Asee peer logo

Integrating Secure Development Practices Into A Software Engineering Course

Download Paper |

Conference

2006 Annual Conference & Exposition

Location

Chicago, Illinois

Publication Date

June 18, 2006

Start Date

June 18, 2006

End Date

June 21, 2006

ISSN

2153-5965

Conference Session

Software Engineering Teaching Methods and Practice

Tagged Division

Software Engineering Constituent Committee

Page Count

11

Page Numbers

11.792.1 - 11.792.11

DOI

10.18260/1-2--1339

Permanent URL

https://peer.asee.org/1339

Download Count

121

Request a correction

Paper Authors

biography

James Walden Northern Kentucky University

visit author page

Dr. James Walden received his Ph.D. from Carnegie Mellon University in 1997. He worked at Intel Corporation as a software engineer, with a focus on security sensitive applications, before becoming a Visiting Professor of Computer Science and Engineering at the University of Toledo in 2003. He is a member of the computer science faculty at Northern Kentucky University.

Dr. Walden has taught software engineering and computer security to both undergraduate and graduate students. His research interests focus on both of those subjects and particularly their intersection: software security, the science and engineering of designing, implementing, and testing secure software systems.

visit author page

biography

Rose Shumba Indiana University of Pennsylvania

visit author page

Dr. Rose Shumba received her Ph.D. from Birmingham University in 1995. She is a professor in the department of computer science at Indiana University of Pennsylvania, where she teaches courses in both computer security and software engineering.

visit author page

Download Paper |

Abstract
NOTE: The first page of text has been automatically extracted and included below in lieu of an abstract

Integrating Secure Development Practices into a Software Engineering Course

Abstract

Many security incidents arise from flaws in the code or design of software systems. CERT reported over 5000 software vulnerabilities in 2005. These vulnerabilities are the result of inadequate con- sideration of security during the development process. However, typical software engineering courses and textbooks do not address security issues. In response to this problem, software engi- neering courses with an integrated coverage of security have been introduced at two universities. Information security has been integrated into every phase of the software life-cycle. Teams in both courses developed web application software, requiring them to address common web application security issues such as access control and injection flaws. Students have come out of the courses with a better appreciation of the need for software security and a basic understanding of how to develop secure software. However, finding the time required to cover software security effectively remains a considerable challenge, especially as both institutions only offer a single semester of software engineering.

Introduction

Application software has become highly interconnected as the Internet and wireless networking have grown in importance. While security flaws were previously exposed only to users sitting in front of the computer, the Internet allows attackers from around the world to exploit security vulnerabilities in networked applications. Even embedded systems like cell phones are vulnerable to remote attacks.1 This increased exposure to attack has greatly increased the importance of software security. CERT reported over 5000 software vulnerabilities in 2005.2 These flaws result from inade- quate consideration of security during requirements analysis, design, implementation, and testing of software systems. This lack of consideration is often the result of security being viewed as an add-on feature. This viewpoint typically leads to the “penetrate-and-patch” methodology, where security issues are dealt with by issuing a patch after the software product has been released. The scale of this problem results from the fact that many developers aren’t aware of the im- portance of security or don’t know how to build secure applications. Typical software engineering courses and textbooks pay little attention to security issues. In order to significantly reduce the number of vulnerabilities, security must be taught as part of the foundation of the development process in the software engineering curriculum. Software engineering courses with an integrated coverage of security have been introduced at two universities. Security issues have been integrated into every phase of the software life-cycle from requirements through testing. Both approaches use a threat model to document and drive security concerns throughout the development process. Students analyze the risk of each threat documented in the threat model, then use the evaluations to design appropriate security measures such as access control and encryption. Implementation is guided by checklists and verified with code reviews. Finally, students test their systems against the threats they’ve analyzed to verify their software’s security properties.

Walden, J., & Shumba, R. (2006, June), Integrating Secure Development Practices Into A Software Engineering Course Paper presented at 2006 Annual Conference & Exposition, Chicago, Illinois. 10.18260/1-2--1339

ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2006 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015