The Security Education Paradox

The history chapter of most computer security courses includes a reference to the Morris Worm, a malicious program released in November 1988 by Robert Tappan Morris. It spread by exploiting weaknesses in common Internet services (a buffer overflow in fingerd, the debug mode of sendmail, and weak or guessable passwords on hosts that trusted each other), and it infected an estimated one in ten of the roughly 60,000 hosts then connected to the Internet, crippling the network for days.

30 years later, tens of thousands of children who were born after the Morris Worm made headlines have graduated from college with computer science or software engineering majors. Sadly, very few were required to learn about the programming and design weaknesses that made the Morris Worm possible. The same weaknesses have since resulted in thousands of other vulnerabilities, some of which have inflicted far more severe damage than the Morris Worm did 30 years ago.

Students cannot earn a chemistry degree without taking mandatory safety courses where they learn how to avoid blowing up a building.  But, surprisingly, they can become computer scientists or software engineers without any exposure to basic secure coding and safe design practices that could prevent an attacker from blowing up the Internet.

Secure design and coding is not new. The weaknesses that made the Morris Worm possible have long been included in the CWE/SANS Top 25 “Most Dangerous Software Errors”, and ways to prevent them have been widely documented by organizations such as SAFECode, OWASP and the IEEE Center for Secure Design. However, for no apparent reason whatsoever, mastering these techniques has never been required to become a software engineer or a computer scientist. At best, students are offered security as an elective course, as if building a secure Internet were optional.

To compensate for this knowledge gap, mature software development organizations provide security training to their software developers as part of a holistic approach to software security. Dell EMC, along with other organizations, is also making this training available for free to the broader community through SAFECode.

But this is not sufficient. Every day, device manufacturers are turning into software companies to ride the Internet of Things (IoT) wave. They hire software professionals to connect their devices and to build their software culture. But without basic security knowledge, these software professionals will perpetuate the same mistakes that have contributed to our current state of insecurity.

“The best time to plant a tree was 20 years ago. The second best time is now.” – Chinese Proverb

The only sustainable way to break this vicious circle is to teach safe coding practices to future software professionals in the way we teach safety to chemists: by making it part of the curriculum and a required skill for graduation.

Both industry and academia have a key role to play in helping to build a more secure digital infrastructure. Industry has to make security part of every stage of its software development process and train its developers in secure coding techniques. Academia can do its part by making security part of the curriculum to train the next generation of software professionals.

We can all contribute to solving this security education paradox by engaging the educational institutions in our own networks about their role in making industry’s push for more secure software sustainable.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security across the product portfolio: vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC, where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions with Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Master of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France, and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize