Appendix C. The Software Assurance Curriculum Project

The SEI established the Software Assurance Curriculum Project in 2009. The project has developed four documents that correlate well with the objective to enhance SwA curriculum guidance (see Table C.1).

Table C.1 Software Assurance Curriculum Project Documents

The courses listed in Table C.1 go well beyond secure coding and SwA at the implementation level. They cover security issues throughout the life cycle, as part of requirements analysis, architecture and module design, implementation, testing, and operation and maintenance. The graduate level includes additional SwA topics in such traditional areas as management and process, requirements engineering, design, construction, testing, and sustainment. These areas include SwA topics such as security policy and security functionality requirements; attack methods to damage software; analysis of threats to software; appropriate countermeasures such as layers, access controls, privileges, intrusion detection, and encryption; and designing and planning for access control, privileges, and authentication.

Because no SwA body of knowledge existed, one of the project team’s first tasks was to establish one. After extensively reviewing software security reports, books, and articles and after surveys of and discussions with industry and government SwA professionals, the curriculum team developed the SwA Core Body of Knowledge (CorBoK). The CorBoK covers the spectrum of SwA practices involved in software system acquisition, development, operation, and evolution. It’s the source for the content of the courses listed for Volumes II, III, and IV in Table C.1. Table C.2 lists the CorBoK’s principal components and knowledge areas (KAs) and describes the principal MSwA student outcomes associated with each KA.

Table C.2 SwA CorBoK Knowledge Areas

Based on the KAs, the project team created the MSwA Curriculum Architecture (see Table C.3). This architecture is compatible with software engineering master’s degree programs because software engineering courses can incorporate the SwA-specific topics. Note that the MSwA core and the capstone experience in Table C.3 list the courses in the Volume III document; in total, they cover all the knowledge areas listed in Table C.2. The architecture provides a structural basis for programs that deliver the outcomes described in Table C.2. Of course, programs may cover the SwA body of knowledge and the corresponding outcomes using an organization and set of courses different from those listed in Table C.3. Table C.3 also lists the three preparatory areas students need to pursue the MSwA: computing foundations, software engineering, and security engineering. Volume I describes these areas in detail.

Table C.3 The Master in Software Assurance Curriculum Architecture
