secure development training in CS curriculum
The other day, a co-worker told me that he's close to finishing his computer science degree at a local university. He's in help desk now. He wants to move into development soon and eventually into security. I happen to be studying the CISSP Software Development Security domain, so I asked him how much emphasis his degree program puts on secure development practices. He said that secure development is not in his curriculum. I've talked to others who studied CS in past decades and even in the last 10 years who said it wasn't part of their studies and that they had to learn it after the fact, if at all. You would think that by now it would be a requirement. Why isn't it? It seems that college would be the perfect time for it.
Comments
-
UnixGuy Mod Posts: 4,570 ModDegrees are different, and vary by university/department. Some curriculum if they have 'computer security' or 'software security' subjects they include it, but if the degree is rigorous enough then learning secure code development shouldn't be hard in self-study, it's easy for a good programmer to pick those habits really.
Computer science degrees are academic, with focus on algorithms, math, and software development
University is all about teaching you how to learn, rather than covering every detail in every subject -
tedjames Member Posts: 1,182 ■■■■■■■■□□That makes sense. However, most of the developers I've worked with and especially the dev managers still don't consider it. I worked with one dev manager who openly said that he thought that security just got in the way of his staff getting their jobs done. "We've done it this way for 20 years!" Unlike the majority of security personnel I've known, most developers (not all) don't bother with self-study or advancement. It's frustrating.
A good friend of mine who has worked as a developer for 25 years has gone out of his way to learn security and to build it into his software. He and I have regular discussions about it and share information. I think he's the exception, at least among all of the developers I've worked with over the years. -
UnixGuy Mod Posts: 4,570 Modyep I agree with you, I guess it boils down to attitude it seems. Even those who learn stuff in university or via certs, they happily ignore it or can't be bothered etc etc...
-
tedjames Member Posts: 1,182 ■■■■■■■■□□And then they complain that security is not doing its job when the system gets compromised. All we can do is advise senior management to remediate. As long as they accept the risk, our jobs are safe. That doesn't make it right, though.
-
UnixGuy Mod Posts: 4,570 ModTrue, no one is gonna volunteer and say that the compromise is a result of their own negligence, someone's gotta take the blame I heard security peeps blaming foreign governments for the Malware infection on their laptop
-
yoba222 Member Posts: 1,237 ■■■■■■■■□□I believe the answer to this lies in how universities decide on their CS curriculum. I know many base theirs on ACM guidelines, like these, which were last updated in 2013.
https://www.acm.org/education/curricula-recommendations
https://www.acm.org/binaries/content/assets/education/cs2013_web_final.pdf
Check out the chart on page 37.
I didn't spend a lot of time on this 400 page publication, but it did mention spending a mere 3 hours here and 6 hours there on secure code development practices. The 2008 version didn't recognize the category of secure coding at all. So maybe it will start to hit schools in 2-3 years if they bump the recommendations up. Universities are really slow about adopting tech trends in my opinion.A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP