an Francisco, Calif.?”Ninety-nine percent of the people want to write secure code,” said panelist Ira Winkler, at the Secure Software Forum last week, “they just don’t know how.” Winkler, Global Security Strategist for CSC Consulting, was one of 12 panelists at the SPI Dynamics-hosted event, and his comment was at the core of the main point of contention during the 90-minute discussion about the security process in software development lifecycles.

“The people” to whom Winkler was referring are software developers, who many of the panelists (mostly senior security officers and consultants) believe lack the necessary secure coding skills for their organizations. As many of them have been forced to supplement those skills through training, they voiced dissatisfaction with the colleges and universities who are graduating these programmers with computer science degrees.

The developers themselves eluded blame as many of the panelists pointed the finger squarely at higher education. Brian Cohen, president and CEO of SPI Dynamics said, “Our universities are letting us down. It’s inexcusable that engineering programs don’t train programmers in security.”

Nearly all the panelists had the responsibility of ensuring that their development teams produce code with as few vulnerabilities as possible. “Vendors must certify their developers [in secure coding] until universities do,” explained Mary Ann Davidson, chief security officer at Oracle, during the forum’s opening keynote address.

Davidson’s point is a contentious reality that seems to exacerbate companies’ frustration?particularly when the solution means dipping into IT budgets. Dave Cullinane, Washington Mutual’s CISO, has had to hire consultants from the large software vendors such as Microsoft and Sun Microsystems to train his development staff. He asked, “Why am I paying for vendors to train my programmers in secure coding? Can’t I hire someone out of college who already knows how to do that?”

The Secure Mentality
Teaching secure programming to computer science students seems a legitimate request. Legitimate, perhaps, but not simple, according to Brian Chess, Ph.D., founder and chief scientist at Fortify Software. “If you expect universities to teach students a set of facts that will make them secure coders, you’re dreaming,” he said. “You have to teach a mentality.”

The current mentality among developers values functions and performance far more than security, and this seems to be a reflection of the industry in which they work. Said Fred Rica, a partner at PricewaterhouseCoopers, Threat & Vulnerability Assessment Services, “The data from the security scans we run for our clients proves one thing: Function is king.” He explained that the security vulnerabilities his service finds are often so basic that their clients could find them with the most remedial checks, if they made them a priority.

Security can’t seem to find its way onto the priority list in computer science departments either. An audience member who teaches in one such department at Johns Hopkins University explained why more graduates aren’t well versed in the finer points of secure coding by exposing the attitudes in his faculty staff room. “Most of the tenured faculty view secure coding techniques as this exotic, boutique discipline, not part of the core curriculum for computer science,” he said.

Better Training on the Job?
Not everyone was down on higher education, however. SPI Dynamics, based in Atlanta, uses Georgia Tech computer science interns. CTO and Founder Caleb Sima raved about the skills these young programmers displayed. They were tasked with finding the bugs in assigned code blocks, where SPI Dynamics hid flaws. The interns were so good that SPI Dynamics began turning them loose on code that wasn’t intentionally “bugged” and asked them to fulfill the same mission. The exercise turned out to have a similar premise to a game that they played in one of their Georgia Tech courses.

At Oracle, explained Davidson, finding vulnerabilities is no game for development teams. Her directive to her teams: “You’re accountable for every line of code you write.” Proving that they were dead serious, Oracle put its development teams through secure coding training, gave them the top few vulnerabilities on which to focus (“a one-pager”), and told them to find and fix them in their code. Then the code was audited and if any of those vulnerabilities were found, according to Davidson, “no bonus, no stock options [for the responsible teams].”

Taking such a hard-line and investing real money in training to back it up may be the only way to change a software culture that doesn’t highly value security. Theresa Lanowitz, a Gartner research director focused on application testing and development, frequently hears the gripes about the lack of skills from her clients. “It’s the number one concern they cite,” she said. “Yet training and education rank second-to-last in many budgets.”

“Everybody salutes the education flag but most people don’t have time,” explained Cohen, a 24-year veteran of the IT industry. “Education has to happen to people while they do their jobs. We can’t stop the corporate engine to teach.”

Winkler, who does not believe in security certifications, also advocated on-the-job training. He explained that the number of classroom hours required to complete some security certifications is equivalent to only a single workweek in the real world. “You can’t learn security in [a classroom] environment,” he said.

The problem with teaching developer security on the job is that the consequences of mistakes are very real. An overlooked vulnerability may result in a failing grade in the classroom, but in production code it can cost a software company millions. The comments at the Secure Software Forum indicate that management has grown weary of allowing their companies to be the laboratories where recent computer science graduates learn from their mistakes. They believe that’s what colleges are for.