June 18, 2006
June 18, 2006
June 21, 2006
Software Engineering Constituent Committee
11.792.1 - 11.792.11
Integrating Secure Development Practices into a Software Engineering Course
Many security incidents arise from flaws in the code or design of software systems. CERT reported over 5000 software vulnerabilities in 2005. These vulnerabilities are the result of inadequate consideration of security during the development process. However, typical software engineering courses and textbooks do not address security issues. In response to this problem, software engineering courses with an integrated coverage of security have been introduced at two universities. Information security has been integrated into every phase of the software life-cycle. Teams in both courses developed web application software, requiring them to address common web application security issues such as access control and injection flaws. Students have come out of the courses with a better appreciation of the need for software security and a basic understanding of how to develop secure software. However, finding the time required to cover software security effectively remains a considerable challenge, especially as both institutions only offer a single semester of software engineering.
Application software has become highly interconnected as the Internet and wireless networking have grown in importance. While security flaws were previously exposed only to users sitting in front of the computer, the Internet allows attackers from around the world to exploit security vulnerabilities in networked applications. Even embedded systems like cell phones are vulnerable to remote attacks.[1] This increased exposure to attack has greatly increased the importance of software security.
CERT reported over 5000 software vulnerabilities in 2005.[2] These flaws result from inadequate consideration of security during requirements analysis, design, implementation, and testing of software systems. This lack of consideration is often the result of security being viewed as an add-on feature. This viewpoint typically leads to the “penetrate-and-patch” methodology, where security issues are dealt with by issuing a patch after the software product has been released.
The scale of this problem results from the fact that many developers aren’t aware of the importance of security or don’t know how to build secure applications. Typical software engineering courses and textbooks pay little attention to security issues. In order to significantly reduce the number of vulnerabilities, security must be taught as part of the foundation of the development process in the software engineering curriculum.
Software engineering courses with an integrated coverage of security have been introduced at two universities. Security issues have been integrated into every phase of the software life-cycle from requirements through testing. Both approaches use a threat model to document and drive security concerns throughout the development process. Students analyze the risk of each threat documented in the threat model, then use the evaluations to design appropriate security measures such as access control and encryption. Implementation is guided by checklists and verified with code reviews. Finally, students test their systems against the threats they’ve analyzed to verify their software’s security properties.
Walden, J., & Shumba, R. (2006, June), Integrating Secure Development Practices Into A Software Engineering Course. Paper presented at 2006 Annual Conference & Exposition, Chicago, Illinois. 10.18260/1-2--1339
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2006 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015