Monday, January 24, 2011

SWEBOK V3 and Software Security

Steve Tockey at Construx Software gave me some good news recently: the new revision of the IEEE’s Software Engineering Body of Knowledge (SWEBOK) will include software security as a fundamental concern in software engineering.

The SWEBOK is intended to document a common understanding of software engineering, and to act as a map to everything that anybody who designs, builds and tests software should know and understand. This is part of the IEEE’s attempt to establish basic accreditation for software engineers: a Certified Software Development Professional (CSDP) designation, similar to certified project managers (PMP) and certified IT security professionals (CISSP) and so on.

The CSDP has not gained much traction in the software development community, although the accreditation initiative has the support of companies like Boeing and Lockheed Martin. Most developers that I know haven't heard of the SWEBOK or know about CSDP certification. The only real-life CSDPs I have met have been instructors from Construx, which also sponsored some of the SWEBOK work.

But the SWEBOK has become a reference for some university programs, and a handful of universities now offer entry-level CSDA certification training as part of their software engineering programs - similar to PMI's CAPM associate certification. So the SWEBOK has the potential to influence future software development.

The security updates in V3 of the SWEBOK look like they will wire security into requirements, design, construction, testing, maintenance, configuration management, software engineering management and processes, tools and methods, and software quality. Everywhere really. This is exactly right.

We have to be realistic. It will take a while for these and other changes to be made and reviewed and approved, and for the new SWEBOK to be published. (It looks like the latest revision is already some months behind schedule). And it will take years after that before the new version will be adopted. Adding software security in the SWEBOK isn’t going to change how people design and build software in the real world soon. But I am still glad to see it. It’s a small step, in the right direction.

1 comment:

nonee said...

how to implement quality metrics in terms of its attributes so that the one can distinguish from others as a good one??

Site Meter