Secure Software Engineering Education: Knowledge Area, Curriculum and Resources

This paper reviews current efforts and resources in secure software engineering education, with the goal of providing guidance for educators to make use of these resources in developing secure software engineering curriculum. These resources include Common Body of Knowledge, reference curriculum, sample curriculum materials, hands-on exercises, and resources developed by industry and open source community. The relationship among the Common Body of Knowledge proposed by the Department of Homeland Security, the Software Engineering Institute at Carnegie Mellon University, and ACM/IEEE are discussed. The recent practices on secure software engineering education, including secure software engineering related programs, courses, and course modules are reviewed. The course modules are categorized into four categories to facilitate the adoption of these course modules. Available hands-on exercises developed for teaching software security are described and mapped to the taxonomy of coding errors. The rich resources including various secure software development processes, methods and tools developed by industry and open source community are surveyed. A road map is provided to organize these resources and guide educators in adopting these resources and integrating them into their courses

HoneyBug: Personalized Cyber Deception for Web Applications

Cyber deception is used to reverse cyber warfare asymmetry by diverting adversaries to false targets in order to avoid their attacks, consume their resources, and potentially learn new attack tactics. In practice, effective cyber deception systems must be both attractive, to offer temptation for engagement, and believable, to convince unknown attackers to stay on the course. However, developing such a system is a highly challenging task because attackers have different expectations, expertise levels, and objectives. This makes a deception system with a static configuration only suitable for a specific type of attackers. In order to attract diverse types of attackers and prolong their engagement, we need to dynamically characterize every individual attacker\u27s interactions with the deception system to learn her sophistication level and objectives and personalize the deception system to match with her profile and interest. In this paper, we present an adaptive deception system, called HoneyBug, that dynamically creates a personalized deception plan for web applications to match the attacker\u27s expectation, which is learned by analyzing her behavior over time. Each HoneyBug plan exhibits fake vulnerabilities specifically selected based on the learned attacker\u27s profile. Through evaluation, we show that HoneyBug characterization model can accurately characterize the attacker profile after observing only a few interactions and adapt its cyber deception plan accordingly. The HoneyBug characterization is built on top of a novel and generic evidential reasoning framework for attacker profiling, which is one of the focal contributions of this work

Faculty Workshops for Teaching Information Assurance through Hands-On Exercises and Case Studies

Though many Information Assurance (IA) educators agree that hands-on exercises and case studies improve student learning, hands-on exercises and case studies are not widely adopted due to the time needed to develop them and integrate them into curriculum. Under the support of the National Science Foundation (NSF) Scholarship for Service program, we organized two faculty development workshops to disseminate effective hands-on exercises and case studies developed through multiple previous and ongoing grants. To develop faculty expertise in IA, the workshop covered a wide range of IA topics. This paper describes the hands-on exercises and case studies we disseminated through the workshops and reports our experiences of holding the faculty summer workshops. The evaluation results show that workshop participants demonstrated high levels of satisfaction with knowledge and skills gained in both the 2012 and 2013 workshops. Workshop participants also reported use of hands-on lab and case study materials in our follow-up survey and interviews. The workshops provided a valuable opportunity for IA educators to communicate and form collaborations in teaching and research in IA

sSCADA: Securing SCADA Infrastructure Communications

Distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems were developed to reduce labor costs, and to allow system-wide monitoring and remote control from a central location. Control systems are widely used in critical infrastructures such as electric grid, natural gas, water, and wastewater industries. While control systems can be vulnerable to a variety of types of cyber attacks that could have devastating consequences, little research has been done to secure the control systems. This paper presents a suite of security protocols optimized for SCADA/DCS systems which include: point-to-point secure channels, authenticated broadcast channels, authenticated emergency channels, and revised authenticated emergency channels. These protocols are designed to address the specific challenges that SCADA systems have