Addressing the Shortfall of Secure Software Developers through Community College Education
The (ISC)2 Global Information Security Workforce Study (GISWS) forecasts a shortfall of 1.5 million cybersecurity professionals by 2020. Government sources also project critical shortages of cybersecurity professionals. This predicted shortfall is troubling because the growing number and sophistication of cyber attacks threatens our infrastructure, which is increasingly software dependent. This blog post--derived from the paper Meeting Industry Needs for Secure Software Development, which I coauthored with Girish Seshagiri and Julie Howar--describes a collaboration involving industry, government, and academia to address this shortfall by developing a two-year degree program at a community college in secure software development.
SEI's Software Assurance Curriculum
The federal government is facing a shortage of cybersecurity professionals that puts our national security at risk, according to recent research. "As cyber attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training, and hiring these cybersecurity professionals takes time," the research states.
The growing number of cyber attacks represents a pervasive threat to critical infrastructure and other essential software-dependent systems. Defective software is insecure and a source of cybersecurity vulnerabilities that attackers exploit. We can no longer assume that software defects will be found and fixed once a product has been delivered.
In September 2013, Girish Seshagiri met with industry, government, and academic stakeholders in Peoria, Illinois, and proposed an initiative to create software developer jobs and make the Peoria area a national center of excellence for producing software that is secure from cyber attacks. He proposed using the German apprenticeship model to create a skilled workforce that is trained, apprenticed, mentored, and certified in secure software production. The initiative would partner with the school districts to encourage graduating high school seniors to pursue software development careers in the Peoria area. Seshagiri contacted me and I proposed applying the SEI's Software Assurance Curriculum recommendations for community colleges to ensure a more skilled workforce.
As described in a recent blog post, the SEI's Software Assurance Curriculum Project developed a series of software assurance curriculum recommendations, along with a software assurance competency model, and numerous additional educational resources and artifacts. A number of universities and training organizations have adapted various aspects of the SEI's curriculum work. Courses and tracks based on the curriculum recommendations have been developed and offered by Carnegie Mellon University, Stevens Institute of Technology, The U.S. Air Force Academy, University of Detroit Mercy, University of Houston, and (ISC)2. In addition, the Polytechnic University of Madrid designed a Master of Software Assurance degree program based on the SEI's recommendations.
Seshagiri's proposal resulted in implementing the SEI's recommendations at the community college level. As part of this effort, Seshagiri partnered with the Central Illinois Center of Excellence for Secure Software (CICESS) and Illinois Central College (ICC) to develop a two-year degree program in secure software development, incorporating the German apprenticeship model. Illinois Central College has been pleased with the success of the program, which now is in its second year. In 2015 there was an initial cohort of 20 students, and in Fall 2016, a second cohort of 30 students.
Seshagiri's goal is to implement similar programs across the United States. The U.S. Department of Labor is supportive of the apprenticeship model. Other community colleges have made inquiries about implementing the program, and, of course, our goal at the SEI is to transition our SwA curriculum recommendations into degree program offerings.
The Case for the German Apprenticeship Model
In many countries, including the United States, there is a mismatch between the kinds of jobs offered and the qualification profiles that job seekers attain from college education. This mismatch, known as the "skills gap," is large and has significant adverse consequences for employers and job seekers alike.
Over the last several decades, the German dual model has successfully helped match jobs and skills. Dual apprenticeship programs are popular not only in Germany, but also in Switzerland, Austria, and several other European countries. In this context, dual means that theoretical training in a vocational school is complemented by relevant practical training and experience at a partnering company. The apprentices receive a salary as they gain work-related skills.
Apprenticeships allow businesses to meet the growing demand for skilled workers and lead workers to higher wages and better employment outcomes. Moreover, apprenticeships are a smart public investment. A recent study in Washington State found that for every dollar in state investment in apprenticeships, taxpayers received $23 in net benefits--a return that far exceeds that of any other workforce-training program in the state.
One of the key elements to the success of the software assurance curriculum project is that it had already identified a set of courses to support such a program at the community college level. In 2012, under my leadership of the SEI's software assurance curriculum project, a suite of six courses was proposed that could form part of a two-year degree program in software assurance. The first three courses modify existing courses from the Association for Computing Machinery Committee for Computing Education in Community Colleges (ACM CCECC) to add a security emphasis. The other three courses are more specialized. In the report, we include prerequisites, syllabi, sources, and Bloom's taxonomy levels for each course:
- Computer Science I--This course is the first in a three-course sequence that provides students with a foundation in computer science. Students develop fundamental programming skills using a programming language that supports an object-oriented approach, secure coding awareness, human-computer interactions, and social responsibility.
- Computer Science II--This course is the second in a three-course sequence that provides students with a foundation in computer science. Students develop intermediate programming skills using a programming language that supports an object-oriented approach, with an emphasis on algorithms, software development, secure coding techniques, and ethical conduct.
- Computer Science III--This course is the third in a three-course sequence that provides students with a foundation in computer science. Students develop advanced programming skills using a programming language that supports an object-oriented approach, with an emphasis on data structures, algorithmic analysis, software engineering principles, software assurance checklists, and professionalism.
