Development and Transition of the SEI Software Assurance Curriculum

https://www.sei.cmu.edu/about/divisions/software-solutions-division/

Posted: July 13, 2017 | By: Dr. Carol C. Woody, Nancy R. Mead

Collaboration Between the SEI and SPAWAR SD

SPAWAR in San Diego contacted the SEI to discuss their interest in in-house training. Their ultimate goal was to develop and acquire software that was better able to resist cyber attacks. After several conversations and meetings, and a review of the SwA curriculum work, SPAWAR SD concluded that their needs could best be served by modifying and delivering the existing Assured Software Development I course. This course delivered the fundamentals of incorporating assurance practices, methods, and technologies into software development and acquisition lifecycle processes and models, and provided rigorous methods for software assurance requirements engineering in support of development and acquisition; using threat identification, characterization, and modeling; performing assurance risk assessment; and evaluating misuse/abuse cases.

The materials that were intended to support a one-semester academic course would be modified and compressed into a two-week workshop offering. Support for SPAWAR sponsorship of this activity was obtained, and the work was executed over a six-month period, culminating in a workshop offered at SPAWAR SD in August 2016. The attendees were technical leaders and in-house instructors at SPAWAR SD, and the full set of workshop materials was provided for their internal use in training.

After joint review of the materials, it was decided that some of the theoretical research topics needed for an academic audience would not be useful to SPAWAR practitioners, so these were replaced with SEI materials intended for immediate use. In addition, videos from the SEI’s online courses were provided as part of the package for SPAWAR staff to use as collateral material.

Class participants were connected to all aspects of the SPAWAR acquisition and development lifecycle, including development, project management, quality control, enterprise and software assurance, supply chain coordination, and testing. This broad base allowed class discussions to cover all aspects of current software assurance and security practices and to identify key opportunities for improvement in applying the course lessons. Class content was a mix of lectures, selected videos, case studies, and discussion.

The results for SPAWAR were immediate:

  • Class participants identified 10 immediate actions that they could take to improve existing practices for SwA.
  • Class discussions generated five pages of ideas for additional SwA improvements.
  • Partnerships among participating disciplines were established with plans for a more integrated approach.
  • Analysis of available evidence provided a prioritized list of where SPAWAR needed to focus immediate attention.
  • SPAWAR management, in their review of the project, confirmed the success of the engagement as excellent in timeliness, quality, and value.
