The importance of building secure applications is well-established. And yet software developers graduating with degrees in computer science often lack application security training. Why is that so, and what can be done to remedy this situation?
The fact that most developers entering the job market do not have sufficient -- or any -- application security training is an issue that has received much attention. Probably the best-known public discussion of the issue was when Oracle CSO Mary Ann Davidson sent a letter to several university computer science department chairs demanding that they begin instructing students about secure development. Unfortunately, she received only one response. There are two major reasons why universities have problems producing graduates with sufficient security knowledge: Most universities are not ready to teach secure coding, and many students are not in a position to learn.
University curricula tend to change very slowly, so incorporating formal security instruction into traditional computer science programs will take time. In addition, the computing field moves quickly, and computer science programs have a plethora of emerging topics competing for attention in the finite number of credit hours available to most students. Application security must compete with other -- and arguably equally important -- topics such as parallel programming and cloud computing.
In addition, most computer science professors and teaching assistants do not themselves have a strong background in security engineering or secure coding. Their research is focused on different areas of the computing field, and many have little applied experience developing software for the kinds of large-scale systems being built in many organizations. Obviously these are generalizations and counterexamples exist, but for most universities they hold true.
In addition to challenges at the university level, many students are not ready to learn a tremendous amount about secure development until later in their university education. Some basics such as input validation and output encoding can be taught to a degree, but these high-level topics can really only demonstrate their value when applied to more complicated and real-world systems that students may not see until they take more advanced coursework.
How do you explain SQL injection vulnerabilities to students who have never had a course in databases, and, even if they did, why would you expect them to remember the material? Similarly, if a student had no experience building Web or other network-attached systems, how would you drive home the importance of authentication and authorization?
The situation is not hopeless, but both academia and corporate consumers of their graduates need to be realistic about what can be done and what results to expect. Curriculum changes may be difficult and slow moving, but course content delivered in support of the curriculum can be augmented with materials that contain secure coding information. Last year, my organization made our ThreadStrong secure development e-Learning available for free to qualifying universities, and this approach has seen some success.
Professors could also include free materials from organizations such as the Open Web Application Security Project (OWASP) in relevant courses. Programming assignments can be updated to use more common real-world coding environments, such as Web and database applications. Universities should also reach out to other individuals and organizations that can help. Local professionals with secure coding experience may be available, and their corporate employers would benefit from the relationship through early access to graduates and the ability to screen for students with a particular interest in and aptitude for secure development. Finally, programs such as OWASP's Academic Supporter are available for interested institutions.
So what is a reasonable expectation for organizations hiring recent graduates? As the industry starts to demand more of graduates, it will become reasonable to expect that computer science students -- especially those looking to become full-time developers -- should come out of their university program with some introduction to security engineering and secure coding concepts.
Students who are especially inclined toward security should be able to come out with even stronger application security training. Organizations should still expect to provide role-specific security training as well as training on advanced topics, and they should understand that these changes will take time. It is also critical to remember that developer education, while important, is only one part of a balanced software assurance approach that also includes threat modeling, security testing and other activities.
This was first published in March 2013