San Francisco, Calif. "Ninety-nine percent of the people want to write secure code," said panelist Ira Winkler, at the Secure Software Forum last week, "they just don't know how." Winkler, Global Security Strategist for CSC Consulting, was one of 12 panelists at the SPI Dynamics-hosted event, and his comment was at the core of the main point of contention during the 90-minute discussion about the security process in software development lifecycles.
"The people" to whom Winkler was referring are software developers, who many of the panelists (mostly senior security officers and consultants) believe lack the secure coding skills their organizations need. Because many of them have been forced to supplement those skills through training, they voiced dissatisfaction with the colleges and universities that are graduating these programmers with computer science degrees.
The developers themselves escaped blame, as many of the panelists pointed the finger squarely at higher education. Brian Cohen, president and CEO of SPI Dynamics, said, "Our universities are letting us down. It's inexcusable that engineering programs don't train programmers in security."
Nearly all the panelists had the responsibility of ensuring that their development teams produce code with as few vulnerabilities as possible. "Vendors must certify their developers [in secure coding] until universities do," explained Mary Ann Davidson, chief security officer at Oracle, during the forum's opening keynote address.
Davidson's point is a contentious reality that seems to exacerbate companies' frustration, particularly when the solution means dipping into IT budgets. Dave Cullinane, Washington Mutual's CISO, has had to hire consultants from large software vendors such as Microsoft and Sun Microsystems to train his development staff. He asked, "Why am I paying for vendors to train my programmers in secure coding? Can't I hire someone out of college who already knows how to do that?"
The Secure Mentality
Teaching secure programming to computer science students seems a legitimate request. Legitimate, perhaps, but not simple, according to Brian Chess, Ph.D., founder and chief scientist at Fortify Software. "If you expect universities to teach students a set of facts that will make them secure coders, you're dreaming," he said. "You have to teach a mentality."
The current mentality among developers values features and performance far more than security, and this seems to be a reflection of the industry in which they work. Fred Rica, a partner in PricewaterhouseCoopers' Threat & Vulnerability Assessment Services, said, "The data from the security scans we run for our clients proves one thing: Function is king." He explained that the security vulnerabilities his service finds are often so basic that clients could find them with the most rudimentary checks, if they made them a priority.
Security can't seem to find its way onto the priority list in computer science departments either. An audience member who teaches in one such department at Johns Hopkins University explained why more graduates aren't well versed in the finer points of secure coding by describing the attitudes in his faculty's staff room. "Most of the tenured faculty view secure coding techniques as this exotic, boutique discipline, not part of the core curriculum for computer science," he said.