U.S. Department of Homeland Security

Software Assurance

Workforce Education & Training Working Group


Software Assurance Education, Training & Certification Web Guide

Academic Curricula and Course Sampling

Carnegie Mellon University

Florida Institute of Technology, Master of Science in Information Assurance and Cybersecurity

James Madison, Computer Science Department

The Johns Hopkins University Information Security Institute (JHUISI) Master of Science in Security Informatics Program

George Washington University Computer Science curriculum

Massachusetts Institute of Technology EECS Undergraduate Program

Master of Software Assurance Reference Curriculum

Purdue University, The Center for Education and Research in Information Assurance and Security (CERIAS)

Rochester Institute of Technology

Stanford University Computer Science curriculum

Stevens Institute of Technology Master’s Degree Concentration in Software Assurance

United States Air Force Academy

University of California at Davis Computer Science curriculum

University of Detroit Mercy, The Center for Cyber Security and Intelligence Studies

Virginia Tech CS curriculum

If you know of other curricula that could be listed here, please send their web links to software.assurance [at]

Commercial Training Sampling

Aspect Security, Inc., Application Security Education and Training

Foundstone, Inc., Education

International Information Systems Security Certification Consortium, Inc. (ISC)²

KRvW Associates, LLC., Training Services

Microsoft Corp., Clinic 2806: Microsoft® Security Guidance Training for Developers (and other courses)

Netcraft, Inc., Web Application Security Course

Next Generation Security Software, Ltd., Security Training

The SANS Institute, Inc.

Secure Coding in C and C++ course, Software Engineering Institute, Carnegie Mellon University

Security Innovation, Inc., Application Security Education

Software Assurance and Information Security courses at the Software Engineering Institute, Carnegie Mellon University

Symantec Corp., Application Security Principles and Security in Software Development Lifecycle

If you know of other training that could be listed here, please send its web link to software.assurance [at]

Non-Commercial Training Sampling

OWASP WebGoat Project
Open Web Application Security Project (OWASP)'s WebGoat is a deliberately insecure Java 2 Enterprise Edition (J2EE) web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

ThreadStrong's Secure Application Development E-Learning Classes (available for free)
Denim Group donated its ThreadStrong secure software development courses to U.S. universities to help students learn how to build more secure software. According to Denim Group’s press release, students at universities that offer these e-learning courses learn how to “mitigate complex threats presented by a variety of software development languages, including mobile platforms such as Android and Apple's iOS. By taking security into account at the beginning of a software development project, these students can then avoid the common trap of unknowingly introducing security vulnerabilities into their software. These courses also demonstrate how to strike a real-world balance between functionality and security to enable a secure and agile enterprise that can protect its information while exceeding business performance goals.” The press release includes this information for universities that want to begin offering the courses at no charge: “ThreadStrong licensing is being donated to all eligible accredited universities and offers unlimited access to all available course materials enabling each student to review the training classes even after training is complete to refresh their knowledge. Universities are encouraged to contact Denim Group at (210) 572-4400 or at to apply for a ThreadStrong complimentary license.”

Refereed Articles and Papers

"Training and Awareness" article on Build Security In


Software Assurance Professional Competency Model, Department of Homeland Security, October 2012

Software Assurance: A Curriculum Guide to the Common Body of Knowledge. PDF is available for download from the Build Security In Web site.

Backgrounder on Software Assurance: A Curriculum Guide to the Common Body of Knowledge

Software Assurance Best Practices for Air Force Weapon and Information Technology Systems – Are We Bleeding? Thesis by Ryan A. Maxon, Major, USAF, Air Force Institute of Technology, AFIT/GIR/ENV/08-M13, March 2008

Toward an Organization for Software System Security Principles and Guidelines, version 1.0, by Samuel T. Redwine, Jr. Institute for Infrastructure


Workforce Education and Training Status Briefing, Software Assurance Forum, October 3, 2007