icon-carat-right menu search cmu-wordmark

CERT Cybersecurity Engineering and Software Assurance Professional Certificate

Software-reliant systems are acquired, built, deployed, and maintained through a coordinated set of activities referred to as a lifecycle. When implementing software-reliant systems, desired capabilities and performance parameters have historically received much more attention-and funding-than requirements for quality attributes. Yet quality attributes such as security, reliability, and adaptability largely determine a system's suitability for use in its target environment.

In the case of defense and critical infrastructure systems--or for any software-reliant networked system--this target environment includes a highly contested cyberspace. All but the simplest deployed systems are networked and therefore interact with many other systems, some of which are not trustworthy. The environment continually changes, with new systems joining and existing systems evolving. Systems that aren't designed, operated, and sustained with security in mind provide fertile ground for adversaries to insert and exploit vulnerabilities and malicious code, compromising critical mission operations. Consequences may include billions in unforeseen costs, mission failure, exposed sensitive data, destruction of property, and even loss of life.

The CERT Cybersecurity Engineering and Software Assurance Professional Certificate program targets software-reliant systems engineering and acquisition activities to infuse an awareness of cybersecurity and an approach to identifying security requirements, engineering risk, supply chain risk early in the lifecycle. To learn more about the CERT Cybersecurity Engineering and Software Assurance Professional Certificate, please see: CERT Cybersecurity Engineering and Software Assurance Professional Certificate

The CERT Cybersecurity Engineering and Software Assurance Professional Certificate program is comprised of the following five eLearning courses, which provide 15 hours of instruction and 16 exercise opportunities to apply and help each student hone an array of skills. After the learners complete the coursework, they take a cumulative examination, described below, to assess their understanding of the subject matter.

Software Assurance Methods in Support of Cybersecurity Engineering Course
This course introduces the CERT Cyber Security Engineering and Software Assurance curriculum and covers the areas critical to software assurance: security requirements, risk analysis, software supply chain assurance, mission thread analysis and measurement. This training will introduce managers, engineers and acquirers to the concepts and resources available now for their use to address software security assurance across the acquisition and development lifecycles.

SQUARE Workshop
This workshop provides (1) an overview of the popular techniques for identifying security requirements and (2) specific instructions about the Security Quality Requirements (SQUARE) Method. Identifying functional requirements, or end-user requirements, occurs early in the software development lifecycle; identifying security requirements occurs later in that lifecycle, if at all. To prevent and minimize security vulnerabilities, the SQUARE Method can be performed at the same time as functional requirements and security requirements are identified.

This workshop teaches the SQUARE Method through a series of guided exercises that apply the method's nine steps. The workshop includes the SQUARE Workshop Student Workbook, which explains each SQUARE step in detail and provides instructor guidance to reach the optimal solution.

This workshop presents five hours of instruction on security requirements engineering and the SQUARE Methodology. Students should prepare to spend an additional five hours performing the associated exercises. Additional resource materials are available for download with the course.

This course is also offered as instructor-led training at customer sites.

Security Engineering Risk Analysis (SERA) Tutorial
This tutorial describes the Security Engineering Risk Analysis (SERA) method, a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems across the lifecycle and supply chain. The majority of the most dangerous cybersecurity weaknesses are related to system design. The SERA method focuses on addressing these design weaknesses as early in the lifecycle as possible; doing so corrects those weaknesses before the system is deployed.

This tutorial teaches the SERA method as applied to software engineering and guides the student to perform each activity as it relates to the analysis. Through a series of exercises in the accompanying SERA Tutorial Workbook, students perform the SERA method to the acquisition of a critical emergency system.

The tutorial presents two hours of video instruction related to the SERA method. Students should prepare to spend an additional two hours performing the tutorial exercises.

Supply Chain Risk Management Course
Most organizations purchase products and services that become part of their hardware, service, and software supply chain; consequently, they inherit cybersecurity risks from these third-party components. Organizations must use sound supply chain risk management processes and practices to address the growing concern of these inherited cybersecurity risks.

This course explores the complex, multi-layered information and communication technologies that are related to an organization's supply chain and focuses specifically on the software supply chain. A critical early step in addressing supply chain cybersecurity is for organizations to develop an acquisition strategy that defines supply-chain-related actions.

This course presents one and a half hours of instruction on effective acquisition security risk management and explores three cases that illustrate a variety of supply chain relationships and vulnerabilities.

Advanced Threat Modeling Course
In this course, students take a deep dive into the threat modeling techniques that were introduced as part of risk assessment in the SQUARE Workshop. In this Advanced Threat Modeling course, the STRIDE Methodology is expanded, and three additional threat modeling techniques are taught, including the most recently developed threat modeling method.

This course presents two hours and 20 minutes of instruction and four exercises that apply the threat modeling methods in different scenarios. The course includes the Advanced Threat Modeling Student Workbook, which provides step-by-step instructions for applying the threat models and instructor guidance to lead to an optimal solution.

