Software Security

Only available on StudyMode
  • Download(s) : 231
  • Published : July 14, 2012
Open Document
Text Preview
Proceedings of the 10th Colloquium for Information Systems Security Education University of Maryland, University College Adelphi, MD June 5-8, 2006

Software Security: Integrating Secure Software Engineering in Graduate Computer Science Curriculum Stephen S. Yau, Fellow, IEEE, and Zhaoji Chen Arizona State University, Tempe, AZ 85287-8809 {yau, zhaoji.chen@asu.edu}

Abstract – In addition to enable students to understand the theories and various analysis and design techniques, an effective way of improving students’ capabilities of developing secure software is to develop their capabilities of using these theories, techniques and effective tools in the security software development process. In this paper, the development and delivery of a graduate-level course on secure software engineering with the above objective at Arizona State University are presented. The developing process, stimulating techniques and tools used in this course, as well as lessons learned from this effort, are discussed. Index terms – Information assurance, software security, secure software engineering, graduate curriculum, course, theory, techniques, tools, course project, and lessons learned.

network-based security approaches, like firewalls and signature-based anti-spyware, have been shown ineffective to achieve secure software. Furthermore, fixing software after release is very costly. The later the security is addressed in the development cycle, the costlier it becomes: one dollar required to resolve an issue during the design phase grows into 60 to 100 dollars to resolve the same issue after the software is shipped [5]. It is obvious that a better way to achieve secure software is to incorporate security in the software starting from the beginning of the development process. However, because software developers tend to focus the cost and time on meeting well-specified functional requirements and leave security issues for maintenance in the infamous penetrate and patch manner [6], a large amount of unnecessary effort is put in fixing security defects through patches, service packs, or generating new versions after these defects have been exploited and caused problems. An effective way of developing secure software is to educate and train software developers on critical software security issues. Industry has already taken steps in this direction. For examples, Microsoft has launched its Trustworthy Computing Initiative, and IBM has started its SPADE (Security and Privacy Aware Development Environment) project. Beyond awareness, software developers should gain more software security knowledge and know how to follow the best practices of developing secure software through various educational and training programs. The knowledge of software security is multifaceted and applicable in a diverse way [7], involving security requirement engineering, design principles and guidelines, implementation risks, analysis techniques, and security testing. With proper course and laboratory material, universities should enable students to understand the theories and techniques as well as use effective tools for secure software development. Before this year, at Arizona State University (ASU), like many other universities, the Computer Science and

I. INTRODUCTION In this information era, information systems and networks often consist of software systems running on many interconnected computers with various capabilities, such as servers, desktops, laptops, PDAs, and even cell phones. In these systems, connectivity has become more important than ever before [1]. The pervasive connectivity has greatly enhanced our ability to fast share information and computing resources, but it has also greatly increased the chances for attackers to launch malicious attacks. The increasing complexity and extensibility of software systems further complicate the situation as they introduce more security breaches and make the information systems more vulnerable to failures and...
tracking img