SEC – SIGCSE 2022 Version

Security (SEC) – SIGCSE 2022 Checkpoint

The modern world increasingly relies on computing infrastructure to support nearly every facet of life: transportation, communication, healthcare, education, and energy generation and distribution, just to name a few. In recent years, with rampant attacks on and breaches of this infrastructure, it has become clearer that computer science graduates have an increased role in designing and implementing systems that are secure and can keep information private.

Security represents a crosscutting theme pervasive in all of the other areas of CS202X, including Software Development Fundamentals, Data Management, Operating Systems, Networking and Communications, Parallel and Distributed Computing, Systems Fundamentals, and Artificial Intelligence. As a consequence, Security needs to be incorporated into the philosophical mindset of computer science graduates so that all of the work expected from a computer science graduate is inherently secure. The six crosscutting themes of cybersecurity, viewed with a computer science lens [1], are also relevant to computer science graduates: confidentiality, integrity, availability, risk, systems thinking, and adversarial thinking. Of these, the adversarial thinking mindset is not typically covered in the other KAs, and needs to be included in the SEC foundational unit.

Computer science students also need to learn about security concepts such as authentication, authorization, and non-repudiation. They need to learn about system vulnerabilities and understand threats against information systems. As such, principles for protecting systems need to be covered to complement system design principles covered in the SDF and SE KAs, including principles such as secure by design, privacy by design, or defense in depth. Another concept important in the SEC KA is the notion of assurance, which is an attestation that security mechanisms are living up to security policies set up for data, processes, and systems. Other notable concepts covered in this KA include concepts underlying privacy, especially the technical aspects that are not covered in the Society, Ethics, and Professionalism KA.

The Security KA is an “updated” name for CS2013’s Information Assurance and Security (IAS) knowledge area. Since 2013, Information Assurance and Security has been rebranded as Cybersecurity and has become a new computing discipline with its own curricular guidelines (CSEC 2017) [1] that were released by the Joint Task Force of the ACM, IEEE Computer Society, AIS, and IFIP. As such, the Security KA in CS202X is being carefully crafted from the disciplinary lens of computer science as applied to the CSEC 2017 guidelines, with additional updates due to recent developments in computer science. CS202X builds on CS2013’s recognition of how pervasive security is to all of computer science.

[1] Joint Task Force on Cybersecurity Education. 2017. Cybersecurity Curricula 2017. Technical Report. ACM, IEEE-CS, AIS SIGSEC, and IFIP WG 11.8. https://doi.org/10.1145/3184594

The SEC KA is shown in two groups: (1) concepts that need to be emphasized within this KA, and (2) crosscutting concepts that are integrated into other KAs that reflect security. When completed, the total distribution of hours will be summarized in the table below.

SEC. Core Security and Crosscutting Security Concepts in Other KAs

                                                     | Core CS | Core KA | Elective Topics
Core Security KA concepts                            | TBD     | TBD     | Y
Crosscutting Security concepts included in other KAs | TBD     | TBD     | Y

SEC/Foundational Security

Topics:

  • Crosscutting concepts within Security: confidentiality, integrity, availability, risk, adversarial thinking, systems thinking
  • Vulnerabilities, threats, and attack vectors 
  • Authentication and authorization, and access control techniques
  • Concept of trust and trustworthiness
  • Principles of security, e.g., least privilege, open design, fail-safe defaults, defense in depth, layered defense
  • Principles of privacy
  • Tensions between security and other design goals
  • Legal issues and ethics

Illustrative Learning Outcomes

  1. Design and develop a system that is secure against a set of identified threats 
  2. Evaluate a system for trustworthiness
  3. Develop a system that incorporates various principles of security and evaluate it for its resilience to attacks
  4. Design and develop a system designed to protect individual privacy

SEC/Electives

A variety of electives can also be offered in the SEC KA: these can include electives that build on foundational security within this KA, or build on crosscutting security topics covered in the other KAs, or both. Such electives, with their topics and illustrative learning outcomes, will be included in the next version of this KA.

Desirable Professional Dispositions 

Professional dispositions are part of the competency model promised in our vision statement. Professional dispositions are “cultivated behaviors” desirable in the workplace. They are malleable and observable. 

Although several professional dispositions are desirable in this KA, a couple of the most desirable are:

  • Meticulous: Careful attention must be paid to details of the real world when developing a secure system to assure that every aspect of the system is protected. This requires meticulousness on the part of the student.
  • Responsible: As society increasingly depends on computing infrastructure and information systems, students need to show responsibility when designing, developing, deploying, and maintaining secure systems.

Math useful for this KA

Topics useful for this KA can come from the following areas of mathematical foundations. The listing of the following areas does not mean that full courses are needed. In many cases, the topics may be sufficiently covered within the same coursework that covers the corresponding Security topic.

  • Discrete structures
  • Group theory
  • Linear algebra
  • Number theory
  • Probability
  • Statistics

Crosscutting Security concepts included in other KAs

Using only one example each, the following list illustrates the extensive crosscutting nature of Security concepts in the other KAs. This list will be expanded when additional work is done in this KA, as well as the other KAs of CS202X.

  • Algorithms and Complexity
    • Cryptographic algorithms
  • Architecture and Organization
    • Reverse engineering
  • Artificial Intelligence
    • Machine learning models
  • Data Management
    • Data security
  • Graphics and Interactive Techniques
    • Privacy in XR systems
  • Human-Computer Interaction
    • Usable security
  • Mathematical Foundations
    • Cryptographic techniques
  • Modeling
    • Access control models
  • Networking and Communication
    • Secure networking protocols
  • Operating Systems
    • Memory protection
  • Parallel and Distributed Computing
    • Attacks due to race conditions
  • Programming Languages
    • Secure compiler development
  • Society, Ethics and Professionalism
    • Laws and ethics governing security and privacy
  • Software Development Fundamentals
    • Defensive programming
  • Software Engineering
    • Secure software engineering techniques
  • Specialized Platform Development
    • Secure platform architectures
  • Systems Fundamentals
    • Sandboxing techniques for isolation

Security Subcommittee

The subcommittee for this KA currently is:

  • Vijay Anand, University of Missouri – St. Louis, USA
  • Sherif Hazem, Central Bank of Egypt, Cairo, Egypt
  • Michele Maasberg, United States Naval Academy, USA
  • Rajendra K. Raj, Rochester Institute of Technology, USA (Chair)
  • Blair Taylor, Towson University, USA