College Degrees Now Available for Secure Software Development

Tracie Berardi, Program Manager, Consortium for IT Software Quality (CISQ)


Cybersecurity training and workforce development are a common theme, and a commonly proposed solution, at conferences that discuss the challenges of cybersecurity and the future as we know it: developing, architecting and living within digital IT ecosystems. Who’s steering the ship? Do leaders understand the security threats, and do their teams know how to develop secure, resilient and trustworthy systems for the future? For years, IT was siloed and focused predominantly on functionality. Web-based applications and services expanded the attack surface.


Amidst these fast-paced technological changes, there is good news for workforce development, because with a skills gap comes opportunity.


The Software Engineering Institute (SEI) at Carnegie Mellon University is one of the premier universities in the U.S. for software engineering. The SEI has developed Software Assurance Curricula with support from the U.S. Department of Homeland Security. The courses available include:


  • Master of Software Assurance Curriculum
  • Undergraduate Software Assurance Curriculum
  • Community College Software Assurance Curriculum
  • Software Assurance for Executives


I spoke with Girish Seshagiri, EVP and CTO of ISHPI Information Technologies, who explained that in the United States we now have three community colleges that offer an Associate Degree in Secure Software Development based on the SEI curriculum and adoption guidelines.


Girish is passionate about this subject. He is on CISQ’s Board, co-chair of the National Initiative for Cybersecurity (NICE) apprenticeship sub-working group, and co-founder of the Community Initiative Center of Excellence for Secure Software (CICESS). CICESS promotes a dual model apprenticeship in partnership with community colleges. Girish’s employer, ISHPI, was an early adopter of the apprenticeship model at the ISHPI AIS Software Development Division in Peoria, IL. Students take college courses while participating in paid, on-the-job experience.


The CICESS GP project won the 2018 Innovations in Cybersecurity Education Award (curriculum category) from the National CyberWatch Center, a National Science Foundation-funded Advanced Technological Education Center at Prince George’s Community College in Largo, Maryland.


Here’s a recent article in Community College Daily:


So you want to implement Quality Assurance… or should it be Quality Control?

By Bill Ferrarini, Senior Quality Assurance Analyst at SunGard Public Sector, and CISQ Member


Most companies use these terms interchangeably, but the truth is that Quality Assurance is a preventative method while Quality Control is an identifier.


Don’t go shooting the messenger on this one; I know that each and every one of us has a different point of view when it comes to quality. The truth of the matter is that we all have the same goal, but defining how we get there is the difficult part.


Let’s take a look at the different definitions taken from


  • Quality Assurance: The planned and systematic activities implemented in a quality system so that quality requirements for a product or service will be fulfilled. Quality Assurance is a failure prevention system that predicts almost everything about product safety, quality standards and legality that could possibly go wrong, and then takes steps to control and prevent flawed products or services from reaching the advanced stages of the supply chain.
  • Quality Control: The observation techniques and activities used to fulfill requirements for quality. Quality Control is a failure detection system that uses a testing technique to identify errors or flaws in products and tests the end products at specified intervals, to ensure that the products or services meet the requirements as defined during the earlier process for QA.



As different as the definitions are, their scope is also very different.


To define a company’s Quality Assurance strategy is to specify the process, artifacts, and reporting structure that will assure the quality of the product. To define a company’s Quality Control is to specify the business and technical specifications, release criteria, test plan, use and test cases, and configuration management of the product under development.


It is important for a company to agree on the differences between Quality Assurance (QA) and Quality Control (QC). Both of these processes will become an integral part of the company’s quality management plan. Without this delineation, a company’s quality system could suffer from late deliveries, budget overruns, and a product that does not meet the customers’ criteria.


Quality Assurance

The ISO 9000 standard for best practices states that Quality Assurance is “A part of quality management focused on providing confidence that quality requirements will be fulfilled.”


Quality Assurance focuses on processes and their continuous improvement. The goal is to reduce variance in processes in order to predict the quality of an output.


To measure a company’s success in a Quality Assurance implementation, you would do well to monitor the following areas:

  • Best Practices
  • Code
  • Time to Market

Quality Control

The ISO 9000 standard for best practices states that Quality Control is “A part of quality management focused on fulfilling quality requirements.”


While QA is built around known best practices and processes, QC is a bit more complicated. To Control Quality, at a minimum you need to know two pieces of information:

  • The Customer’s view of Quality
  • Your company’s view of Quality

There are certain to be gaps between these two opposing views. How well you bring those gaps together will determine the Quality of your product.


Other metrics that come into play within a Quality Control environment would be:

  • Number of defects found vs. fixed in an iteration
  • Number of defects found vs. fixed in a release
  • Defects by severity level

These are just some of the metrics you would use to measure the success of your Quality Control implementation.



Neither QA nor QC focuses on the “whose fault is it?” question. The goal of a good QA and QC implementation should be to make things better by continuously improving your quality from start to finish. This requires good communication between the QA/QC groups.


Key attributes for success are:

  • Participation: Both process owners and users need to provide their expert input on how things “should” work, and define that in a fashion that allows your Quality Control to monitor the function.
  • Transparency: Open communication and the ability to look at all aspects of the process are critical to fully understand and identify both what works and what doesn’t.
  • Clear Goals: The entire team should know the intended results.

So if your company is implementing a Quality Management System, your first priority will be to understand the differences between QA and QC and, once they are established, to measure and improve every chance you get.


About the Author

Bill Ferrarini is a Senior Quality Assurance Analyst at SunGard Public Sector. Bill has over 25 years of experience testing software, hardware, and web-browser-based systems. After beginning his career as a software developer, Bill has been devoted solely to furthering the Quality Management movement. He has a diploma in Quality Management and a degree in Video and Audio Production, is a former certified ISO internal auditor, and is an accomplished musician.