Report: Summit on Education in Secure Software


Technical Report

About This Report

From the Executive Summary:

The goal of SESS was to develop a comprehensive agenda focused on the challenges of secure software education. To meet this goal, SESS had three specific objectives.

  1. To have cybersecurity stakeholders from academia, government, industry, and certification and training institutions discuss the goals of teaching secure programming and the current state of that teaching;
  2. To use that discussion as the basis of a collaborative effort to suggest new approaches, and improve existing approaches, to improve the quality of that education and to enable it to reach a broader audience; and
  3. To outline a comprehensive agenda for secure software education that includes objectives for different audiences, teaching methods, resources needed, and problems that are foreseen to arise.

The findings are presented in the form of “roadmaps” for constituent groups that describe ways to improve the state of education in secure programming. The roadmaps explain what the members of the constituent group should know, various methods by which they might be educated, and what resources will be necessary to achieve that level of education. The roadmaps also identify expected and possible challenges to meeting these goals—the “potholes”. Each roadmap concludes with specific recommendations for meeting the articulated educational goals.

Several themes emerged from the recommendations of the individual roadmaps. The ten recommendations below provide a starting point for stakeholders across constituent groups to begin to transform education in secure software.

  1. Increase the number of faculty who understand the importance of secure programming principles, and will require students to practice them.
  2. Provide faculty support for the inclusion of security content in existing courses through clinics, labs, and other curricular resources.
  3. Establish professional development opportunities for college faculty, non-computer-science professionals, and K-12 educators to heighten their awareness and understanding of secure programming principles.
  4. Integrate computer security content into existing technical (e.g. programming) and non-technical (e.g. English) courses to reach students across a variety of disciplines.
  5. Require at least one computer security course for all college students:
    1. For CS students, focus on technical topics such as how to apply the principles of secure design to a variety of applications.
    2. For non-CS students, focus on raising awareness of the basic ideas of computer security.
  6. Encourage partnerships and collaborative curriculum development that leverage industry and government needs, resources, and tools.
  7. Promote collaborative problem solving and solution sharing across organizational (e.g. corporate) boundaries.
  8. Use innovative teaching methods to strengthen the foundation of computer security knowledge across a variety of student constituencies.
  9. Develop metrics to assess progress toward meeting the educational goals specified in the roadmaps presented in this document.
  10. Highlight the role that computer security professionals should play in key business decision-making processes.


Support for this work was provided through the National Science Foundation Directorates of Computer and Information Science and Engineering, and of Education and Human Resources, under Award #1039564. Opinions expressed, conclusions drawn, and recommendations provided do not necessarily reflect the views of the National Science Foundation.