Secure Coding mailing list archives
Where are developers who know how to develop secure software?
From: dwheeler at ida.org (David A. Wheeler)
Date: Mon, 05 Jun 2006 11:27:40 -0400
James McGovern asked:
Figured I would ask the list a question that I haven't figured out the answer to. How have other enterprises that seek architects and developers knowledgeable in secure coding software development practices articulated it to their internal HR recruiting arm? We have been seeking candidates with this background but haven't run across much on our side of town.
It's not quite the answer you were looking for, but you may find it necessary to get otherwise knowledgeable people and train them. I'm not saying this is ideal - it is not. But so few people have this knowledge that it is often necessary.

One reason is that people can get degrees in Computer Security or Software Engineering without knowing how to develop software that receives hostile data. Even the "Software Engineering Body of Knowledge" essentially omits security issues (a supplement is being developed, thankfully, though it's not REQUIRED). Since most programs are connected to the Internet or receive data from strangers sent over it, this means that most are unqualified to develop today's software (!). Most software developers don't have those degrees, last I checked, but that only makes the lack of knowledge worse. I think this is bordering on criminal.

There are some good partial steps; I know that George Mason University has an optional Master's level course on secure programming, for example, but the basics of this information should be MANDATORY at the UNDERGRAD level. If you have connections with your local university, try to talk them into increasing the amount of education they provide in developing secure software (where software development is done). I give away a book on this topic, as part of my effort to get the information disseminated.

I've seriously talked with a U.S. Senatorial staffer about the possibility of MANDATING the teaching of secure programming techniques in universities that receive federal funding (for programming-related degrees). I'd HATE to go down that road; universities and accreditation bodies should normally be free to make such determinations. But I think nobody in power wants to see people die because cyberattacks were too darn easy. Hopefully the universities will see the light before this has to get forced.
Civil engineers don't graduate until they understand the basics of bridge-building, including how to compute and handle loads. Software developers shouldn't graduate until they are able to identify and handle security attacks in software, at least the basics. --- David A. Wheeler