- Introduction to Computer Security--This course provides an overview of the fundamentals of computer security. Topics include security standards, policies, and best practices; principles, mechanisms, and implementation of computer security and data protection; security policy, encryption, and authentication; access control and integrity models and mechanisms; network security; secure systems; programming and vulnerabilities analysis; principles of ethical and professional behavior; regulatory compliance and legal issues; information assurance; risk management and threat assessment; business continuity and disaster recovery planning; and security across the lifecycle.
- Secure Coding--This course covers security vulnerabilities of programming in weakly typed languages like C and in more modern languages like Java. Common weaknesses exploited by attackers are discussed, as well as mitigation strategies to prevent those weaknesses. Students practice programming and analysis of software systems through testing and static analysis. Topics covered include methods for preventing unauthorized access or manipulation of data, input validation and user authentication, memory management issues related to overflow and corruption, misuse of strings and pointers, and inter-process communication vulnerabilities.
- Introduction to Assured Software Engineering--This course covers the basic principles and concepts of assured software engineering; system requirements; secure programming in the large; modeling and testing; object-oriented analysis and design using the unified modeling language (UML); design patterns; frameworks and application programming interfaces (APIs); client-server architecture; user interface technology; and the analysis, design, and programming of extensible software systems.
ICC in East Peoria, Illinois, is a comprehensive community college in the Illinois Community College system. The school has a close working relationship with many local employers in central Illinois, particularly in the applied sciences. Its programs include automotive technology; heating, ventilation, and air conditioning (HVAC); welding; and diesel.
In the information systems programs at ICC, these partnerships usually come in the form of student internships and work-study opportunities at the college. Apprenticeship programs with the employers involved in the CICESS had not been considered in prior years.
ICC's information systems programs consist of three areas of study: science, web, and networking. Most of the students in the computer science programs are enrolled in one of the two Associate of Science (AS) transfer programs: computer science with a technical emphasis or computer science with a business emphasis. These were the programs first presented to the CICESS as an option for students to achieve their two-year degree prior to transferring to a four-year institution.
The employers involved with the CICESS were struggling to define the point at which a student would be prepared to work as an apprentice. In a traditional apprenticeship program, students are employable from the beginning of their training and become more productive and able to work autonomously as time goes on. Because of the nature of computer programming work, these knowledge-management apprentices would be exposed to information of a much more sensitive nature and would need an established set of skills before starting.
A typical Associate of Science transfer degree requires students to take general education classes in English, communication, math, science, and the social sciences. Technical courses in their field of study are included, but only to a limited degree. A typical computer science student would graduate in two years with only six to nine credit hours in computer science. The employers involved with the CICESS needed student apprentices who could program after the first semester of classes.
ICC faculty presented the option of the Associate of Applied Science (AAS) degree, in which students would take approximately 42 credit hours of technical computer science and database courses and only 18 credit hours in general education. ICC had an existing AAS degree in computer science and database development that seemed to fit employer needs more closely. The goal of the CICESS was to provide apprenticeships in secure software development, however, so the existing curriculum needed to include concepts relating to computer security and software assurance.
At this point the ICC faculty members began integrating the SEI Software Assurance (SwA) curriculum with their own. The SwA curriculum recommendations for community colleges consisted of the six courses described earlier. ICC faculty consulted with employers to determine which courses were needed in addition to the SEI-recommended SwA courses.
Employers felt that students needed a good foundation in SQL, C#, and mobile applications in addition to the programming and security courses. In addition to 19 hours of general education courses, the new AAS degree in secure software development consists of the following program requirements:
In the fall of 2015, the first class of 20 students began taking courses in ICC's secure software development program. Of that initial group of students, 12 are currently enrolled in apprenticeship programs with various employers.
Lessons Learned and Looking Ahead
As a new group of 30 students prepares to begin classes at ICC this fall, we have identified some areas where we can improve our program. First and foremost, access to executives is needed to secure a commitment to a program of this type. CICESS expected that it would be easier to get support from large employers than small or mid-size employers, but that turned out not to be the case. To address this issue, we realized that more access to decision makers at employers was needed, including
- human resource executives
- chief information officers
- chief information security officers
Another lesson learned was that a clear, strong message and a timeline need to be communicated to, and understood by, the employers as they go through the hiring process.
Not all companies and organizations are interested in the same sequence of courses. One of the largest roadblocks CICESS encountered in recruiting employers is that the ICC program is taught with Java as the primary language, which did not meet their needs. We need to look at alternatives going forward. For example, more .NET courses and PHP could be offered by ICC.
CICESS is also working to convene a meeting of the Community College Consortium to develop an action plan for a fall 2016 launch in other Illinois locations to begin statewide scaling up of CICESS apprenticeships.
We also realized some unexpected bonuses:
- We were pleased with the caliber of the cohort in terms of positive attitude, motivation, and work readiness.
- We received moral support and participation in our meetings from representatives of many organizations, including Department of Homeland Security, Department of Labor, National Institute for Standards & Technology, National Security Agency, and (ISC)2.
- The apprenticeship program and the CICESS partnership are gaining membership and interest from businesses in the Peoria area. Some of those same organizations and others plan to send current employees to ICC to brush up their skills in secure software development. ICC is developing a certificate program to answer this need.
We welcome your feedback on this work in the comments section below.
Read the paper Meeting Industry Needs for Secure Software Development.