Oleksandr Adamov

SE
3 papers
1 citation
Novelty 18%
AI Score 32

3 Papers

44.9 | SE | Mar 10
Experience Report on the Adaptable Integration of Requirements Engineering Courses into Curricula for Professionals

Oleksandr Kosenkov, Konstantin Blaschke, Tony Gorschek et al.

There is a growing demand for software engineering education (SEE) for professionals because of the increasing demand, active evolution of the technological landscape, and changes in the skills required by the practice. Integrating requirements engineering (RE) courses into SEE curricula for professionals systematically and effectively is challenging. In particular, curricula for professionals have different demands, are more dynamic, and modular in nature. In this study, we report on our experience in the development of three SEE curricula for professionals and the integration of RE courses into such curricula. We suggest basic principles for such integration and describe the systematic approach focused on course content mapping that we have developed.

43.3 | CR | May 22
Validating Threat Modeling Results with the Help of Vulnerable Test Applications

Oleksandr Adamov, Davide Fucci, Felix Viktor Jedrzejewski et al.

Validating threat modeling results remains difficult because completeness is hard to judge without an external oracle. Existing studies often rely on expert-produced reference models and other human baselines, but these can contain omissions or disagreements. This paper evaluates a complementary, vulnerability-grounded validation approach. We apply threat modeling to intentionally vulnerable applications with a known vulnerability set to measure the number of related vulnerabilities that can be discovered. We compare ThreMoLIA, an LLM-assisted threat modeling solution developed by our team, with the Microsoft Threat Modeling Tool (MTMT) across two vulnerable applications: AzureGoat and the Vulnerable Bank Application (VulnBank). The inputs to both tools are limited to architecture, data flow diagrams, and their descriptions. The results show that ThreMoLIA achieved higher vulnerability coverage on both systems. We show that vulnerable test applications provide a practical benchmark for assessing threat coverage and complement expert-based validation.

SE | Jun 28, 2023
MLSMM: Machine Learning Security Maturity Model

Felix Jedrzejewski, Davide Fucci, Oleksandr Adamov

Assessing the maturity of security practices during the development of Machine Learning (ML) based software components has not gotten as much attention as traditional software development. In this Blue Sky idea paper, we propose an initial Machine Learning Security Maturity Model (MLSMM) which organizes security practices along the ML-development lifecycle and, for each, establishes three levels of maturity. We envision MLSMM as a step towards closer collaboration between industry and academia.