Where are developers who know how to develop secure software?

[dwheeler at ida.org (David A. Wheeler)]

James McGovern asked:

> Figured I would ask the list a question that I haven't figured out the
> answer to. How have other enterprises that seek architects
> and developers knowleedgable in secure coding software development
> practices articulated it to their internal HR recruiting arm?
> We have been seeking candidates with this background but haven't
> ran across much on our side of town.

It's not quite the answer you were looking for, but you may find
it necessary to get otherwise knowledgeable people and train them.
I'm saying this is ideal - it is not.  But so few people have this
knowledge that it is often necessary.

One reason is that people can get degrees in
Computer Security or Software Engineering without knowing how to
develop software that receives hostile data.  Even the
"Software Engineering Body of Knowledge" essentially
omits security issues (a supplement is being developed,
thankfully, though it's not REQUIRED).  Since most
programs is connected to the Internet or receives data
from strangers sent over it, this means that most are unqualified
to develop today's software (!).   Most software developers
don't have those degrees, last I checked, but that only makes
the lack of knowledge worse.  I think this is bordering on
criminal.  There are some good partial steps; I know that
George Mason University has an optional Master's level course
on secure programming, for example, but the basics of this information
should be MANDATORY at the UNDERGRAD level.

If you have connections with your local university, try to talk
them into increasing the amount of education they provide in
developing secure software (where software development is done).
I give away a book on this topic, as part of my effort to get the
information disseminated.

I've seriously talked with a U.S. Senatorial staffer about
the possibility of MANDATING the teaching of secure
progrmaming technniques in universities
that receive federal funding (for programming-related degrees).
I'd HATE to go down that road; universities and acceditation bodies
should normally be free to make such determinations.
But I think nobody in power wants to see people die because
cyberattacks were too darn easy.  Hopefully the
universities will see the light before this has to get forced.
Civil engineers don't graduate until they understand the
basics of bridge-building, including how to compute and handle
loads.  Software developers shouldn't graduate until they
are able to identify and handle security attacks in software,
at least the basics.

--- David A. Wheeler