CERT Cybersecurity Engineering and Software Assurance Professional Certificate Examination
This examination provides an objective validation of the student's knowledge and understanding of the cybersecurity engineering, risk management, and threat modeling concepts presented in the required courses. The examination consists of 58 multiple choice questions. Students proceed through the examination at their convenience over four hours. Students must achieve a passing score of 80%.

Students must successfully complete all program components to earn the CERT Cybersecurity Engineering and Software Assurance Professional Certificate.

Audience

  • Software acquirers and developers
  • Software and system assurance managers
  • Systems engineers
  • Software engineers

Objectives

Objectives for each course and the program examination are described below.

Software Assurance Methods in Support of Cybersecurity Engineering Course

  • introduces methods to support cybersecurity in the context of current software realities, the software landscape, and principles of software assurance
  • explains the cybersecurity lifecycle in relation to requirements engineering, assured design, assured software development, and software quality models
  • discusses mission assurance and introduce the Security Engineering Risk Analysis
  • applies software assurance to acquisition and supply chain risk management
  • introduces metrics used with software assurance and under research
  • prepares the student for deeper learning in security risk analysis, security requirements engineering, supply chain risk management, and threat analysis

SQUARE Workshop

  • explains the challenges of security requirements engineering
  • teaches how to identify security requirements
  • explores how identification methods for functional requirements may not work for security requirements
  • introduces methods of security risk analysis, security requirements elicitation, and security requirements identification
  • explains the SQUARE method for security requirements engineering

Security Engineering Risk Analysis (SERA) Tutorial

  • reviews risk management concepts as applied to software engineering and systems engineering
  • explains the SERA method of risk analysis as applied to software engineering
  • applies the SERA steps to a realistic system acquisition scenario
  • builds skills in identifying and addressing cybersecurity weakness in the design phase of the development lifecycle

Supply Chain Risk Management Course

  • identifies gaps in current supply chain risk management
  • explores different types of supply chain relationships
  • guides the development an acquisition strategy to drive supply chain structure

Advanced Threat Modeling Course

  • explains the role of threat modeling in the security development lifecycle
  • helps students learn how to apply the four threat models to a system
  • explains how to assess new threat modeling methods to apply in a system environment

Topics

  • Software Assurance for Development
  • Mission Assurance
  • Software Assurance Risk Metrics
  • Security Requirements Risk Analysis (SERA) for Mission Assurance
  • Security Quality Requirements (SQUARE) Analysis for Development
  • Software Assurance for Acquisition
  • Security Quality Requirements (SQUARE) Analysis for Acquisition
  • Software Supply Chain Risk Management
  • Supply Chain Structure Acquisition Strategy
  • Threat Modeling
  • Threat Modeling Techniques

Materials

Once registered, learners will be granted 24-hour-a-day access to the courses material for 12 months. During the 12 months, students can proceed through the courses at their convenience and review and repeat individual sections as often as needed. The course slides, transcripts of each lecture, and related technical reports are available to download.

Additional Information:

Each course provides video-recorded training sessions (described below) that are presented by SEI CERT instructors. The instructor demonstrations included with the courses explore and reinforce concepts taught and how they can be successfully applied in real-world situations.

Software Assurance Methods in Support of Cybersecurity Engineering Course

  • 20 video training sessions with transcripts

SQUARE Workshop

  • 33 video training sessions with transcripts
  • 8 application exercises
  • Comprehensive Student Workbook containing exercise guidance, expert solutions, and all references

Security Engineering Risk Analysis Course

  • 12 video training sessions with transcripts
  • 4 application exercises
  • Comprehensive Student Workbook containing exercise guidance, expert solutions, and all references

Supply Chain Risk Management

  • 5 video training sessions with transcripts

Advanced Threat Modeling Course

  • 10 video training sessions with transcripts
  • 4 application exercises
  • Comprehensive Student Workbook containing exercise guidance, expert solutions, and all references

The curriculum and materials are based on the book titled Cyber Security Engineering: A Practical Approach for Systems and Software Assurance (SEI Series in Software Engineering) by Nancy Mead and Carol Woody.

Prerequisites

Students are required to have the following:

  • a basic understanding of software assurance
  • familiarity with the challenges of system security risk

To access the SEI Learning Portal, your computer must have the following:

  • For optimum viewing, we recommend using the following browsers: Microsoft Edge, Mozilla Firefox, Google Chrome, Safari
  • These browsers are supported on the following operating systems: Microsoft Windows 8 (or higher), OSX (Last two major releases), Most Linux Distributions
  • Mobile Operating Systems: iOS 9, Android 6.0
  • Microsoft Edge, Firefox, Chrome and Safari follow a continuous release policy that makes difficult to fix a minimum version. For this reason, following the market recommendation we will support the last 2 major version of each of these browsers. Please note that as of January 2018, we do not support Safari on Windows.

 

IMPORTANT NOTICE:

Carnegie Mellon University/Software Engineering Institute offices will be closed for winter break, December 21, 2024-January 1, 2025. SEI course registrations received during this period will be confirmed and enrollment completed upon our return on January 2, 2025.

Course Questions?

Email: course-info@sei.cmu.edu
Phone: 412-268-7388

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.