views: 200

answers: 6

Security is of increasing importance, yet the vast majority of universities have no courses on this topic. What can we do to encourage universities at large to close this gap? The only mechanisms that exist for learning how to write secure code are a few good books and local user groups such as OWASP.

+5  A: 

I wish universities made some huge changes to the way they set up their curriculum, in general - when I graduated with my programming degree, I found that I was completely not prepared to join the real world. I had a bunch of very specific knowledge about certain languages, but I found that I had no idea when to actually apply them, and I was completely not prepared to actually solve problems with code, just to implement something somebody else had already solved.

Though this is far more abstract, I wish they spent more time talking about the thinking behind the code, instead of the code itself. This includes security, but also analysis, team development, source control, documentation (and I'm not talking about "2 comments for every line of code"!), etc.

rwmnau
+5  A: 

The key to this is to find a faculty member who is interested in this topic and work with him or her to get it added to the curriculum. In my experience, though, most computer science departments don't actually teach programming so much as they teach basic language concepts so that you can then apply them to CS research topics. It's typically the research topics that get the most attention, obviously, from the faculty. Other than a few schools that have a strong emphasis on software engineering -- and even these tend to be more focused on methodologies -- you won't find many that will help you write good code, from a security perspective or otherwise. In most programming classes the objective is to get the problem solved, with little emphasis on code quality.

Having said all that, it's difficult to imagine that one could really come up with 16 weeks of content on secure coding alone. I suspect that it would be easier to come up with a few lectures that would make up part of a basic software engineering course. Ideally, what you'd like to see is a two-semester sequence that covers basic topics in software engineering, including security, and then has a significant project component to it where you could actually put the concepts to work in a meaningful way. Some universities do offer this, but I've only seen it in a graduate-level setting. It would be much more effective to require this as a capstone sequence in an undergraduate setting, but then again I'm not sure most CS departments are as interested in turning out programmers as computer scientists.

tvanfosson
+2  A: 

Shouldn't this be a part of all coding courses, not a separate elective?

ceejayoz
It should be. In fact, there are a lot of topics in software engineering that really can't be taught outside of some other context and need to be addressed in other courses as appropriate.
Thomas Owens
+2  A: 
JRL
+1  A: 

Dan Bernstein taught such a course 5 years ago: http://cr.yp.to/2004-494.html

Part of the course was taking actual open source programs and studying their source for real, live security vulnerabilities. Very hands-on, from what I gathered.

Chris Jester-Young
A: 

I don't mean to bash Lisp, but it would have been more helpful to learn security and other things like source control and whatnot than to spend as much time as most universities spend on Lisp or other academic languages, like Prolog...

Anyway, the real problem is the professors: most university professors are academic, of course, so they focus on the intangible skills, which are very useful after you've worked for, say, 5 years (that's when I could finally truly appreciate most of the academic fluff, which really opens one's mind). So there is a lack of people who can teach security at universities, but if you can get some security specialist to come, I bet the university would be more than pleased. But they aren't very likely to move on their own, as it's not easy finding security specialists with spare time.

Robert Gould