Why Can’t Johnny Program Securely?

Why Can’t Johnny Program Securely?

Tech Talk, Past Presentation

The October 2022 tech talk was presented by Robert Seacord

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract

Secure coding (unsurprisingly) is hard. Our educational systems have failed to properly prepare students, and our assessments have overestimated their abilities. Analysis and testing is useful but inadequate. This presentation will discuss the gap in qualified secure coders and what we can do to eliminate it.

About the Presenter 

Robert C. Seacord is the Standardization Lead at Woven Planet, where he works on the software craft. Robert was previously a Technical Director at NCC Group, Secure Coding Manager at Carnegie Mellon’s Software Engineering Institute, and an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University.

He is the author of seven books, including Effective C: An Introduction to Professional C Programming (No Starch Press, 2020), The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014) Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). He has also published more than 50 papers on software security, component- based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development. Robert has been teaching secure coding in C and C++ to private industry, academia, and government since 2005. He started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering; he  also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. Robert is on the advisory board for the Linux Foundation and is an expert at the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.

Designing and Launching Secure Software Development Degree Apprenticeships Partnering with Historically Black Colleges and Universities – Panel Session

Designing and Launching Secure Software Development Degree Apprenticeships Partnering with Historically Black Colleges and Universities – Panel Session

Past Presentation

The May 2022 tech talk was presented by Diana Elliott, Girish Seshagiri, and Nikunja Swain

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

About the Session

Currently, in the U.S. over one million software developer positions and 600,000 cybersecurity occupations are unfilled due to the lack of available skilled job seekers. At the same time, the percentage of women, minorities and veterans in technology professions continues to be low. In this panel discussion, we describe how a consortium of South Carolina Historically Black Colleges and Universities (HBCUs) is partnering with SC employers to design and launch IT and cybersecurity degree apprenticeship cohorts in fall 2022. The panelists will provide a status update of the exemplar government/industry/academic collaboration which will result in career pathways to technology jobs for cyber security and computer science graduates of HBCUs. The panelists will discuss the requirements of DOL Registered Apprenticeship Program which is a high-quality vocational training model with standard work process including 2,000 hours of on-the-job training and 61 academic credit hours. The panelists will present how the HBCU consortium colleges mapped cybersecurity and computer science degree curricula to National Initiative Cybersecurity Education (NICE) Framework competencies for developing software which is secure from cyber-attacks.

About the Presenters

Diana Elliott is a senior fellow in the Center on Labor, Human Services, and Population at the Urban Institute. Her work focuses on families’ financial security and economic mobility and the programs and policies that support them, including apprenticeships. Elliott is the director of several apprenticeship projects at Urban, including the Apprenticeship Expansion and Modernization Fund, which launched over 1500 apprentices into tech occupations. Prior to Urban, Elliott was a research manager at the Pew Charitable Trusts and a family demographer at the US Census Bureau. Elliott holds a PhD in sociology from the University of Maryland, College Park.

Girish Seshagiri Founder/CEO of Nonprofit Apprenticeship Implementation Solutions, Inc is an early adopter of the apprenticeship dual model. Under his leadership, the Community Initiative Center of Excellence for Secure Software (CICESS) was launched in Peoria, Illinois in 2015. CICESS received the 2018 Innovation in Cybersecurity Education Award given by the National Cyberwatch Center. Girish is currently focused on government/industry/academic collaboration partnering with Historically Black Colleges and Universities to design and launch IT and Cybersecurity degree apprenticeship cohorts. Girish is the immediate past co-chair of the NICE Apprenticeship Working Group. Girish has an MBA from Michigan State University.

Nikunja Swain is a professor, department chair, and executive director of center of excellence in cybersecurity at South Carolina State University. Dr. Swain has over 35 years of college level teaching experience and he is a registered professional engineer in South Carolina. Dr. Swain has over 70 conference/journal publications, and number of grants from NSF, DOE, USDA/NIFA, DOD, and others. Dr. Swain is a life senior member of IEEE, a professional member of ACM, a member of SIGITE, and ASEE.

