College-level courses designed to train aspiring application developers in the latest secure coding practices are generally hard to find, but professors that run two of the most prestigious security training programs in the United States say course offerings are improving and students are lining up to take them.
Secure coding training courses often take a back seat to other material that competes for inclusion in the curriculum, said Pascal Meunier, a visiting assistant professor at Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS) program. Meunier said more security experts need to become teachers and join in the effort in creating and maintaining course material.
Secure software development is a relatively early discipline that is rapidly changing, making it difficult for colleges and universities to create courses that can be repeated from semester to semester. Institutional knowledge is scattered. There are few centralized resources for university professors to draw upon to reduce duplication, collect relevant material and identify funding sources. Meunier, whose secure coding class was one of the first in the country taught at a university level, said he hasn't found a book that could serve well in his programming class on its own.
"My secure programming class requires a good revision and updates every time I teach it, so it is a lot of work, especially compared to more established areas that are more or less static in the material taught to undergraduates," Meunier said. That makes secure programming less popular to teach, and it requires more money for upkeep and for creating new labs and projects."
Information exchange and money would help provide consistent secure programming education throughout the United States, Meunier said. The SANS Institute held a Faculty Workshop on Secure Software Development last spring to exchange information and tips between universities on the subject of secure coding. The workshop should be an annual event, he said.
"In general, I believe that people willing to teach secure programming and develop new material are insufficiently funded and the task is under-prioritized," he said.
The interest in secure coding classes is rising among aspiring developers. While many are focused on learning effective coding techniques, some turn to secure programming to make them more attractive to prospective employers.
"Some are overwhelmed by the sheer number of ways in which it is possible to mess up a program's security, and all they need to care about," Meunier said. "From what I can tell, they become much more cautious afterwards. It's an interesting area because surprises are always around the corner."
When the CWE/SANS Top 25 Dangerous Programming Errors list was announced, security experts hoped it would increase the level of attention paid to security by software developers and also be used as a tool in academic environments. Meunier, who has been on the board of editors of the CVE at MITRE since 1999, helped develop the Top 25 list. He said the list could be helpful to highlight the fundamental problems with coding.
"It is a preventative effort which gets an amplified impact through the software lifecycle," he said. "Given this amplification effect and the costs of patching and poor security, I believe that it should be put on a poster and framed in every software development company, and covered in secure programming classes."
Matt Bishop, a professor in the Department of Computer Science at the University of California at Davis, also worked on the list's creation. He said the list has potential, but will have only a minimal effect.
"What's depressing in a way is that all of these things in this list have been around since I've been doing computer security in 1979," Bishop said.
Bishop is one of the co-directors of the Computer Security Laboratory at UC Davis. He helped organize the SANS faculty secure coding workshop last year. Adding secure programming courses at universities is difficult because computer science curriculums are already very full at many schools, he said.
"More funding and getting people with experience will really help," Bishop said. "You can't require this without support because university budgets are really stretched tight."
At UC Davis, Bishop said his security class covers both robust and secure coding. The students are told every program they write will have unusual stuff thrown at it.
"With aspiring software developers there's an intense emphasis on getting it finished and getting the requirements of the project satisfied," Bishop said. "Once they see what happens when you don't code robustly, they become quite interested and enthusiastic about it."
Will the Top 25 Errors list have any impact on education? Meunier said we'll have to wait and see.
"How much impact it will have depends on how much developers will pay attention to it," he said.