By John Dickson
In my last blog post I focused on the gap between software security and higher education, and how initial efforts to force universities to teach software security concepts in their curricula have largely been unsuccessful. In spite of requests from some of the largest software companies and their leaders, there hasn’t been a measurable change in how security concepts involving software are being taught in our universities. Therefore, the security of software being developed in industry has not been improved by college hire talent entering the workforce. Entry-level developers have to be taught how to build secure applications in addition to everything else they have to learn starting out on the job.
I’ve characterized many of the initial efforts to change the status quo at universities as the “stick” approach – using implied threats, i.e., not hiring graduates, in order to influence curriculum development. In my last post, I commented that I felt these efforts had been largely ignored by the faculty and staff of Computer Science departments at major universities. Now I want to highlight some of the “carrots” that I’ve seen – actions or broader initiatives that I feel have had a positive impact on the teaching of software security concepts at institutions of higher ed.
I hate to say it, but some of these concepts are right out of Andrew Carnegie’s “How to Win Friends and Influence People” – namely that if you want someone to do something, figure out what they want to do, then work back from there. My thoughts involving getting professors to teach software security concepts are not entirely different from what Mr. Carnegie developed nearly 100 years ago. In this case, if you want professors to teach secure software concepts, figure out what the professors want, then work back from there. Below is a list of ideas that I’ve seen in the real world that have worked (to varying degrees). They represent a starting point for positive engagement with universities that graduate armies of junior developers each year.
Hire their students – Ultimately, most conscientious professors care about where their students work after graduation. It reflects well on them with their department heads and administrators if you hire their students, if nothing else because they will be good sources for future community fundraising activities. If you hire their students, and develop a personal relationship with senior members of the faculty, you are more likely to find a receptive party when you broach the topic of teaching more application security concepts.
Sponsor interns – Great interns translate to great college hires when they graduate, so it is in your own interest to sponsor great interns. If you or someone in your company has developed personal relationships with faculty, they may even help you identify the pick of the litter.
Provide interesting graduate thesis ideas – As an industry professional, you know best which issues are persistent challenges in the application security field. If you can provide insight into these real-world operational issues, you are likely able to give faculty great ideas for future research and graduate theses.
Serve on an Advisory Panel – Nearly every major computer science or security program in higher education has an industry advisory group that provides input to their respective departments. If you really want to get to know the faculty and influence what is taught, volunteer for an advisory panel. I’ve been on the University of Texas at San Antonio (UTSA) Institute for Cyber Security industry advisory group for nearly three years, which has allowed me to better understand the inner workings at that institution. In addition, I recently sat on a review committee as the only non-faculty member to review the governance of the same Institute. Both experiences have provided unparalleled understanding and visibility into the computer science and security programs at UTSA. If you don’t have time to do that, consider delivering an application security guest lecture during one of the computer science classes.
Donate money and resources! – Perhaps the strongest way to gain the attention of faculty and staff at an institute of higher education is to give money or resources. One of the things I learned during the UTSA review was that Federal and state grant dollars are scarcer now than in the recent past. So if you can write a check to drive sponsored research or contribute to a scholarship fund, you will get the attention of university leadership. Short of actually writing a check (or checks), there are other ways to contribute that can have a positive effect and build positive relationships. Another approach is to donate resources – software, or information that can be included in the curriculum.
Next blog post – Additional ideas for engagement and what the Open Web Application Security Project (OWASP) is doing to move the needle.
john _at_ denimgroup.com