The Digital Transformation Spiral Model

The Digital Transformation Spiral Model

Past Presentation

The March 2022 tech talk was presented by Dr. Barry Dwolatzky

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract:

Digital transformation has become an imperative for organisations in the 21st Century irrespective of size, sector, or geographic location. Studies have shown that a very high percentage of digital transformation journeys have failed to deliver the desired results. In order to mitigate some of the risks associated with digital transformation and its associated organisational changes, we have proposed a lifecycle model approach. We call the lifecycle the “Digital Transformation Spiral Model”, or DTSM. It is an iterative and incremental model with both a “design and development” cycle and a “governance” cycle. The focus is on continuous innovation via continuous improvement. The DTSM draws on a number of tools and frameworks including the Business Model Canvas (BMC), CMMI, and Kent Beck’s 3X model.

About the Presenter 

PROFESSOR BARRY DWOLATZKY, BSc(Eng), PhD, FSAIEE, FIITPSA

Barry Dwolatzky is professor emeritus in the School of Electrical & Information Engineering at Wits University. He is the founder and Director of the University’s Joburg Centre for Software Engineering (JCSE). He is also the founder of Wits University’s Tshimologong Digital Innovation Precinct in Braamfontein, Johannesburg. While he remains the Director of the JCSE, in July 2021 he was appointed as Director of Innovation Strategy in the Office of the Wits Deputy Vice-Chancellor: Research and Innovation.

Barry’s undergraduate (BSc(Eng) ) and postgraduate degree (PhD) are in Electrical Engineering and are from Wits. In 1979, he left South Africa and worked in the UK as a postdoctoral researcher at the University of Manchester Institute of Science and Technology (UMIST), Imperial College, London, and at the GEC-Marconi Research Centre. Over this period, he worked on a number of large software research and development projects.

Barry returned to Wits from the UK as a senior lecturer in 1989. He became a full professor in 2000. In December 2017, he officially retired from Wits and was appointed a professor emeritus. His primary focus over the past 30 years has been the growth and development of the South African software engineering sector.

In 2005, Dwolatzky was the major driver in setting up the Joburg Centre for Software Engineering (JCSE) at Wits. The JCSE aims to grow skills, promote the adoption of best practices, and encourage innovation and entrepreneurship in South Africa’s digital economy. In 2007, he became Director and CEO of the JCSE.

In 2013, Dwolatzky spearheaded an initiative at Wits to establish a major digital innovation hub in the Braamfontein area of inner-city Johannesburg. Called the “Tshimologong Precinct,” the project has attracted significant support from government and a range of major local and international companies. IBM Research has established their 12th international laboratory in Braamfontein as an integral part of the precinct.

In recognition of his contribution to the South African IT industry, Barry Dwolatzky was named the “South African IT Personality of the Year” in 2013, and received an award for “Distinguished Service to IT” from the Institute of IT Professionals of South Africa (IITPSA) in 2016. Also in 2016, Wits University presented him with the “Vice Chancellor’s Award for Academic Citizenship.”

Why Is It So Hard to Do Easy Stuff?

Why Is It So Hard to Do Easy Stuff?

Past Presentation

The April 2021 tech talk was presented by Gerardo Lopez

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract:

Software technology is huge and seems complex, but it really isn’t: every technology is just an enormous bunch of small pieces (each only a few characters long). It is impossible for anyone to understand everything, but successful software implementations can be achieved with a thorough understanding of the “small set of pieces” required to solve a given problem.

To create a good software solution to address a given problem, we first must formulate a good understanding of that problem — specifically, we need to discover the structure of the problem. Good software should model the problem’s structure, thus making it easy to debug and maintain.

Engineering techniques to achieve this were invented many years ago, and many programmers and organizations were successful in applying this knowledge. These engineering techniques are easy to learn, but are not used widely enough by software engineers today.

About the Presenter 

Gerardo Lopez

Gerardo is an entrepreneur, businessman, and software engineer with more than 45 years of experience in transforming software development to well-established software engineering practices in order to achieve top quality and reduce development cost and time.

