Sponsored Project: A Core Cybersecurity Course Development
Project Title: A Core Cybersecurity Course Development: Secure Programming in an Immersive Learning Environment
The one-year project, sponsored by the National Security Agency (NSA), will develop an immersive-learning-based curriculum on Software Security & Secure Programming. A pilot course will be offered to PNW CIT/CS senior students and graduate students in summer 2017. Through the education and training provided by the proposed course curriculum, students are expected to become proficient in secure software programming knowledge, skills, and abilities.
Three objectives will be achieved.
- Identify topics suitable for the software security and secure programming course, and align them with NICE NCWF KSAs.
- Design and implement course modules with simulated programming cases and interactive hands-on labs. Specifically, re-programmable software programs will be developed for each selected topic to allow students to acquire knowledge and skills. A GUI-based game will be developed to integrate the software programs into a single package. Game play and lectures will be seamlessly embedded into class activities to facilitate knowledge acquisition.
- Assess the effectiveness of the immersive learning secure programming curriculum developed in this project through a pilot course at PNW in summer 2017.
Through the sharing and dissemination of the course material to the CAE community and other higher-education institutions, this project can broaden participation in cybersecurity and software security education, which can contribute to the development of a cybersecurity-aware citizenry that is capable of advancing national economic prosperity and security.
Basic knowledge and skills of computer programming and object oriented programming.
How Will Students Benefit?
Be proficient with the secure programming knowledge, skills, & abilities that are required by the NIST-defined work roles “Software developer” & “Secure Software Assessor”.
| KSAs | NCWF KSA Description |
|---|---|
| K0001 | Knowledge of computer networking concepts and network security methodologies |
| K0004 | Knowledge of cybersecurity principles |
| K0005 | Knowledge of cyber threats and vulnerabilities |
| K0007 | Knowledge of authentication, authorization, and access control methods |
| K0016 | Knowledge of computer programming principles such as object-oriented design |
| K0039 | Knowledge of cybersecurity principles and methods that apply to software development |
| K0085 | Knowledge of system and application security threats and vulnerabilities |
| K0140 | Knowledge of secure coding techniques |
| K0152 | Knowledge of software related information technology (IT) security principles and methods |
| S0001 | Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems |
| S0014 | Skill in software debugging |
| S0019 | Skill in creating programs that validate and process multiple inputs |
| S0022 | Skill in designing countermeasures to identified security risks |
| S0060 | Skill in writing code in a currently supported programming language (Java) |
| S0138 | Skill in using PKI encryption and digital signatures (SSL) |
| S0149 | Skill in developing applications that can handle errors, exceptions, and application faults and logging |
| A0007 | Ability to tailor code analysis for application-specific concerns |
| A0047 | Ability to develop secure software according to secure software deployment methodologies/practices |
Topics & Modules:
| Course Module | Selected Course Topics | KSAs |
|---|---|---|
| Software Security Fundamentals with Programming Demonstrations | Security goals (confidentiality, integrity, availability, accountability, non-repudiation), cryptography basics (symmetric/asymmetric key encryption techniques and standards), access control (models, matrix, ACL), security programming techniques including SSL/HTTPS programming, encryption programming, authentication, and access control | |
| Software Security Design Principles, Threats, and Countermeasures | Software security design principles (least privilege, resource encapsulation, abstraction, modularity, simplicity, defense in depth, secure by default and fail safe), software vulnerabilities and threats (buffer overflow, SQL/code injection, XSS security), design-in security, software requirement security specifications (error handling, quality assurance, validation and fraud checking) | |
| Secure Programming Fundamentals | Input validation, normalization, and sanitization, proper data declaration and initialization, safe use of expressions (return values, pointers, equality comparisons), secure and privacy sensitive exception handling, numeric type & operations (integer overflow, bitwise and arithmetic operations, zero division and modularization, floating-point data operations) | |
| Secure Object Oriented Software Programming | OOAD software design principles (inheritance, encapsulation, abstraction, polymorphism), control of class clone, extensibility, and mutability, control of overridden methods, security check methods, and object comparison methods, and argument passing | |
| Secure Network, File IO & Concurrent Programming | Multi-thread programming, race conditions, mutual exclusion and synchronization through lock and semaphore, deadlock avoidance, control shared file access and file resource release, control multi-thread network programming, security issues of serialization/deserialization of data objects crossing networks | |
| Software Programming Platform Security | Secure code and operation check through security manager, access controller, secure class loading, code signing, package sealing, and bytecode verification. Data security protection through SSL/HTTPS programming | |
Lead Instructor: Dr. Michael Tu, PhD in Computer Science, Assistant Professor of CIT
Co-Instructor: Dr. Shuhui Yang, PhD in Computer Science, Associate Professor of CS