This article was originally published in Infosecurity Magazine.
Jen Easterly, US Director of the Cybersecurity and Infrastructure Agency (CISA), recently called for universities to include security as a standard element in computer science coursework. This came hot on the heels of her address at Carnegie Mellon University, urging the tech industry to take greater responsibility for ‘security-by-design.’
Easterly’s campaign is timely and critical for the current application security landscape, in which we face an AppSec dilemma. For example, the recently released White House National Cybersecurity Strategy declared the need for a shift in liability for secure software – rather than pushing the onus onto technology users, tech providers now need to be more accountable. Yet considering the current vulnerability increase is equivalent to one CVE being added every 20 minutes, more needs to be done, and it must start with university-level education.
While not every developer will have a computer science degree – there are a variety of routes into the industry – the key concern is that for those who get a relevant degree, many will not have been taught one of the most critical elements of application development: security. According to Forrester, not one of the top 50 undergraduate computer science programs require a course in code or application security for majors. This creates a dilemma, with vulnerabilities rising and as many as 70% of organizations missing critical security steps in their software development lifecycle (SDLC). Clearly, the lack of security education is unsustainable, and universities and industry must come together to better protect software, drive forward more secure innovation and ultimately ensure organizations are better protected against a menacing threat landscape.
Easterly has stated that “students need to be well educated on security – including on memory safety and secure coding practices, and professors have a major role here.” To ensure software is ‘secure-by-design,’ it’s crucial that computer science professors examine their curriculum. At the moment, it’s typical for introductory courses to be focused on correctness, efficiency and performance, yet security needs to become a top priority alongside these elements. Students must be exposed to the value of coding securely early on and ensure they can spot basic issues before entering the industry.
Security education must continue in the industry – for those joining from university and developers with plenty of coding experience that haven’t previously had access to security education. Employers need to provide this continuous training on a programmatic basis to help build developer security knowledge and allow them to apply newfound skills on the job. This training has to go beyond general security awareness – e.g., recognizing a flaw – and focus more on deep education so that the developer and everyone supporting them across the SDLC can not only recognize a flaw but understand the impact it will have and be able to fix it.
For example, while development leaders won’t necessarily be developing code, they need to become accountable for the security of the end product. This could be done by shifting how they view security and making it a ‘lifeboat’ feature (a non-negotiable element needed before pushing code live). The same concept applies to everyone, from product and project managers to quality assurance managers. Everyone across the SDLC must embrace more secure habits to ensure the delivery of secure software.
However, security-by-design does not mean reactive patching – it means proactively coding securely. This is not simply ‘shifting left,’ but instead ‘starting’ from the left and baking in secure coding at every step of the process. This is only possible if we educate and enable those creating the code, software and applications in their university courses and throughout their careers.
There is also undoubtedly a divide between academia and industry. It’s important to examine how exactly we bridge the gap between what the industry needs its development teams to know and what universities are teaching junior developers.
This starts with creating more platforms for knowledge sharing. While academics publish research and attend scientific conferences, they far less regularly join industry security events – yet both industry and academia are asking the same questions and seeking the same answers. It’s time we overcame the divide and created more opportunities – venues, events, roundtables – to collaborate and learn from each other’s research. As Jason Hong, Professor in the Human Computer Interaction Institute at Carnegie Mellon University School of Computer Science, states: “Professionals and academics no longer need to be like passing ships in the night” and instead should begin solving issues together.
In a time of increasing risk and evolving vulnerabilities, Easterly’s campaign is critical. It highlights that security-by-design is not just the responsibility of big tech but of anyone influencing and educating the SDLC. Secure coding training must start in university and continue programmatically throughout a developer’s career, with cross-discipline collaboration at the heart of success. Only then will we make progress on reducing the number of vulnerabilities in software.