Ounce Labs Inc. has started a program to help universities produce software writers with a knack for security. Under the Secure Foundations Initiative, the company will offer academic institutions its expertise and technology to help promote secure coding.
"Well-constructed software is the core of information security; the industry as a whole must make proper coding techniques a top priority throughout development," said Jack Danahy, CEO of the Waltham, Mass.-based firm, which specializes in software vulnerability risk management. "There's really a need for academia to step up and teach people to make software that's secure, not just functional. You won't find many security people who don't feel a sense of ownership about this issue. If we can solve the problem of insecure software, everything will be much better, and people who get more education on security will be more marketable later."
So far, the firm has committed software and research grants worth more than $500,000 to launch the program, providing the resources to such institutions as the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, George Washington University and the HACNet Lab at Southern Methodist University.
"Development of reliable, secure software has historically been presented as a separate subject, but we now recognize it as a primary skill that should be taught throughout computer science and engineering curricula," Dr. Eugene Spafford, executive director of CERIAS, said in a statement. "We are pleased to have Ounce Labs' support for the CERIAS program, and we are exploring ways to incorporate their technology into our information security curricula."
As part of the program, Ounce Labs will make available its Prexis software, which automatically scans source code to analyze an application's overall security and pinpoint vulnerabilities that need fixing. "With reliable metrics that allow organizations to evaluate and manage software risk, Prexis lets students compare security levels of applications over time and against other applications," the firm said in a statement. "Prexis also offers detailed analysis of each vulnerability, including location, severity and remediation techniques, so users become familiar with coding errors and how to fix them."
Dr. F. Marco Marchetti, associate director of the HACNet Lab at Southern Methodist University, said the software will prove handy. "This level and quality of analysis will give them an in-depth understanding that will make them top prospects for software engineering and security positions," he said.
Marchetti said the university will start offering the program to graduate students at the start of the next semester in January.
"Security used to be an add-on factor," he said. "Getting an application to work, not crash, is priority one. Now, there's a growing realization that the basic concept of writing secure code is something that must be taught. Prexis will help. By teaching people at the start what to look for and be aware of, I think we'll come a long way quickly."