Software Assurance Competency Model
March 2013 • Technical Note
Thomas B. Hilburn (Embry-Riddle Aeronautical University), Mark A. Ardis (Stevens Institute of Technology), Glenn Johnson ((ISC)2), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Nancy R. Mead
In this report, the authors describe a model that helps create a foundation for assessing and advancing the capability of software assurance professionals.
Software Engineering Institute
CMU/SEI Report Number
This Software Assurance (SwA) Competency Model is a foundation for assessing and advancing the capability of software assurance professionals.
An organization in which software assurance is critical can use the SwA Competency Model for a variety of purposes:
- to structure its software assurance needs and expectations
- to assess the capability of its software assurance personnel
- to provide a roadmap for employee advancement
- to serve as a basis for software assurance professional development plans
The SwA Competency Model was intended to be general enough for individuals or organizations to tailor it easily to their specific employment sector, application domain, or organizational culture.
Modern society increasingly relies on software systems that put a premium on quality and dependability. The extensive use of the internet and distributed computing has made software security an even more prominent and serious problem. As a result, the interest in and demand for software security specialists have grown dramatically in recent years.
- What background and capability is needed to be a security specialist?
- How do individuals assess their capability and preparation for software security work?
- What is the career path to increased capability and advancement in software development?
- How do employers and acquirers determine their software security needs and assess and improve the software security capabilities of their employees and contractors?
To help organizations and individuals determine SwA competency across a range of knowledge areas and units, this model provides a span of competency levels 1 through 5, as well as a decomposition into individual competencies based on knowledge and skills. This model also provides a framework for an organization to adapt the model's features to the organization's particular domain, culture, or structure.
"The IEEE Computer Society (IEEE-CS) Professional Activities Board (PAB) has endorsed the SEI Software Assurance Competency Model as appropriate for software assurance roles and is consistent with A Framework for PAB Competency Models."
—Dick Fairley, Chair of the Software and Systems Engineering Committee of the IEEE Computer Society Professional Activities Board (PAB)
As part of earler work on software assurance education programs, the SEI also led development of an SwA Core Body of Knowledge (CorBoK). The CorBok served as a foundation for the development of curriculum and course guidance for software assurance curricula.
The CorBoK is based on an extensive review of software security reports, books, and articles as well as surveys of and discussions with industry and government SwA professionals. The CorBoK covers the entire spectrum of SwA practices involved in the acquisition, development, operation, and evolution of software systems. Table 1 describes the principal components (knowledge areas) of the CorBoK.
Of course, not every software security job requires knowledge and competency across the entire CorBoK. For example, a position might require deep capability in one or more areas but only a lower level awareness across the other areas. Also, different application domains (e.g., financial system or transportation system) and application types (e.g., web system or embedded system) typically require software security specialists to have additional competencies beyond the CorBoK.
What Is the Path to Increased SwA Capability?
Professional competency models typically feature so-called competency levels, which distinguish between what is expected in an entry-level position and what is required in more senior positions. Figure 1 describes SwA competency levels.
The SEI can help organizations develop a SwA competency model that is specific to their organization or their acquisition needs, and identify or develop the associated needed coursework. Contact us for more information.
The SwA Competency Model not only provides the basis for assessing an individual's current competency in software assurance practice, but it can also provide direction to individuals for their professional growth and career advancement.