By John Dickson
Perhaps one of the more interesting discussions at last month’s SANS AppSec conference was with Mary Ann Davidson, Chief Security Officer at Oracle Corporation. Mary Ann’s session drew on several military analogies to the software security world, but the section of her presentation that got my strongest interest dealt with higher education. In a nutshell, Mary Ann has been trying to influence colleges and universities to graduate better developers, specifically developers who understand basic concepts of secure software development and design. She speaks frequently – as she did at SANS – about how she sent letters to the top 12 hiring universities demanding that they teach secure development concepts. I’ve characterized this as a great example of a “stick” approach to effecting change, namely “you had better change or else.” This might have an impact if you’re Oracle (or Microsoft or Google). It will likely have less of an effect if you’re Denim Group or any other company with less market footprint.
At the SANS conference, I found out that Mary Ann only received one response out of her 12 letters. This is a surprise to me, given her high-profile position at Oracle. If these universities could be so indifferent to Oracle, how will they respond when lesser giants squawk?
I learned two things:
- Professors might perceive themselves to be impervious to outside threats, even from one of the 800-pound Silicon Valley gorillas. (Tenure trumps all, I guess.)
- Indifference might be involved. Perhaps the universities have so many competing requests that Mary Ann’s letter fell on deaf ears.
Regardless, receiving one response to twelve letters speaks volumes. Others in the software security community have met with similar results. Undergrad students rarely understand secure development concepts – at best they took one elective that skimmed the highest-level concepts of secure system design and software security. At worst, they had one lecture on SSL. In spite of the rise of college security programs, the development of software security courses has lagged significantly.
I’ve been told this is because of the sheer number of classes Computer Science programs require their undergraduates to complete for their degree plans. How can you justify bumping a class on operating systems to insert a secure programming class? Fair enough, but those of us in industry are still forced to train software developers in the skills they need for secure development – a process that can take two years.
The status quo is bad, and universities are cranking out new coders who will make the same mistakes and will have to learn the hard way how to write more secure code.
Coming up – Ideas for “carrots” for higher education to encourage them to teach more software security.
john _at_ denimgroup.com