secure development training in CS curriculum

tedjames

The other day, a co-worker told me that he's close to finishing his computer science degree at a local university. He's in help desk now. He wants to move into development soon and eventually into security. I happen to be studying the CISSP Software Development Security domain, so I asked him how much emphasis his degree program puts on secure development practices. He said that secure development is not in his curriculum. I've talked to others who studied CS in past decades and even in the last 10 years who said it wasn't part of their studies and that they had to learn it after the fact, if at all. You would think that by now it would be a requirement. Why isn't it? It seems that college would be the perfect time for it.

UnixGuy

Degrees are different, and vary by university/department. Some curriculum if they have 'computer security' or 'software security' subjects they include it, but if the degree is rigorous enough then learning secure code development shouldn't be hard in self-study, it's easy for a good programmer to pick those habits really.

Computer science degrees are academic, with focus on algorithms, math, and software development


University is all about teaching you how to learn, rather than covering every detail in every subject

tedjames

That makes sense. However, most of the developers I've worked with and especially the dev managers still don't consider it. I worked with one dev manager who openly said that he thought that security just got in the way of his staff getting their jobs done. "We've done it this way for 20 years!" Unlike the majority of security personnel I've known, most developers (not all) don't bother with self-study or advancement. It's frustrating.

A good friend of mine who has worked as a developer for 25 years has gone out of his way to learn security and to build it into his software. He and I have regular discussions about it and share information. I think he's the exception, at least among all of the developers I've worked with over the years.

UnixGuy

yep I agree with you, I guess it boils down to attitude it seems. Even those who learn stuff in university or via certs, they happily ignore it or can't be bothered etc etc...

tedjames

And then they complain that security is not doing its job when the system gets compromised. All we can do is advise senior management to remediate. As long as they accept the risk, our jobs are safe. That doesn't make it right, though.

UnixGuy

True, no one is gonna volunteer and say that the compromise is a result of their own negligence, someone's gotta take the blame I heard security peeps blaming foreign governments for the Malware infection on their laptop

yoba222

I believe the answer to this lies in how universities decide on their CS curriculum. I know many base theirs on ACM guidelines, like these, which were last updated in 2013.

https://www.acm.org/education/curricula-recommendations
https://www.acm.org/binaries/content/assets/education/cs2013_web_final.pdf

Check out the chart on page 37.
I didn't spend a lot of time on this 400 page publication, but it did mention spending a mere 3 hours here and 6 hours there on secure code development practices. The 2008 version didn't recognize the category of secure coding at all. So maybe it will start to hit schools in 2-3 years if they bump the recommendations up. Universities are really slow about adopting tech trends in my opinion.