Education and training play a crucial role in secure code writing, says Howard Schmidt, CEO of R&H Security Consulting in Issaquah, Wash. and a former White House cybersecurity advisor.
The onus is on software companies to ensure they either hire code developers trained in secure code authoring or provide themselves the necessary training needed by programmers so that they are able to write more secure code, he says.
One professor at the University of Ottawa believes that, while educational institutions are producing more IT graduates who know how to code secure software, there is still a “great distance to go.”
The University of Ottawa’s software engineering program educates undergrads on secure coding through a course called Design of Secure Computer Systems, says computer science and software engineering professor Timothy Lethbridge.
But while the course is compulsory for software engineering undergrads, it is merely an elective for computer science students, Lethbridge says. He explains that’s because computer science programs encompass many scientific fields, a student that majors in artificial intelligence, for instance, may see no need to take the secure coding course.
Still, many computer science undergrads choose to take the course, he says.
“Many students take it because they know that security is important and it will help them get a job,” Lethbridge says.
The course includes training in security policies, mechanisms and awareness, physical security, user authentication, application security mechanisms, encryption, external and internal firewalls, security of operating systems and software, devices for security analysis and ethical issues in computer security.
Meanwhile, more students at the University of Waterloo are taking courses in writing secure software, says Urs Hengartner, assistant professor at the university’s David R. Cheriton School of computer science.
A Network and Security course, for example, is being taught to 200 students enrolled this term, while Applied Cryptography has 130 students enrolled every year, Hengartner says.
“Students are looking for more security courses. [The Applied Cryprography instructor] told me that if we had a real security course, up to half of the students would probably take that course instead of the Applied Cryptography course,” Hengartner says.
The University of Waterloo’s Developing Programming Principles course for software engineering undergrads also provides insight into secure coding practice, covering topics such as tracing and debugging.
In Software Testing and Quality Assurance students learn how to build a reliable system through lectures on structural and functional testing, integration and system testing, software reliability and quality assurance.
While students in Waterloo get knowledge on secure programming, Hengartner believes “we can definitely do better.” He says the university is planning to hire more faculty staff to teach software security and design more security-related courses.
The university plans to introduce an additional security course on an experimental basis to determine whether there is sufficient interest among students.
Likewise, existing software developers should undergo regular refresh training in order to upgrade their knowledge on secure code practices and techniques, Lethbridge says.
“Security, usability and reliability are needed to improve the software infrastructure,” he says. “Unfortunately, my experience in the industry is that, at the moment, the amount of training that they do on the workforce is not as deep as it should be.”