Colleges fail to teach design of secure code

RSA conference hears top computer science programmes in the US deliver minimal content on security

A group of computer hackers work on laptop computers. Photograph: REUTERS/Jeff Christensen
A group of computer hackers work on laptop computers. Photograph: REUTERS/Jeff Christensen

Karlin Lillington
in San Francisco

Despite growing concerns about the security and hackability of software, universities are failing to teach computer science students how to design secure code, according to a new study by Prof Matt Bishop of the University of California at Davis.

"We're not getting those skills taught at the university level and [students are] not picking them up later in the market, because it's not part of their role," said Jacob West, chief technology officer for enterprise security products at HP, in a session today at the RSA Conference on security.

Mr West, who has worked with Prof Bishop to develop ideas for improving computer science education, noted that 84 per cent of security breaches target software: “It’s the weak point in to the ecosystem.”

READ SOME MORE

At the same time, “the line between a secure and insecure system is very fine. A single mistake in the right place can bring a piece of software to its knees and put a corporation on the front of the Wall Street Journal.”

Of 12 leading US universities with what he considers the most mature computer science degree programmes in the country, Mr West said coursework on security was minimal and “horrifically bad”.

At Stanford, the University of California at Berkeley, Carnegie-Mellon and MIT – all famed for computing and engineering courses – only a single class on software security was required on a four-year degree course. There were very few elective courses on the subject, either, West said.

“And, only three of nine specialised courses at the top universities [for example, graduate degrees] have a security track,” he added.

“The problem is, we don’t write software that is robust. Yet, you don’t read the news where there isn’t a week that goes by without some security breach of software. For example the recent Apple breach – that was one line of code, a simple mistake, but led to a huge problem for the security industry.”

A critical problem is that a generation of people now teaching at university level “don’t know about robust programming or don’t believe in it.”

So, robust programming is not seen as integral to good programming, a problem that is exemplified by leading computer science textbooks that are full of poor examples taught as good coding, he said.

Addressing the problem is critical in a world where software is becoming ubiquitous and is used in critical operations and infrastructure, from automatically flying airplanes to running power grids and nuclear facilities.

Lack of financial resources is a problem in bringing about change, which will probably only come through collaboration between academia and government, he said.

“We need to help our computer grads understand the role of security in their new professions. We really have to teach everyone the core principles,” he said.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology