
RFC: Fleshing out Core Security

Open riceeatingmachine opened this issue 1 year ago • 5 comments

Problem:

In this RFC I'll be proposing some changes to core security to make it more streamlined.

Duration: 3 months.

Background:

The Core Security section was provisionally added to the curriculum and then made permanent to fill the needs of the curriculum. Not enough feedback was received presumably because not enough learners finished core security.

I finished the first two courses of the Secure Coding Specialization in core security, some of the third one, and skimmed the fourth one (the third and fourth have a lot of repeat material from the first two).

Aside from the Secure Coding Specialization, the course Cybersecurity Fundamentals is too long (80-96 hours) and covers material that isn't needed in the core section.

The first two courses of the Secure Coding Specialization:

- Principles of Secure Coding
- Identifying Security Vulnerabilities

cover most of the topics we need to cover in IAS/Foundational Concepts in Security, IAS/Principles of Secure Design, and IAS/Defensive Programming. They also cover about half of the IAS/Cryptography section, and 70% of the IAS/Web Security (elective) section.

As such, they fulfill the requirements of what we need in core security.

There are a few holes left to be filled in the CS2013 specification, for which we need to take some sections from the third course of the Secure Coding Specialization (specifically week 3 lesson 8 on race conditions, and week 4 lesson 9 on pseudo-random numbers).

For a few basic concepts of security, we need to include Security Governance & Compliance (a short 9 hour course which took me about 6 hours) to cover "CIA (Confidentiality, Integrity, Availability)" and "Concepts of risk, threats, vulnerabilities, and attack vectors" in depth.

In the images below, you'll see the CS2013 requirements and which courses cover those.

[five images: CS2013 requirements mapped to the courses that cover them]

We also cover a whole bunch of elective topics in SE/Software Design and SE/Software Construction:

[image: elective topics in SE/Software Design and SE/Software Construction]

As such, these three courses cover the topic of core security well:

- Principles of Secure Coding
- Identifying Security Vulnerabilities
- Security Governance & Compliance
- Identifying Security Vulnerabilities in C/C++ Programming - lesson 8 and lesson 9 only

Proposal:

  1. Remove Cybersecurity Fundamentals from the curriculum. SEE FIRST COMMENT
  2. Remove Exploiting and Securing Vulnerabilities in Java Applications from core security.
  3. Limit Identifying Security Vulnerabilities in C/C++ Programming to lesson 8 and lesson 9 only and make it mandatory.

The prerequisites need to be "Core Programming, Databases, and Networking".

Core Programming because there is code, Databases for the SQL injection material, and Networking because most of the second course is about network security.

riceeatingmachine avatar Jan 08 '23 10:01 riceeatingmachine