The Growing Demand for Software Assurance
Varied opportunities available for experienced software professionals
BY TOM HILBURN AND NANCY MEAD
As computing professionals, we know the critical and central role software plays in our lives and work. The size and complexity of programs continue to grow, as well as the number of their application domains. Unfortunately, there are often serious problems in software dependability, with issues of availability, reliability, safety, and security. The extensive use of the Internet and distributed computing has made software security an increasingly prominent and serious problem.
Software systems contain errors and vulnerabilities; and they are regularly subject to attack and compromise, with potentially severe consequences for organizations and individuals. Reports about viruses, denial of service, password hacking, and corruption of programs and data are common.
The field of software assurance deals with helping to assure that software systems carry out their intended purpose; in particular, it deals with ensuring that software is secure. For the purpose of this article, we use the following definition of software assurance:
Application of technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures .
Software assurance professional roles
The Occupational Outlook Handbook, 2010-11 Edition (Bureau of Labor Statistics)  highlights the increased need, in the coming decade, for software engineers with software assurance capabilities. The handbook states, "Concerns over ‘cyber security' should result in the continued investment in software that protects computer networks and electronic infrastructure. The expansion of this technology over the next 10 years will lead to an increased need for software engineers to design and develop secure applications and systems, and to integrate them into older systems."
Specialists in software assurance can play almost any role in the software development life cycle: as a requirements engineer, a software architect or module designer, a programmer, a test engineer, a quality assurance engineer, a project manager, or a role in software maintenance, operation, or acquisition. To serve in such roles, software engineers need to possess one or more of the following competencies:
• The ability to incorporate assurance technologies and methods into life-cycle processes and development models for new or evolutionary system development and for system or service acquisition
• The ability to perform risk analysis and tradeoff assessment and to prioritize security measures
• The ability to analyze and validate the effectiveness of assurance operations and create auditable evidence of security measures
• The ability to make a business case for software assurance, lead assurance efforts, understand standards, comply with regulations, plan for business continuity, and keep current in security technologies
• The ability to incorporate effective security technologies and methods into new and existing systems
• The ability to verify new and existing software system functionality for conformance to requirements and to help identify malicious content
• The ability to monitor and assess system operational security and respond to new threats.
Building a software assurance career
As one might expect, a career in software assurance requires software engineering knowledge, experience, and some degree of capability as described in the above competencies list. Unfortunately, there are too few experienced professionals with the breadth and depth of software assurance that is needed to meet today's security challenges.
Recognizing these realities, the US Department of Homeland Security (DHS) National Cyber Security Division (NCSD) enlisted the resources of the Software Engineering Institute (SEI) at Carnegie Mellon University to develop curriculum materials in software assurance and define strategies to implement it. A team of SEI software security professionals and academicians has developed a master's reference curriculum in software assurance  that includes preparation in all the above competencies. Details about the curriculum and other materials [3, 4, 5] are available at http://www.cert.org/mswa/.
The following are some of the principal features of the reference curriculum:
• The curriculum is based on a set of outcomes, including the competencies listed in the previous section. These outcomes are based on research and study of industry needs, other software development curricula, and the latest developments in software security engineering.
• The curriculum specifies recommended preparatory knowledge in computing fundamentals, software engineering, and security engineering.
• The curriculum outcomes are expanded into a detailed body of knowledge that describes the curriculum content.
• A set of course syllabi are included, which embody the curriculum outcomes and cover the body of knowledge.
Schools that have integrated software assurance into course offerings include Carnegie Mellon University, Stevens Institute of Technology, University of Detroit Mercy, and University of Houston. The US Air Force Academy and Rochester Institute of Technology are in the process of integrating topics. We believe that completing a graduate program based on such a curriculum, along with appropriate experience and practice in applying the software assurance principles, methods, and tools, is an excellent way to advance one's career in software assurance. However, even if pursuing a graduate program is not feasible, we believe that a careful study of the reference curriculum can provide guidance and direction on how to progress in this field.
Another activity supporting software assurance professional advancement is an effort by the IEEE Computer Society, through its Education Activities Board, to develop a series of training and education products, primarily for the benefit of experienced software developers who wish to expand their expertise into the field of software security. Development has begun on a set of secure software development courses. The five-course series will examine topics such as the development of secure software requirements; secure software architecture; testing secure software; implementing secure software, and the management of secure software. The courses will begin coming online in the latter part of 2012, with all five available by mid-2013. CW
(10 April, 2012. Julia Allen, Mark Ardis, Beth Hawthorne, Andrew Kornecki, and Carol Sledge also contributed to this article. Part II will explore transitioning into a software assurance career.)
 Mead, N. R., et al, Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum (CMU/SEI-2010-TR-005/ESD-TR-2010-005). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
 Occupational Outlook Handbook, 2010-11 Edition, Bureau of Labor Statistics, (http://www.bls.gov/oco/ accessed 12/14/2011)
 Mead, N. R., et al, Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines (CMU/SEI-2010-TR-019, ESC-TR-2010-019), Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
 Mead, N. R., et al, Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi (CMU/SEI-2011-TR-013, ESC-TR-2011-013), Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
 Mead, N. R., et al, Software Assurance Curriculum Project Volume IV: Community College Education (CMU/SEI-2011-TR-017, ESC-TR-2011-017), Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.