What topics should or should not be included in software security education—Qualitative content analysis

Abstract

AbstractSoftware security education is still not preparing students for the types of high‐skilled technical roles that represent the most severe workforce shortage. Recognizing this, academia has begun redefining the knowledge area concepts of software security curricula to meet the current workforce shortage. This article studies the software security courses in Arab Gulf academic programs and benchmarks their descriptions with the corresponding knowledge area from cybersecurity Curricula (CSEC). 2017, the first set of global cybersecurity curricular guidelines. Using content analysis, six concepts or essentials are investigated: security requirements, secure design principles, secure source code, analysis and testing, patch, and ethics. It was found that no course follows all the CSEC. 2017 essentials. The analysis and testing essential were considered by all courses, and security after deployment, including the patch essential, needs more attention because it was not included in any course. Similarly, the security requirements and ethics essentials were also considered by a few courses. However, software success depends on requirements, and ethics has become critical in the cybersecurity and information assurance fields that depend on law and forensics. The secure source code essential was covered by most courses. The well‐known types of code attacks were covered, and over half of the courses discussed secure design principles essential. However, security by design is an emerging development philosophy. The article discussed observations and recommendations that will assist program managers and their staff in making effective decisions about the essentials and concepts that should be included when they are developing the software security curriculum.