182 research outputs found

    Secure Software Engineering Education: Knowledge Area, Curriculum and Resources

    This paper reviews current efforts and resources in secure software engineering education, with the goal of providing guidance for educators to make use of these resources in developing secure software engineering curriculum. These resources include Common Body of Knowledge, reference curriculum, sample curriculum materials, hands-on exercises, and resources developed by industry and open source community. The relationship among the Common Body of Knowledge proposed by the Department of Homeland Security, the Software Engineering Institute at Carnegie Mellon University, and ACM/IEEE are discussed. The recent practices on secure software engineering education, including secure software engineering related programs, courses, and course modules are reviewed. The course modules are categorized into four categories to facilitate the adoption of these course modules. Available hands-on exercises developed for teaching software security are described and mapped to the taxonomy of coding errors. The rich resources including various secure software development processes, methods and tools developed by industry and open source community are surveyed. A road map is provided to organize these resources and guide educators in adopting these resources and integrating them into their courses

    Program Facilitates CMMI Appraisals

    A computer program has been written to facilitate appraisals according to the methodology of Capability Maturity Model Integration (CMMI). [CMMI is a government/industry standard, maintained by the Software Engineering Institute at Carnegie Mellon University, for objectively assessing the engineering capability and maturity of an organization (especially, an organization that produces software)]. The program assists in preparation for a CMMI appraisal by providing drop-down lists suggesting required artifacts or evidence. It identifies process areas for which similar evidence is required and includes a copy feature that reduces or eliminates repetitive data entry. It generates reports to show the entire framework for reference, the appraisal artifacts to determine readiness for an appraisal, and lists of interviewees and questions to ask them during the appraisal. During an appraisal, the program provides screens for entering observations and ratings, and reviewing evidence provided thus far. Findings concerning strengths and weaknesses can be exported for use in a report or a graphical presentation. The program generates a chart showing capability level ratings of the organization. A context-sensitive Windows help system enables a novice to use the program and learn about the CMMI appraisal process

    Integrating the Capability Maturity Model for Software and the Quality Air Force Criteria

    As defense budgets decrease and it is required to do more with less, the Air Force has chosen to use the Malcolm Baldrige National Quality Award (MBNQA) as the basis for implementing quality principles. The Air Force program is known as Quality Air Force (QAF), and the criteria are referred to as the QAF criteria DEPA95b. At about the same time the Department of the Air Force implemented QAF, the software leaders in the Air Force adopted the Capability Maturity Model for Software (CMM) as the internal standard for Air Force software organizations MOSE9l. Software organizations strapped with both sets of requirements struggle with how to implement both models. Many organizations implement redundant programs in an effort to satisfy both. This research uses signature and specification matching techniques gleaned from the software reuse domain to integrate the CMM and QAF criteria into a single set of requirements that correlate to both models

    Technology development: A partnership that makes sense

    Discussed here is an approach to how academic institutions, government entities, and industrial organizations can work effectively to utilize their relative strengths to more effectively meet common goals. The discussion relates to the University of Houston-Clear Lake (UHCL) Research Institute for Computing and Information Systems (RICIS) Program to bring about this type of triad in the Clear Lake area. It is concluded that the interfaces among these groups must remain independent to maintain a healthy counterbalance to their respective entities. However, each entity can and must understand the entire mechanism to exploit each interface to the fullest. Only through such cooperation can the continued technical success of the NASA/Clear Lake area be assured

    Towards a Business Process Management Maturity Model

    Business Process Management (BPM) has been identified as the number one business priority by a recent Gartner study (Gartner, 2005). However, BPM has a plethora of facets as its origins are in Business Process Reengineering, Process Innovation, Process Modelling, and Workflow Management to name a few. Organisations increasingly recognize the requirement for an increased process orientation and require appropriate comprehensive frameworks, which help to scope and evaluate their BPM initiative. This research project aims toward the development of a holistic and widely accepted BPM maturity model, which facilitates the assessment of BPM capabilities. This paper provides an overview about the current model with a focus on the actual model development utilizing a series of Delphi studies. The development process includes separate studies that focus on further defining and expanding the six core factors within the model, i.e. strategic alignment, governance, method, Information Technology, people and culture

    An agent-based approach to improving resource allocation in the Dutch youth health care sector

    We show how agent-based simulation is used for analyzing different queuing strategies in the youth health care sector. The simulation model represents an authentic business case and is parameterized with actual market data. We discuss the differences between four queuing strategies which are based on push/pull allocation and centralized/decentralized queuing strategies. The model incorporates, among others, a withdrawal and return mechanism, a non-stationary Poisson arrival process, and a preference algorithm to include a care provider’s case preference. The investigated system accommodates extensive waiting lines which are currently solely judged on their length. We have identified that performance measurement in youth health care should not be focused on queue lengths alone, but should include a case difficulty parameter as well. The simulation results, together with contextual data obtained from stakeholder interviews, indicate that a push strategy with a centralized queue suits the sector best. Most related research in health care focuses on queuing theory which fails to address the complexity of the case. Our simulation approach incorporates additional complexities of the case at hand which turn out to be relevant for the queuing strategy decision. We validate the model and strategies by comparison with real market data and field expert discussions

    Process Management Maturity Assessment

    This paper outlines a Business Process Management implementation approach in a large international company. It introduces a Process Management Maturity Assessment (PMMA) which was developed to assess the implementation of Business Process Management. The maturity model is based on the assessment of nine categories which comprehensively cover all aspects which impact the success of Business Process Management. Some findings of the first assessment round are presented to illustrate the benefits of the PMMA approach

    Agile Approach to Adding Assurance and Mitigating Overall Mission Risk for Orion Software on EM-1

    Human-rated missions like Orion are becoming exceedingly complex in terms of software contribution to achieving mission objectives, and this creates a resource challenge for everyone whose job is to add assurance that the mission is going to fly safely. Orion IV&V has addressed this challenge by providing focused assurance results of critical mission capabilities prioritized by a dynamic assessment of risk level. Prior to this approach, Orion IV&V was evaluating areas of risk in much broader, and more static, terms. Due to the Agile software development cycle that Orion follows, IV&V findings were often reported months out of phase with the developer. As a result of evolving the approach to providing assurance on Orion, IV&V is able to incrementally deliver high-priority assurance data and more impactful issues more in phase with the developer activities, thereby increasing the value of the findings to the project. The agile IV&V approach employed by the Orion IV&V team strives to achieve a cadence of delivery that matches the pace of development. This agile approach provides increased flexibility for the assurance provider to become more efficient in reporting assurance conclusions and issues. This presentation will discuss the principles which drive the design of our approach, results to date, and aspirations for long-term performance

    Mapping Maturity Characteristics into PSP

    The Personal Software Process (PSP)℠ is a technique designed to enable software engineers to improve their productivity and the quality of their work. PSP focuses on the habits of an individual producer and the ability of the individual to capture data that will help improve future performance. The Capability Maturity Model (CMM)℠ is a framework that focuses on organizations and the processes that organizations can put in place to improve their ability to sustain high quality software production. This paper describes a mapping between CMM and PSP techniques across organizational activities with particular attention to the contribution that PSP might make to an organization’s maturity level