In a feature article on the Software Advice website about the Future of Security Education, I was part of a small group discussing the problem of producing better developers who can code more securely, to help alleviate the application exploits we are seeing in the headlines. Our discussion started from three suggestions to improve security education by Jacob West, CTO for enterprise software at HP: require security training for new hires; adopt a professor (industry takes a few professors and indoctrinates them in proper application security methodologies); and third, integrate security into existing frameworks. These are all prudent suggestions, but the challenge is larger than that, and they may work better on paper than in practice. As an example in the article, Jeff Williams, CTO of Aspect Security, noted that SQL injection, a prevalent application attack vector that has been around for over a dozen years, still hasn’t been weeded out of software being developed even today.
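To make the SQL injection point concrete, here is an added example (not code from the article or from any of the people quoted in it) that puts a string-concatenated query next to its parameterized equivalent. The in-memory SQLite table, the user names and the injected input are all constructed for the illustration; the only thing that differs between the two lookups is whether the user-supplied value is spliced into the SQL text or bound as a parameter.

```python
import sqlite3

# Constructed sample data (not from the article): a small users table in memory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # The classic mistake: the user-controlled value becomes part of the SQL
    # grammar, so quote characters in it change what the statement means.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Parameterized query: the driver sends the value as data, so it is matched
    # literally and can never alter the structure of the statement.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# A textbook injection string: closes the open quote, then appends a condition
# that is always true. Constructed here to show the difference in behaviour.
INJECTION = "' OR '1'='1"

def compare(username):
    """Run both lookups on the same input and return (vulnerable, safe) results."""
    return lookup_vulnerable(make_db(), username), lookup_safe(make_db(), username)

if __name__ == "__main__":
    print("normal input :", compare("bob"))        # both return ['bob']
    print("injected     :", compare(INJECTION))    # concatenation leaks every row; parameter returns []
```

The vulnerable function is the "before" of the fix a code review should catch: the same input that returns one row through the parameterized query returns every row through the concatenated one, which is exactly the class of defect Williams is describing as still shipping a dozen years on.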
Just last week, the new Shellshock exploit was revealed, which affects Unix systems using the Bash shell and lets an attacker remotely execute system commands. It is a perfect example of a security hole in code that has been around for dozens of years. You’d think no one would normally have a system sitting on the Internet that could be exposed to a vulnerability like this, but millions of web servers run on Unix systems, and they could allow someone to craft a request that injects commands through the web server interface into the underlying Bash shell. The best write-up about this vulnerability (technical but still understandable) is from Troy Hunt here.
But my point is that we have a significant gap in education for training the developers of the software we use every day, so that they consider security as one of the goals of development, not just functionality. The tough part about implementing the three ideas West put forth above is the constant change in the threat landscape, and the introduction of new programming languages and application architecture approaches over the years (e.g., client-server development, web development, mobile app development, etc.). So just considering evolution, someone could have started school focused on web development, and four years later mobile apps are the rage, so they re-learn how to program for that, and at no point learned the security implications of apps on mobile devices or cloud services to integrate into their development process. We must make it core to the education. To expand my second point above, developers used to start by learning C; now they are starting off learning Ruby or Python, but I predict we will soon see functional programming languages become more popular, like Lisp, Clojure and Racket (even Apple’s new Swift language has functional programming concepts).
Luckily, there are some concepts that have been pretty static across all architectures and languages over the years, such as following the Open Web Application Security Project (OWASP) Top 10. OWASP continually tracks which vulnerabilities are most prevalent among applications, so it’s a good place to start. Adam Shostack’s book, Threat Modeling: Designing for Security, provides another great reference for implementing security within the development life cycle. And one of the most comprehensive lists of web application security testing procedures, the culmination of hundreds of experts who test applications every day, is documented in the Web Application Hacker’s Handbook by Dafydd Stuttard and Marcus Pinto. This publication is a 1000-page reference on how and what to test when evaluating web applications. These are just a few resources that university computer science departments could leverage within their programming curricula, as well as partnering more with industry experts to share their expertise and to work with professors to keep their perspective current. Once developers get into the workplace, we need to provide them with a development life cycle that includes security assessments from the beginning: design, development, testing and implementation (and sun-downing). This too is well understood by many, Shostack’s book being a great reference for its design. And we as consumers (enterprises and individuals) must demand more secure software to help incentivize the industry to step up and consider security and privacy just as much a requirement as an intuitive user interface.
– Rick Doten, DMI Chief Information Security Officer (CISO)