Doctors and nurses train rigorously in patient safety. Structural engineers must account for the stability of every structure they design. Yet our technology industry continues to build hardware, medical devices, cars, software, and online applications that routinely expose sensitive data and personally identifiable information. Worse still, this cyber security chaos is usually caused by weaknesses that are well known to experts but too often ignored by, or simply unknown to, everyone else.
One of the most exploited web application vulnerabilities is the infamous “SQL injection”, first publicly described around 1998. Almost two decades later, it is still one of the prime suspects whenever an organization is compromised. The most recent high-profile case is TalkTalk, an ISP in the United Kingdom whose breach exposed the personal data of roughly 157,000 customers.
The Quest for a Secure Software Engineer
In a 2015 experiment with IT graduates, we placed a software developer job ad for our company on a university notice board. We asked each applicant to assess four snippets of code, each about ten to twenty lines of Java, and tell us whether they believed the code contained any security vulnerabilities. (Yes, we did include a SQL injection weakness.)
The job ad was a great success: 80 students were interested in a position writing secure software.
- Good news: 50% of the students answered at least one of the four questions correctly.
- Bad news: The other 50% missed every security weakness in the code.
- Final result: Only 2 of the 80 applicants identified all four security issues.
After speaking with both the graduates and their professors, it became very clear to me that educating students about secure code development is not a priority in academia today. We kept hearing from both groups that there is not enough time in the curriculum to teach students how to code securely, and that it is too difficult to teach effectively. While this is not a statistically valid sample with enough data points to draw conclusions about all college and university students, do you think it is far from reality?
So You Think You Can Code Securely?
In 2015 we also assessed and benchmarked security professionals in secure coding at several security conferences around the world including BruCON in Belgium, DaggerCon and IRISSCon [https://www.iriss.ie/iriss/irisscon.htm] in Ireland, and the AISA national conference in Australia. After reviewing the data, we noticed the following:
- Security experts taking our challenge are outstanding at finding vulnerabilities in application source code. There were many excellent penetration testers at these events.
- However, many of these same professionals found it very challenging to fix those weaknesses properly within a particular development framework, such as the Java Spring Framework or C# Web Forms. Knowing that a query is injectable is not the same as knowing the framework's correct, parameterized way to write it.
- Offensive secure coding skills (spotting the bug) are far more common than the harder-to-learn defensive skills (fixing it correctly).
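The gap between spotting a SQL injection and fixing it properly, as described in the challenge snippets above and in the conference results, is easiest to see with the vulnerable code beside its corrected form. The following is an added example written for this page, not one of the original Java challenge snippets; it uses Python's standard sqlite3 module and a constructed two-row user table so that it runs offline, and the plaintext passwords are an assumption made purely to keep the demo self-contained (real code stores a salted hash).

```python
import sqlite3


def build_db():
    """Create a constructed in-memory user table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is concatenated into the SQL text.

    A username of  ' OR 1=1 --  turns the statement into
      SELECT username FROM users WHERE username = '' OR 1=1 --' AND password = '...'
    The -- comments out the password check and 1=1 matches every row.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """The correct fix: a parameterized query.

    The statement text is fixed at development time; the driver passes the
    values separately, so a quote or comment marker in the input is just data
    and can never change the structure of the query. This is the same idea as
    PreparedStatement in JDBC or named parameters in Spring's JdbcTemplate.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))  # alice
    print("fixed:     ", login_fixed(conn, payload, "anything"))       # None
```

Note what the fix is not: it is not a blacklist of words like OR, and it is not hand-escaping quotes, both of which are the "fixes" that tend to come up when someone knows the attack but not the framework. Parameterization removes the whole class of bug because the query structure no longer depends on the input at all.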
Closing the Developer Security Skills Gap
So here is the key question to noodle on. How do we create more secure technology when our software engineering students aren't learning how to write secure software, and our security experts often lack the development background to fix security vulnerabilities in code?
I think some effort is required from several different stakeholders:
- Colleges and Universities: Just as patient safety is a mandatory subject for medical personnel and construction safety is mandatory for building engineers, software security should be part of every college or university's IT curriculum. The number of IT students increases every year, and we need to stop producing brilliant software engineers who make basic SQL injection mistakes.
- Developers: Every developer needs to understand that they have an important role in society, building the software that runs our traffic control systems, cars, power plants, banking systems, and medical devices. Any security weakness introduced in their code can affect people's lives on a daily basis. The recent Ashley Madison data breach demonstrated this painfully.
- Organizations: Whether a company plans to contract or hire developers, it is critical to assess their secure coding skills. You have no idea how much pain this will save you later on.
Pieter Danhieux is CEO of Secure Code Warrior, a gamified cyber security skills development platform that enables organizations to evaluate, benchmark and improve the secure coding skills of their developers. He is also a certified instructor for the SANS Institute teaching military, government, and private organizations offensive techniques on how to target and assess organizations, systems, and individuals for security weaknesses. He is currently one of the select few people worldwide to hold the GIAC Security Expert (GSE) certification.
© 2015 Pieter Danhieux. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.