
Why do developers lack application security training?

The importance of building secure applications is well established. And yet software developers graduating with degrees in computer science often lack application security training. Why is that so, and what can be done to remedy this situation?

In my experiences at both undergraduate and graduate school, most of my professors were really good at what they did -- lecture and impart book knowledge. The problem is that the theory they taught me, and the lack of hands-on experience most of them had, didn't translate all that well to the real world. Some schools are worse than others. Luckily, my undergraduate degree was from a school that prided itself on providing hands-on experience.

Overall, I believe the lack of application security training and other hands-on experience is a fundamental challenge we face in the industry, and there's not a great fix. I suppose higher standards for hands-on experience -- even some form of continuing education -- could be established for college professors. I'm confident that won't fly.

I believe that many degree programs are only meant to teach the essentials and not everything students need to know. The term "on-the-job experience" came about for a reason. That said, two universities local to me in Atlanta are well known for their information security programs: Georgia Tech and Kennesaw State University.

Perhaps undergraduate studies in computer science combined with graduate studies in security would be the ideal path for students to take. Or a double major wouldn't be bad, if you can hack it. (I couldn't resist the pun.)

Some might think that the government should get involved. I'm not crazy about that type of regulation and licensing. I'd prefer to stay with this free-market scenario, whereby savvy computer science graduates know that their learning has just begun. They understand that their graduation "commencement" is just that, and they go on to self-study, attend conferences, take courses and otherwise learn as much as they can about software security throughout their careers. That's what I did, and I know many others who work in IT who have done the same. Even having worked in security for two decades, I have a long way to go before I will feel that I've mastered these concepts.

The important question is: Are you up for the challenge and willing to do the work necessary to be successful in securing applications? If so, you'll be greatly rewarded, given the demand for this expertise.


How do you train software developers in application security?
The only way that the free market will address this is if producers of software bear some liability for security failures, and if providers of services that are based on software bear substantial liability for losses of their customers' data.

Cliff is right. Where there's no accountability, there's no standard of excellence or performance. In a previous life I wrote advertising copy for a client who wouldn't follow any deadlines, but then would expect the writing and design teams to put out perfect materials. It came to a head when the company went out of business because the sales team never allowed for the resources (personnel) to do a good job. The same is true here. If nobody is on the chopping block because of performance, there's no incentive to create great things.

Very true, guys... actions have consequences, and we're not quite seeing them at this level yet.

IMO, the other way to get your applications secure would be to get them tested by independent security testers. When developers work on security aspects, they are likely to be aware of potential flaws in the system and may end up focusing on only those areas. Plus, there are chances that they would be biased towards accepting/rejecting security flaws in their own code. What do you think?

Great point LalitBhamare... potential for conflict of interest -- fox guarding the hen house. That's how I market my services, as do many others. It's always good to get a fresh, unbiased perspective.

As a developer, we may not be aware of all the potential security risks out there. The networking staff is more likely to have this knowledge. I think if they could do the testing of the security measures, they would find the flaws more easily than the developer.

Very true, ToddN2000! The one caveat to that is that networking staff might not know enough about security, especially application security, or have the proper tools to find the flaws that truly matter. Given the uniqueness of application (and mobile app) security, even across the different application platforms, it's often best to use someone who specializes in that area. I.e., instead of hiring a general contractor to fix your home's elevated radon levels, you hire a radon remediation specialist who has the proper training, tools and methodologies that can have the most positive impact on the problem.

It's true, most Computer Science programs teach the essentials, with a lot of math and theory, and don't focus on areas like security or testing. A developer would have to seek out specialized security courses, or learn on the job if they were lucky enough to have a colleague who could mentor them.

I think I can count on one hand the number of developers I know that have specialized security training. Most of that work gets handed off to a specialist who is brought in for the job.

I feel the same. Most IT departments I have worked in treat them as separate departments. Like abuell mentioned, it's in the education. As times change, the courses need to adjust to make the skill set useful and well rounded.