Should teachers teach secure programming?

I found [via SlashDot] an interesting article at ZD/Net News. Howard Schmidt wants developers and their companies to be held liable for security issues in their code. But he doesn't completely blame developers. He also blames the companies they work for and their education.

Schmidt also referred to a recent survey from Microsoft which found that 64 percent of software developers were not confident they could write secure applications. For him, better training is the way forward.

"Most university courses traditionally focused on usability, scalability, and manageability, not security. Now a lot of universities are focusing on information assurance and security, but traditionally Web application development has been measured in mouse clicks — how to make users click through," said Schmidt.

I hear all the time from teachers who say they don't have time to include secure programming in their courses. The AP CS exam doesn't test it either. It seems to me that security along with ethics are two issues that must be considered in all programming courses in today's world. It is just too late when someone starts programming for a living. It's all about priorities. Is there a particular coding concept that is more important than security? That's a loaded question of course. But we do need to start thinking about the value of adding one more data structure or one more type of sort weighed against adding a unit on secure design and programming.

- Alfred Thompson 

Comments (3)

  1. Bernard says:

    Interesting theme you have brought up. Teaching secure software development IMHO is not a short nor easy task. I have yet to come across uni programs that have allocated sufficient resources to teach this.

    Where and when should writing secure code come into the picture? Should the course be focused on code security or more on the underlying security concepts like China wall etc., or should they be focusing on information system security or just allocating part of the system development/programming unit to security?

  2. andersonimes says:

    I definitely agree that there is not a focus on security in the education system that is up to par with what the industry demands.

    I took CS classes in High School and I can tell you that I definitely did not have the level of knowledge that would be required to absorb security related topics. There are too many non-programming related subjects that need to be explored before security issues and threat modeling can really be understood.

    The appropriate place for these classes is the upper-level bachelor’s degree. Schools should have a minimum set of requirements with regards to security-related courses. There were a few security classes in my bachelor’s degree and I can tell you – they were a complete waste of time.

    The industry dictates to a certain degree what is being taught in colleges. If the corporations want more security trained hirees, they need to focus on the push toward better security taught in colleges.

  3. daryllmc says:

    IMO, Security and Ethics should both be taught. But this is the old push/pull of teaching theory (Computer Science) versus practical application (Development).
