Using Security Checklists and Scorecards in CS Curriculum

Industry has recognized that creating secure systems requires incorporating security concepts throughout the software development lifecycle. A similar effort is required in education, integrating security best practices and risk management into the curriculum. At Towson University, we are developing and implementing a model to thread security throughout our computer science curriculum. Key to our plan is the use of security checklists and scorecards. Checklists provide a quantifiable list of security criteria to aid in writing secure code and reinforce security principles. Additionally, scorecards and checklists provide a consistent means of evaluation and assessment. This paper focuses on the development of security checklists for use with student laboratory work. Our plan is a work in progress; initial implementation began spring, 2007, with preliminary results available in June 2007. We are actively seeking partnership and collaboration opportunities with other universities and this paper serves as a vehicle for inviting ideas and feedback.