Secure Coding mailing list archives

Where are developers who know how to develop secure software?


From: leichter_jerrold at emc.com (leichter_jerrold at emc.com)
Date: Wed, 7 Jun 2006 15:33:27 -0400

On Mon, 5 Jun 2006, David A. Wheeler wrote:
| ... One reason is that people can get degrees in
| Computer Security or Software Engineering without knowing how to
| develop software that receives hostile data.  Even the
| "Software Engineering Body of Knowledge" essentially
| omits security issues (a supplement is being developed,
| thankfully, though it's not REQUIRED)....
| 
| If you have connections with your local university, try to talk
| them into increasing the amount of education they provide in
| developing secure software (where software development is done).
| I give away a book on this topic, as part of my effort to get the
| information disseminated....
Keep in mind that you can run into a fundamental conflict about what
a university education is supposed to be about.

At least where computer science departments are part of the liberal
arts school, their fundamental view is that they are there to teach
concepts, not to train people for work.  The view is that, if you want
someone who knows the basics of today's technologies, hire a graduate
of a vocational school.  Universities produce people who know how to
think about technology and can learn the details of any particular
technology when they need to.  University programming assignments
focus on the ideas, not on the "trivial minutia" of validating input,
for example.  A university cryptography course will likely be heavy
on theory, light on how to safely apply cryptographic primitives.  Any
"secure computing" courses at universities are likely to focus on what
someone identifies as broad principles, not on how to avoid buffer
overflows in C - much less on how to restructure existing horrible
C code so that you can eliminate its buffer overflows.  (When I ask
the typical university-trained CS major "How do you recognize that a
class has been designed well?" about the only answer I am likely to
get is that the member fields are all private and accessed through
getters and setters.  Sigh.)

I don't want to get into a debate about the validity of this approach,
but recognize that it's there and it's not going away.  I would also
be very careful about any sentence that starts "you can get a degree
without knowing X", because you'll be astounded to learn just what
you can substitute for X.  For example, very few CS graduates have
any understanding of even the most fundamental facts about floating
point arithmetic.  (Ask them how many times a loop that starts an FP
value at 0.0 and adds 0.1 to it until the result equals 1.0 will execute.)

When I interview new college graduates, on almost all subjects, I assume
that, if they got a good college education, they understand basic
principles and will be able to use them to learn specifics.  But on the
real practice of software development, what they haven't learned through
co-op programs or other work experience, I'll have to train them on.
(It's also my view that design, architecture, non-trivial secure coding,
and so on cannot be taught in the way that sciences are taught, by
someone lecturing from the front of the room.  They need to be taught as
art or writing is taught - by example and by practice and critique.
This is something university CS departments are rarely set up to do.)

                                                        -- Jerry
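The floating-point interview question in the message above, worked through as an added example (not part of the original post): the naive loop with an exact `== 1.0` exit test never terminates on IEEE 754 doubles, while an integer-bounded or tolerance-based exit condition does. Function names and the iteration cap are this example's own choices.

```python
from typing import Optional

# Added example, not from the original message. Simulates the interview
# question: start x at 0.0, add 0.1 until x == 1.0. Because 0.1 has no
# exact binary representation, the running sum after ten additions is
# 0.9999999999999999, never 1.0, so an exact-equality exit test never fires.

def accumulated_after(n: int, step: float = 0.1) -> float:
    """Return the running sum after adding `step` to 0.0 exactly n times."""
    x = 0.0
    for _ in range(n):
        x += step
    return x


def naive_loop_iterations(step: float = 0.1, target: float = 1.0,
                          cap: int = 1000) -> Optional[int]:
    """Iteration count of `while x != target: x += step`, or None if the
    loop reaches `cap` iterations without ever hitting `target` exactly
    (the uncapped version would run forever)."""
    x = 0.0
    for i in range(cap):
        if x == target:
            return i
        x += step
    return None


def tolerant_loop_iterations(step: float = 0.1, target: float = 1.0,
                             tol: float = 1e-9, cap: int = 1000) -> Optional[int]:
    """Same loop with a robust exit test: stop once x is within `tol` of
    `target`. Still bounded by `cap` as a belt-and-braces guard against a
    step that could never reach the target (e.g. zero or negative)."""
    x = 0.0
    for i in range(cap):
        if x >= target - tol:
            return i
        x += step
    return None


if __name__ == "__main__":
    print("sum after 10 additions:", repr(accumulated_after(10)))  # 0.9999999999999999
    print("naive loop terminates after:", naive_loop_iterations())   # None (never)
    print("tolerant loop terminates after:", tolerant_loop_iterations())  # 10
```

The same lesson applies to any loop or validation check whose termination depends on an exact floating-point comparison: bound the loop by an integer count and compare with a tolerance.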
