The history chapter of most computer security courses includes a reference to the Morris Worm, a malicious program written in 1987 by Robert Morris that exploited weaknesses in Internet applications and brought the Internet to a halt.
30 years later, tens of thousands of children who were born after the Morris Worm became famous have graduated from college with computer science or software engineering majors. Sadly, very few were required to learn about the programming and design weaknesses that made the Morris Worm possible. The same weaknesses have since resulted in thousands of other vulnerabilities, some of which have inflicted far more severe damage than the Morris Worm did 30 years ago.
Students cannot earn a chemistry degree without taking mandatory safety courses where they learn how to avoid blowing up a building. But, surprisingly, they can become computer scientists or software engineers without any exposure to basic secure coding and safe design practices that could prevent an attacker from blowing up the Internet.
Secure design and coding are not new. The weaknesses that made the Morris Worm possible have long been included in the SANS Top 25 “Most Dangerous Software Errors”, and ways to prevent them have been widely documented by organizations such as SAFECode, OWASP and the IEEE Center for Secure Design. However, for no apparent reason whatsoever, mastering these techniques has never been required to become a software engineer or a computer scientist. At best, students are taught security in an elective course, as if building a secure Internet were optional.
To compensate for this knowledge gap, mature software development organizations are providing security training to their software developers as part of a holistic approach to software security. Dell, along with other organizations, is also making this training available for free to the broader community through SAFECode.
But this is not sufficient; every day device manufacturers are turning into software companies to surf the Internet of Things (IoT) wave. They hire software professionals to make their devices connected and build their software culture. But without basic security knowledge, these software professionals will perpetuate the same mistakes that have contributed to our current state of insecurity.
“The best time to plant a tree was 20 years ago. The second best time is now.” – Chinese Proverb
The only sustainable way to break this vicious circle is to teach safe coding practices to future software professionals in the way we teach safety to chemists: by making it part of the curriculum and a required skill for graduation.
Both industry and academia have a key role to play in helping to build a more secure digital infrastructure. Industry has to make security part of every stage of its software development process and train its developers in secure coding techniques. Academia can do its part by making security part of the curriculum to train the next generation of software professionals.
We can all contribute to solving this security education paradox by educating the educational institutions in our own network about their role in making industry’s push for more secure software sustainable.