[ISN] Software firms fault colleges' security education

InfoSec News isn at c4i.org
Thu Feb 17 04:44:20 EST 2005


By Robert Lemos 
Staff Writer, CNET News.com
February 16, 2005

SAN FRANCISCO -- Software companies are taking colleges to task for
not producing computer science graduates who know how to create secure

In a two-hour panel session Tuesday at the Secure Software Forum here,
Oracle, Microsoft and other software makers attempted to analyze why
flawed software is still overwhelmingly the rule and not the exception
in the industry. A major contributor, the companies said, is college
students' lack of a good grounding in secure programming.

"Unfortunately, if you are a vendor, you have to train your developers
until the universities start doing it," said Mary Ann Davidson, chief
security officer at Oracle, who kicked off the panel discussion that,
while separate from the ongoing RSA Security Conference, addressed
many of the same topics.

The panel discussion is the software industry's latest soul-searching
on security. While companies claim to want more secure software, in
most cases, they have yet to put their money where their mouth is.  
Many software makers believe that better training of computer science
graduates is a key step toward improving software quality, but some
security researchers have criticized the industry, pointing out that
industry demand for programmers generally does not give preference to
those trained in secure programming.

Fred Rica, a partner in PricewaterhouseCoopers' Threat and
Vulnerability Assessment Services, likened the situation to sports.

"Colleges produce athletes capable of going on to the NFL because
their football programs know what is needed," he said. "We have to be
very clear what types of skills we need from future graduates."

Such thinking is driving Microsoft and other security companies to try
and influence curricula at colleges. Microsoft has pledged $500,000 to
10 universities as part of a contest to create trustworthy-computing
curricula, and several security firms have also established
scholarships at a handful of schools. Private industry is not the only
one attempting to kick-start better security education at
universities. Several federal agencies, including the Department of
Defense and the National Security Agency, have named several college
programs as National Centers of Academic Excellence in a variety of
security disciplines.

Oracle's Davidson said education is only a start, noting that better
tools need to be developed to spot common flaws. Such tools should be
used by all developers because even well-trained, well-meaning
developers can miss errors in programs. In one case, Oracle's security
staff missed one out of 21 flaws during an audit, a mistake that cost
the company $1 million to fix later, she said.

"Even the people who 'get it' need good, automated tools," she said.

However, others on the panel laid the blame for the problems squarely
at the feet of software makers.

Until companies are willing to foot the bill for security,
applications will not get better, Rica said. When given a choice to
put new features into a product or secure the old ones, software
makers do not hesitate.

"Functionality still trumps security," he said. "Functionality is
still king."

A Gartner study found that while companies put a lack of skills as a
priority on their list of problems to be fixed, funding for developer
training is second-to-last on their budgets.

Ira Winkler, a security consultant and part of the panel, criticized
the focus on college education and stressed that companies should not
rely on schools to train developers.

"I'm not going to hire someone straight out of college because they
don't know anything," he said. "We need people who have on-the-job

More information about the ISN mailing list