I sat in on an interesting session on professionalizing secure software development this morning at RSA Conference 2009. The panel was quite strong, with representation from ISC2, SANS Institute, SAIC, and Microsoft. They offered some good food for thought around the skill level of graduates from universities and community colleges: very few have any knowledge of secure programming, and even fewer are exposed to it in their programs. Apparently, a handful of larger organizations will only hire developers with demonstrated secure programming skills, but they are in a distinct minority. One of the panelists suggested that if employers begin to demand these skills, schools will begin to teach them.
The questions in the session were particularly insightful, and one in particular stood out: who teaches the teachers of secure software development? Within universities and community colleges, instructors don’t have secure software development expertise, so we can’t expect this discipline to be taught.
I think this problem has been solved many times before, so we ought to be able to look at how other technology skills have made it into mainstream curriculum. At some point, nobody knew anything about Java, but we overcame that. For that matter, nobody knew anything about extreme programming, but that’s not the case anymore either.
Continue speaking about the importance of secure programming skills and promote them as an asset. Make connections between secure development practitioners and academics. Offer internships. Sponsor secure programming contests.
Patience is a virtue; with time, people will learn the techniques of secure software development.
—
Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at RSA Conference 2009
Regular blogger for Cogitatio Privatim by Camouflage