Transitioning from Software to Software Assurance
Options include certifications, college classes, and on-the-job training
By NANCY MEAD, JULIA ALLEN, AND BETH HAWTHORNE
If you’re an experienced software developer, how can you change or shift your career in the direction of software assurance to take advantage of the growing need for professionals in this area?
One approach is to attend a college program. Community colleges can provide preparation, such as that described in a Software Engineering Institute report [2]. Although the students attending community colleges are quite diverse, the courses outlined in the report are intended to give students fundamental skills for continuing with undergraduate-level education, or to provide supplementary education for students with prior undergraduate technical degrees who wish to become more specialized in software assurance.
The report outlines an appropriate selection of courses for a software assurance specialty that includes Computer Science I, II, and III and more specialized courses such as Introduction to Computer Security, Secure Coding, and Introduction to Assured Software Engineering. These are not intended to be an exhaustive list of possible courses but rather a set of courses that could reasonably be taken by students wishing to pursue further education in software assurance.
Some may want to attend a four-year program. Carnegie Mellon University, Stevens Institute of Technology, University of Detroit Mercy, and University of Houston have incorporated software assurance into their academic programs. The US Air Force Academy and Rochester Institute of Technology are doing the same, and others will in the future.
Software security training and certification
Several reputable organizations offer software security training, though most courses and certifications focus on secure coding with minimal treatment of earlier life-cycle phases (ISC2 is the exception). Software engineers interested in expanding their skill sets to include software assurance and security may want to consider courses from these organizations:
• SANS software security courses include Web application security, secure coding, software security testing, application penetration testing, and ethical hacking as well as language-specific secure software development training. SANS courses help you prepare to become a Global Information Assurance Certification (GIAC) secure software programmer (GSSP) in Java, .NET, and C.
• Courses offered by the Electronic Commerce (EC) Council include preparation to become a Certified Secure Programmer and Certified Secure Application Developer. These certifications are intended for programmers responsible for designing and building secure Windows and web-based applications in .NET and Java.
• The International Information Systems Security Certification Consortium (ISC2) offers both in-person and online seminars to prepare for certification as an ISC2 Certified Secure Software Lifecycle Professional (CSSLP). Courses cover secure software concepts, requirements, design, implementation/coding, testing, acceptance, deployment, operations, maintenance, and disposal.
• The CERT® Program at Carnegie Mellon University’s Software Engineering Institute offers a four-day course in Secure Coding in C and C++ that includes a detailed explanation of common programming errors in C and C++ that can lead to software vulnerabilities.
If you would like to work on your own to gain skills needed to develop more secure software, there are reputable guidelines describing software security practices. Many of these guidelines cover the entire SDLC:
• The Building Security In Maturity Model (BSIMM) describes 12 practices organized into four domains: governance, intelligence, SSDL (secure software development lifecycle) touchpoints, and deployment. It was created by observing and analyzing real-world data from 42 leading software security initiatives.
• Microsoft’s Security Development Lifecycle (SDL) is a software development and security assurance process consisting of security practices grouped into seven phases: training, requirements, design, implementation, verification, release, and response.
• The Software Assurance Forum for Excellence in Code's (SAFECode) Fundamental Practices for Secure Software Development, 2nd Edition [3] provides a set of secure development practices that have been effective in improving software security in real-world implementations by the eight SAFECode members across their diverse development environments.
• The Open Web Application Security Project’s (OWASP) Software Assurance Maturity Model (SAMM) describes 12 practices organized into four domains: governance, construction, verification, and deployment. Parts of the SAMM were one basis for BSIMM, thus the similarities in structure and coverage.
• Carnegie Mellon University Software Engineering Institute’s Master of Software Assurance Reference Curriculum [4] provides guidelines for a well-rounded education on key security and assurance topics, including assurance across life cycles, risk management, assurance assessment, assurance management, system security assurance, system functionality assurance, and system operational assurance.
• Security Quality Requirements Engineering (SQUARE) method instructional materials provide a set of 5 lectures with notes, a tutorial, and workshop materials that describe how to consider software security issues as software requirements are being developed.
Another effective approach is to work with a small team of like-minded software engineers and developers in your organization to jump-start a software security effort. Some first steps to consider include
• inviting software security experts to give a series of brown bag lunch presentations and demonstrations
• experimenting with running static analysis tools on existing code to see what vulnerabilities they identify and investigating their root causes. Some tools may enable you to identify the life-cycle phase where the vulnerability-inducing defects were inserted and the limitations in your current process that allowed them to escape into a later life-cycle phase
• volunteering to work with your IT operations staff on incidents caused by exploitation of vulnerabilities with a root cause in software development, and identifying what software security practices may have allowed them to be found and mitigated.
Training offered by professional societies
As part of its mission to support the needs of those in the computing industry, the IEEE Computer Society has developed a number of education and training products for its members (see www.ieee-elearning.org). The IEEE Computer Society is developing a series of courses primarily for experienced software developers who wish to expand their expertise into the field of software security. The Computer Society courses will examine subjects such as the development of secure software requirements, secure software architecture, testing secure software, implementing secure software, and the management of secure software. The course series will be based on the IEEE Computer Society Guide to the Software Engineering Body of Knowledge (SWEBOK) [5] and will trace the life cycle of software development from the perspective of software security in an insecure world. Courses will begin coming online in the latter part of 2012, with all five available by mid-2013.
In addition to the software assurance curriculum initiatives [2, 4], the “on the job” training sources cited above, and the IEEE Computer Society security courses, there are many other resources that support software assurance careers. Here are some examples:
• The Association for Computing Machinery (ACM) offers a set of software security courses on a variety of topics, such as Forensics Start to Finish, Firewall and Intrusion Detection, and Attacks and Security.
• IEEE Computer Society’s Technical Committee on Security and Privacy sponsors two annual symposia: one on Security and Privacy and one on Computer Security Foundations.
• There are a number of publications by the ACM, the IEEE, the Association for Information Systems (AIS), and other professional organizations that present current information on software assurance theory and practice (e.g., IEEE Systems Journal Special Issue on Security and Privacy in Complex Systems, 2012).
Specialists in software assurance can play almost any role in the software development life cycle. They can be requirements engineers, software architects or module designers, programmers, test engineers, or quality assurance engineers. They can be project managers or play a role in software maintenance, operation, or acquisition.
[1] Occupational Outlook Handbook, 2010-11 Edition, Bureau of Labor Statistics. (http://www.bls.gov/oco/ accessed 12/14/2011)
[2] Mead, N. R., et al., Software Assurance Curriculum Project Volume IV: Community College Education (CMU/SEI-2011-TR-017, ESC-TR-2011-017). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
[3] Simpson, Stacy, editor, Fundamental Practices for Secure Software Development, 2nd ed. SAFECode, 2011. (http://www.safecode.org/publications/safecode_dev_practices0211.pdf accessed 2/15/2012)
[4] Mead, N. R., et al., Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum (CMU/SEI-2010-TR-005/ESD-TR-2010-005). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
[5] Abran, Alain and Moore, James W., executive editors, Guide to the Software Engineering Body of Knowledge. Los Alamitos, CA: IEEE Computer Society, 2004.
(10 April, 2012. Mark Ardis, Tom Hilburn, Andrew Kornecki, Remzi Seker, and Carol Sledge contributed to this article.)