Gerardo holds a Bachelor’s degree in Electrical Engineering from Tec de Monterrey, and spent two years working for a Master of Arts degree in Computer Sciences at Texas University.

From 1982 through 2000, he founded and grew Softtek, a software development company in Mexico, to become the largest in Latin America. In 2002, he started Towa with the vision to excel in software quality and lead Mexico to become #1 in software quality in the world (“Mexico should achieve in software what the Japanese did in car manufacturing 60 years ago”). Gerardo is currently serving the SEA as leader of the Content Creation working group.

Cliff Diving Into TSP℠: How Watts Humphrey saved a third-year software engineering lab course in Rajasthan’s LNMIIT

Cliff Diving Into TSP℠: How Watts Humphrey saved a third-year software engineering lab course in Rajasthan’s LNMIIT

Past Presentation

The July 2020 Tech Talk was presented by Dr. Philip Miller

Watch the Recording on YouTube
View the Presentation Slides
Read the Full Meeting Minutes

Abstract:

With no more than a university course information form and list of the names of software projects from a previous course offering, the author, a Visiting Professor at LNMIIT, decided that TSP was his best chance at giving students a useful experience in teaming software development.  Students had no prior training in TSP℠, PSP℠, or software engineering.  There was no coordination with a concurrent software engineering theory course. There were 215 students. Prior work with 200 of the university’s students in an intermediate C programming course indicated serious gaps in knowledge and skill sets. The author was the only faculty member involved. There were no teaching assistants. This had all the ingredients necessary for an educational disaster.  Surprisingly the course was judged a great success by the students, the author, most of the faculty who paid attention to the course, and the University Director, a very high quality tenured professor of computer science on loan from BITS Pilani. 

How can we account for such an unlikely outcome? Watts Humphrey was a genius. Students worked harder, with more cohesion and to greater effect than anyone expected. Support from the top was excellent. Requiring all 21 of the student software teams to adhere to TSP orthodoxy on open source projects of their own choosing were good ideas, really good ideas. Treating the students as young professionals was rewarded with them behaving exactly like that – young, sincere professionals. The course was a joy. Watts would have loved it even though the author broke rule after rule after rule. Data and details will be presented.

About the Presenter 

Dr. Philip Miller has been working on one, and only one thing since entering the field of computer science as special faculty in the Computer Science Department of Carnegie Mellon University in 1979. That thing is to extend the excitement, benefits and blessings of knowledge, skills and careers in computing to people who could use some help. In the 1980s pursuit of that objective led to leadership in creating Advanced Placement Computer Science for the College Board and leveraging money from Steve Jobs and the National Science Foundation into novice programming environments that dominated American university freshman programming courses for a half decade or so. In the 1990s the pursuit was manifest in iCarnegie, a CMU backed startup that used blended learning to bring high quality curriculum and superb instructor preparation and support to hundreds of thousands of learners around the globe at prices more than an order of magnitude lower than a CMU education.

Being a slow learner it was well into the 2000s before Dr. Miller figured out that even very well trained people weren’t going to get jobs so long as the software companies proudly spouted things like, “We only hire from the top 20 universities!” It was another year or two before he realized that “authentic examination”, certifying personal software skills in the context of working on real systems was the key to leveling the playing field while at the same time identifying qualified developers for a global industry that was chronically starved for human capital. The World Bank loved the idea. As Dr. Miller waited for the several years that it took Carnegie Mellon and the World Bank to work out the details that made it possible for the former to accept money from the latter, Dr. Miller became a TSP Coach. Breathtaking is the only way that Dr. Miller describes the success of TSP in his coaching experiences. The confluence of authentic examination and disciplined, empirically based software development has Dr. Miller on his current quest to remove the inefficiencies in both training and hiring.

His PhD thesis (Political Science, Ohio State, 1976 ) used Lebesgue measure theory and Alfred Tarski’s notion of models of formal theory to analyze and extend the existing body of spatial theories of voter choice.

℠ Personal Software Process, PSP, Team Software Process, and TSP are service marks of Carnegie Mellon University. The Software Excellence Alliance is not affiliated with Carnegie Mellon University.