SAN FRANCISCO--Software companies are taking colleges to task for not producing computer science graduates who know how to create secure programs.
In a two-hour panel session Tuesday at the Secure Software Forum here, Oracle, Microsoft and other software makers attempted to analyze why flawed software is still overwhelmingly the rule and not the exception in the industry. A major contributor, the companies said, is college students' lack of a good grounding in secure programming.
"Unfortunately, if you are a vendor, you have to train your developers until the universities start doing it," said Mary Ann Davidson, chief security officer at Oracle, who kicked off the panel discussion that, while separate from the ongoing RSA Security Conference, addressed many of the same topics.
The panel discussion is the software industry's latest soul-searching on security. While companies claim to want more secure software, in most cases, they have yet to put their money where their mouth is. Many software makers believe that better training of computer science graduates is a key step toward improving software quality, but some security researchers have criticized the industry, pointing out that industry demand for programmers generally does not give preference to those trained in secure programming.
Fred Rica, a partner in PricewaterhouseCoopers' Threat and Vulnerability Assessment Services, likened the situation to sports.
"Colleges produce athletes capable of going on to the NFL because their football programs know what is needed," he said. "We have to be very clear what types of skills we need from future graduates."
Such thinking is driving Microsoft and other security companies to try to influence curricula at colleges. Microsoft has pledged $500,000 to 10 universities as part of a contest to create trustworthy-computing curricula, and several security firms have also established scholarships at a handful of schools. Private industry is not the only one attempting to kick-start better security education at universities. Several federal agencies, including the Department of Defense and the National Security Agency, have named several college programs as National Centers of Academic Excellence in a variety of security disciplines.
Oracle's Davidson said education is only a start, noting that better tools need to be developed to spot common flaws. Such tools should be used by all developers because even well-trained, well-meaning developers can miss errors in programs. In one case, Oracle's security staff missed one out of 21 flaws during an audit, a mistake that cost the company $1 million to fix later, she said.
"Even the people who 'get it' need good, automated tools," she said.
However, others on the panel laid the blame for the problems squarely at the feet of software makers.
Until companies are willing to foot the bill for security, applications will not get better, Rica said. When given a choice to put new features into a product or secure the old ones, software makers do not hesitate.
"Functionality still trumps security," he said. "Functionality is still king."
A Gartner study found that while companies put a lack of skills as a priority on their list of problems to be fixed, funding for developer training is second-to-last on their budgets.
Ira Winkler, a security consultant and part of the panel, criticized the focus on college education and stressed that companies should not rely on schools to train developers.
"I'm not going to hire someone straight out of college because they don't know anything," he said. "We need people who have on-the-job training."
I agree that colleges don't do enough to educate programmers on secure programming, but before you go nuts blaming the professor you might want to take a look at the languages. I think there is a real need to build a language that is more conducive to forcing good programming. I know that is a very open-ended, general statement.
I personally don't like C++ because there is just too much that can go wrong with my code. I will admit I am not a great programmer. I prefer languages that don't allow me too much control, like Java. I would even prefer to use Object Pascal if it was supported better.
I find it audacious that software development firms are saying that the reason software is developed with security holes is because the universities are not teaching secure software. I am a former IBM Systems Engineer, JAVA instructor, and a contract college teacher. I started programming computers in mid-1960s.
If software firms want more secure, error-free software they need only examine and correct their own practice of 'stuffing' systems and applications with 'junk' features and functions that are rarely used by the consumer. These 'features(?)' are in the software merely to make it appear more 'powerful' and to thwart the competition. If the added features are so marketable they should be developed in a separate program --- and the software firms know it would not sell!
Another inane practice is "Get the primary functions working and put it out to the public. Let the users find the small holes." What we used to call 'Beta Software' is now 'release 1 software.'