Nancy R. Mead; Dan Shoemaker
Our society's growing dependence on software makes the need for effective software assurance imperative. Motivation to address software assurance requires, at a minimum, an understanding of what to do, how to go about it, and why it is needed. Two key foundation elements are principles for software assurance and a curriculum to educate those who must address this need. This paper highlights efforts underway to address both of these elements.
Hawaii International Conference on System Sciences | 2009
Nancy R. Mead; Dan Shoemaker; Jeffrey A. Ingalsbe
This paper presents a discussion of educational case studies used in security requirements assessment and requirements prioritization. Related to this, it introduces risk understanding as an added dimension to the requirements prioritization process. It should be self-evident that the final product should incorporate the requirements with the greatest value. Nevertheless, in a time when security is a preeminent concern it should also be clear that risk elements should also be considered. As such, activities to reconcile risk with value are always essential. However, since risk and value considerations are different, and sometimes opposed to each other, this paper presents a new process that will help decision makers reconcile these two factors within a single approach. This new process may also be incorporated into security requirements education and prioritization.
Computer Software and Applications Conference | 2008
Nancy R. Mead; Dan Shoemaker; Antonio Drommi; Jeffrey A. Ingalsbe
Globalization and the attendant demands on multicultural teams have placed new emphasis on ensuring that software engineering students understand the real impacts of social and cultural differences on software engineering work. Cultural differences have specific impacts because our own values are innate. This blind spot can be an extreme hazard when it comes to delivering software that functions properly, is on time and on budget. This paper will present the details of an educational program designed to sensitize software engineers to cultural differences by cultural immersion. It will explain how the program addressed four areas of software engineering work that are susceptible to cross cultural influences, 1) process primitives, 2) abstract representation, 3) oversight and control and 4) optimization.
2009 Fourth International Workshop on Requirements Engineering Education and Training | 2009
Nancy R. Mead; Dan Shoemaker; Jeffrey A. Ingalsbe
This paper details the validation of a comprehensive teaching model for security requirements engineering which ensures that security is built into the software from its inception. It centers on the employment of the SQUARE method for secure software requirements engineering, which was developed at Carnegie Mellon University. The effectiveness of the SQUARE method, its learning system and the initial results of using it in student case studies and in a practical, higher education classroom application are reported.
Edpacs | 2015
Anne Kohnke; Dan Shoemaker
With any complex project deployment, a clearly understood and reliable infrastructure can only be substantiated through a rational and explicit planning process. This planning process is often described as information technology (IT) governance. Governance-based control infrastructures are valuable and can provide the basis for control over every form of organizational resource. Given the level of sophistication of malicious agents, an information and communication technology management control system with even one hole in it is a business catastrophe waiting to happen. Strong executive sponsorship is the prerequisite for effective IT governance and the proper way to establish information security is to engineer an array of interlocking best practices, from a commonly accepted model of best practice. Organizations must define substantive policies, assign roles and responsibilities, educate employees and describe and enforce accountability. This paper presents an understanding and mastery of five strategic principles of cybersecurity best practices based on the Framework for Improving Critical Infrastructure Cybersecurity (CSF).
Computer Software and Applications Conference | 2011
Nancy R. Mead; Linda Laird; Dan Shoemaker
This paper describes three educational initiatives in support of software assurance education. The first project attempted to identify and document any knowledge, from any source, that could be related to the assurance of software. The second initiative focuses on the development of a master of software assurance reference curriculum. The third initiative implements the reference curriculum as two tracks within a Master of Science in Software Engineering program.
Edpacs | 2012
Dan Shoemaker; James Rainey; Charles Wilson
This article proposes a unified model of best practice for information and communications technologies (ICT) supply chain risk management (SCRM). Ensuring proper ICT–SCRM governance is an important national priority because of the vulnerability of current supply chains to attack by nation-states and other adversaries. This article presents a comprehensive control framework based on lifecycle practices, which is designed to address ICT product integrity concerns in the global marketplace. "Hence that general is skilful in attack whose opponent does not know what to defend." Sun Tzu (Giles, 1910), 496 BC
Hawaii International Conference on System Sciences | 2010
Dan Shoemaker; Jeffrey A. Ingalsbe; Rita M. Barrios; Nancy R. Mead
Defect free software is a critical national priority. Yet, we still do not fully understand the shape of the field that underlies the process of producing, sustaining and acquiring secure software. Specifically, there is no common agreement on the knowledge requirements for the field, nor is there even full agreement about the activities that legitimately comprise the process itself. Recognizing this, the Department of Defense, through the National Security Agency, has begun a three-year study to characterize the form and contents of the discipline of software assurance. This type of rigorous study is a necessary first step in formulating an academic study of the field. It is also a pre-requisite to formulating the practical steps necessary to achieve a secure software base. The first phase of the project, which has just been completed, created a database containing the known empirical, theoretical, critical/analytic and methodological knowledge elements of the field. This report utilizes that database to characterize the current state of secure software assurance work and suggest future directions.
Computer Software and Applications Conference | 2009
Nancy R. Mead; Antonio Drommi; Dan Shoemaker; Jeffrey A. Ingalsbe
This is a follow-up to our previous study that presented the details of a program to sensitize students to cultural differences by cultural immersion. In this paper, we studied the impact on the student’s participation in the program with respect to culture and their perspectives on diversity and global business practices in the cross-cultural world of software engineering.