Expert Roundtable on The Future of Security Education
The 2013 Target breach and the titanic losses incurred by the firm (reportedly around $440 million) attracted months of coverage in big media—but anybody who follows security news knows that businesses are always under attack. Indeed, according to a survey by security vendor Check Point, 88 percent of organizations suffered a security breach at least once in 2013, and the Ponemon Institute estimates the cost per breach at $145 per compromised record. So, how can our defenses be improved?
Jacob West, chief technology officer (CTO) for enterprise security products at HP, has thought deeply about this question. Citing Gartner research that 84 percent of attacks target software, he argues that we need to rethink security education, so that the next generation of software developers learns how to write more robust code now. To find out more, we spoke with West, and took his ideas to two other leading security experts to get their opinions on how to address this crisis.
Today, says West, “Attacks are staged and contain multiple phases, which contain different individual actors [and] different systems and target different assets.”
Thus, while a simple phishing attack may be what first allows an attacker to compromise a particular user’s credentials and log into a system, software is key to what happens next: The attacker exploits software vulnerabilities to gain more access, or to compromise more assets, in order to steal more intellectual property.
West says that a division exists today between “people whose responsibility is to do security, and people who are responsible for things where security matters a great deal, but who aren’t security professionals.” The most important area in which security matters but professionals aren’t experts in the field is software development, says West.
Indeed, West points out that of the top nine undergraduate computer science courses in the U.S. as ranked by U.S. News and World Report, precisely “...zero of them require a security course for undergraduates.”
The result? The software industry has no guarantee that any of its developer new-hires have been taught anything about security.
West says this situation is untenable, and has to change. But how? He suggests three key steps for improving security education:
1. Require security training for new hires. West believes the solution must begin with the IT industry, which needs to rethink the skill set it requires from freshly minted developers.
“Today, organizations don’t emphasize security skills as strongly as they should—and this is particularly true for non-security-specific roles, [such as software] development,” he notes.
And so, says West: “Every job description for every fresh college graduate for every development role in the world should require basic secure development experience. We (the industry) should be... saying, ‘these things are important to us; we value them in terms of industry career growth and investment.’”
West hopes this, in turn, will put pressure on universities to educate their software developers in basic security.
“The university system wants its graduates to be hired and to be successful in their careers,” West says. “If they’re not meeting those expectations, then part of the responsibility is on us, in the industry, to make those expectations more clear.”
2. “Adopt a professor.” But if universities are not currently including security in software-development curricula, then it is reasonable to assume that the current crop of professors is not qualified to equip developers with the necessary skills. Indeed, West says that today’s professors were not educated about security themselves, and thus don’t have the skills to teach it.
Thus, West argues, the industry must intervene to “retrofit professors and knowledge and textbooks.”
West believes that universities are top-heavy, bureaucratic institutions that tend to be slow to accept change, and that businesses will have a higher success rate if they target individual professors, rather than trying to lobby for major overhauls from the top down.
“We need to see much more partnership between industry and academia in the form of individual professors,” he says.
West suggests businesses identify courses with “real security implications,” and offer to partner with instructors to introduce security into their existing lessons. This cooperation could take many forms, he says—such as providing course materials, lectures or mini-internships, or by helping to create lab assignments that incorporate security.
“The more industry can bring specific knowledge and resources to bear at classroom-level, the more we can turn a very big and slow-moving ship pretty quickly and nimbly,” West says.
3. Integrate security into existing frameworks. If security is to be included in development courses, then something must make way for it. Here West is brief, sketching out the work that will need to be done rather than identifying specific solutions (which he leaves to those in academia).
“At the industry and university level, we need to look at how we are going to integrate security into topics, while not taking away too much attention from the core aspects,” he says. “We’re going to have to identify what we’re going to give up in order to give more attention to security in college curricula.”
West admits his proposals are not a complete solution to a huge problem, though he hopes they could provide a good start. But we are dealing with two huge, complicated leviathans here, in the form of academia and the security industry—and the practical implications of West’s ideas could be very complex.
So, we took his proposals to a pair of top security experts to ask some key questions: How can we make the coding of our applications more secure? Can academia be pressured to change? And should businesses work more closely with educational organizations?
Jeff Williams, CTO and co-founder of application security firm Aspect Security, agrees with West that a lack of robust coding in software applications is a serious problem today.
“It’s important for developers to know that breaches do happen because their code is insecure,” he says.
In fact, the problem may be getting worse, not better. Williams, who has a background in security training, cites SQL injection—a common type of hack—as an example.
“We started talking about it in the late 1990s, but now, 14 years later, it’s still one of the leading vulnerabilities,” he says. “We’ve had 12 to 15 years to stamp it out, and it’s made no difference. That’s a pretty bad indictment of the way software security works.”
Rick Doten, chief information security officer (CSO) for Digital Management Inc., agrees with West and Williams that software is a weak link. However, the news is not all bad: he cites Microsoft as an example of a company that recognized this problem in its own development processes.
“Microsoft changed its measure of success: [They] measured [you] on having no flaws, not [on] meeting the deadline. That’s why Microsoft 2008 was late; that’s why Vista was late; it’s why Microsoft stopped delivering on time. They stopped focusing on the deadline, and focused instead on making the software secure,” he says.
But Doten points out that this was an industry solution, and he is ambivalent about West’s first proposal: that firms should start requiring basic security knowledge of new hires in order to pressure universities.
“I partly agree … [that] without the right incentives, no one is going to do anything. It might be something that could work,” Doten says. However, he notes that since security changes so fast, academic instruction is likely to fall behind quickly.
Williams, meanwhile, doubts that the industry is ready to follow Microsoft’s lead by placing a heavy emphasis on secure coding during the software-development process, and he doesn’t think we’re likely to see West’s first proposal adopted anytime soon.
“It’s a good idea, but I don’t think it will happen,” says Williams. “Most people still hire developers to build things and automate the business.”
Security, regrettably, is just not a high enough priority.
While the first proposal was met with some ambivalence, both experts were in support of West’s second proposal: that businesses should work closely with instructors in academic institutions.
“It would be best for universities to reach out to the industry to get experts to come in and help,” says Doten. “Big companies like HP and IBM would buy into that—for instance, they might think, ‘I’m going to sponsor this thing, and will donate people to maybe help teach a class, and in exchange I get first right of refusal of graduates.’”
A firm believer in the persuasive power of data, Williams hosts a free tool on his company website, called “Secure Coder Analytics.” It is a 20-question quiz designed to reveal precisely what developers don’t know about security. Williams says that when businesses see, in detail, the gaps in their employees’ knowledge, it has a galvanizing effect on how seriously they take security. Perhaps the same approach would work in academia, he suggests.
“A study that looked at what graduating computer science students know about security might wake up institutions to say, ‘Hey, we’re not graduating students with the skills that they need.’ Then we could put in a program that would improve those numbers,” he says.
But would the schools be open to such partnerships? Doten is unsure, noting that universities are very “political” organizations.
“They don’t like outsiders, or people without PhDs,” he says. “It might not be easy to get a computer science professor to let somebody who doesn’t even have a degree, but who has been a hacker for half of his life, to come in and teach a class.”
At the end of the day, however, Doten thinks West’s idea is fundamentally sound: “I have a feeling it’s going to be harder than it sounds—but if we can make it work, it would be beneficial.”
Meanwhile, Williams thinks it is possible to address West’s third concern: how to fit security into existing development courses. Here, he says, effective security training must have a practical emphasis.
“I could teach the theory of SQL injection in an hour—but if I have the students actually do it, then it’s totally easy to understand, and will only take three minutes,” Williams says.
“[However,] in a lot of organizations you are not allowed to use simple security tools because they think they are hacker tools, and don’t want their developers to have those tools,” he adds. “You’re expected to develop secure code, but you’re not allowed to use tools to test the security of code. It’s a ludicrous proposition that puts developers in a very difficult place.”
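The kind of three-minute lab Williams describes can be built around a single query written two ways. The example below is added here for illustration; it is not code from the article or from Aspect Security. It uses Python's built-in sqlite3 module with a constructed in-memory table, and puts a string-concatenated lookup beside its parameterized replacement so a student can see, from the returned rows, why one is a vulnerability and the other is the fix.

```python
import sqlite3

# Constructed sample data for the lesson (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "dev"), ("carol", "dev")],
    )
    conn.commit()
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable form: the caller's input is pasted into the SQL text,
    # so anything it contains is parsed as part of the query grammar.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    # Hardened form: the input is bound as a parameter value. The database
    # never interprets it as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def demo():
    """Run both lookups with a benign name and with a classic tautology
    string, and return the rows each one produced."""
    conn = make_db()
    benign = "alice"
    tautology = "x' OR '1'='1"  # constructed classroom input
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_tautology": lookup_unsafe(conn, tautology),
        "safe_benign": lookup_safe(conn, benign),
        "safe_tautology": lookup_safe(conn, tautology),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Run as a script, the unsafe lookup returns every row of the table for the tautology input while the parameterized lookup returns none; the benign name behaves identically in both. The teaching point is that the fix is not input filtering but keeping data and query text separate, which is exactly what the placeholder binding does.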
After speaking to Doten and Williams, we took their comments back to West and gave him a chance to reply. Since most of their doubts centered on the practicality of gaining security knowledge in school versus afterwards, in a corporate context, West wanted to stress an important distinction:
“I think it’s important to distinguish two distinct activities, which I’ll call ‘education’ and ‘training,’ respectively,” he says. “The focus of education must be to develop a foundational set of knowledge that defines a domain—such as computer science. As security rapidly became a large part of what it means to be a computer scientist, we strained our educational system’s ability to keep pace with the industry’s need.
“Training, on the other hand, is all about the specific skills necessary to complete a task or do a job. Necessarily, training is targeted, and the specifics it covers must change with the details of the roles it trains individuals to fill.”
Before industry can train its employees effectively, says West, that foundational knowledge—education—must first be established. Training alone is not enough.
“The industry is, and must always be, responsible for training new hires and seasoned veterans alike on specific skills,” he says. “However, it’s naïve to think that any amount of after-the-fact training will make up for the fundamental gap we see between academic curricula today and the demands placed on their graduates upon entering the workforce.”
It’s a subject on which many security experts have strong opinions, and the debate will continue to run. Meanwhile, what do you think? Let us know in the comments below.