Development of a Master of Software Assurance Reference Curriculum

Development of a Master of Software Assurance Reference Curriculum

Nancy R. Mead, Julia H. Allen, Mark Ardis, Thomas B. Hilburn, Andrew J. Kornecki, Rick Linger, James McDonald
Copyright: © 2010 |Pages: 17
DOI: 10.4018/jsse.2010100102
(Individual Articles)
No Current Special Offers


Modern society is deeply and irreversibly dependent on software systems of remarkable scope and complexity in areas that are essential for preserving this way of life. The security and correct functioning of these systems are vital. Recognizing these realities, the U. S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) enlisted the resources of the Software Engineering Institute at Carnegie Mellon University to develop a curriculum for a Master of Software Assurance degree program and define transition strategies for implementation. In this article, the authors present an overview of the Master of Software Assurance curriculum project, including its history, student prerequisites and outcomes, a core body of knowledge, and curriculum architecture from which to create such a degree program. The authors also provide suggestions for implementing a Master of Software Assurance program.
Article Preview


As is typical in a project of this nature, a good bit of time is spent deciding how to tackle the project. The team members all had expertise in software engineering. In addition, some had experience in curriculum design, software assurance, or both. However, many decisions had to be made at the outset to get the project off the ground. One of our challenges was to decide how we would operate as a team with members in geographically dispersed locations. Not all of the team members had worked together before, but we quickly coalesced into an effective unit. For the most part, we held weekly telecoms, and occasional face-to-face work sessions when we needed a concentrated block of time. This worked remarkably well.

At the outset, we needed to define software assurance, examine recent curriculum and body of knowledge efforts to see which ones would apply, identify the audience for our work, and highlight ways in which our work was unique.

One of our first tasks was to examine existing definitions of software assurance, select a candidate definition from the literature, and assess whether it met our needs. Initially we selected the definition of the Committee on National Security Systems, as this definition was in wide use and used by our Department of Homeland Security sponsor:

Software assurance (SwA) is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. (Committee on National Security Systems, 2009)

As we got further into the project, we found that the definition needed to be extended slightly for our purposes:

Software assurance (SwA) is the application of technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures (Mead et al., 2010a).

The extended definition emphasizes the importance of both technologies and processes in software assurance, notes that computing capabilities may be acquired through services as well as new development, acknowledges the need for correct functionality, recognizes that security capabilities must be appropriate to the threat environment, and identifies recovery from intrusions and failures as an important capability for organizational continuity and survival.

After examining the earlier Master of Software Engineering curriculum documents (Ardis & Ford, 1989; Ford, 1991), we concluded that the Graduate Software Engineering 2009 (GSwE2009) Curriculum Guidelines for Graduate Degree Programs in Software Engineering (Pyster, 2009) was the most relevant recent curriculum work to build on. We also drew on work done by Carnegie Mellon University’s Software Engineering Institute in support of the U.S. Department of Homeland Security Build Security In website (DHS, 2010a). We found that both the Software Assurance Curriculum Body of Knowledge (SwACBK) (DHS, 2010b) and the SWEBOK (IEEE-CS, 2004) were relevant as well.

We then considered the audience, and quickly concluded that the primary audience for the MSwA2010 curriculum is faculty who are responsible for designing, developing, and maintaining graduate programs that have a focus on software assurance knowledge and practices. However, we expect that the document will be read by other educators and trainers with an interest in this area, as well as industry and government executives and practitioners.

Finally, we identified what was different about this curriculum compared to traditional software engineering and computer science programs. Areas of special emphasis and unique properties that distinguish this curriculum (shown in italics) from others are the following:

  • • software and services

  • • development and acquisition

  • security and correct functionality

  • software analytics

  • system operations

  • auditable evidence

  • organizational continuity

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing