Where are the Developers? The Gap Between Software Security and Higher Education

By John Dickson

Perhaps one of the more interesting discussions at last month’s SANS AppSec conference was with Mary Ann Davidson, Chief Security Officer at Oracle Corporation. Mary Ann’s session drew on several military analogies to the software security world, but the section of her presentation that got my strongest interest dealt with higher education. In a nutshell, Mary Ann has been trying to influence colleges and universities to graduate better developers, specifically developers who understand basic concepts of secure software development and design. She speaks frequently – as she did at SANS – about how she sent letters to the top 12 hiring universities demanding that they teach secure development concepts. I’ve characterized this as a great example of a “stick” approach to effecting change, namely “you had better change or else.” This might have an impact if you’re Oracle (or Microsoft or Google). It will likely have less of an effect if you’re Denim Group or any other company with a smaller market footprint.

At the SANS conference, I found out that Mary Ann received only one response to her 12 letters. This is a surprise to me, given her high-profile position at Oracle. If these universities could be so indifferent to Oracle, how will they respond when lesser giants squawk?

I learned two things:

  • Professors might perceive themselves to be impervious to outside threats, even from one of the 800-pound Silicon Valley gorillas. (Tenure trumps all, I guess.)

  • Indifference might be involved. Perhaps the universities have so many competing requests that Mary Ann’s letter fell on deaf ears.

Regardless, one response to twelve letters speaks volumes. Others in the software security community have met with similar results. Undergraduate students rarely understand secure development concepts – at best they took one elective that skimmed the highest-level concepts of secure system design and software security. At worst, they had one lecture on SSL. In spite of the rise of college security programs, the development of software security courses has lagged significantly.

I’ve been told this is because of the sheer number of classes Computer Science programs require their undergraduates to complete for their degree plans. How can you justify bumping a class on operating systems to insert a secure programming class? Fair enough, but those of us in industry are still forced to train software developers in the skills they need for secure development – a process that can take two years.

The status quo is bad: universities are cranking out new coders who will make the same mistakes and will learn the hard way how to write more secure code.

Coming up – Ideas for “carrots” for higher education to encourage them to teach more software security.

Contact us for help teaching your developers about software security.

john _at_ denimgroup.com

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.
