Comment There’s a line in the latest plea from CISA — the US government’s cybersecurity agency — to software developers to do a better job of writing secure code that might make you spit out your coffee.
Jack Cable, CISA’s senior technical advisor, writes that in 2019, when he was a computer science student at Stanford University in California, he didn’t need to take any cybersecurity courses to graduate. That, he says, was true for students at 23 of the top 24 computer science schools in America.
Nearly five years later, “the list of the top 24 computer science universities has not changed: 23 still do not require cybersecurity,” Cable wrote in his memo.
Follow the coffee spit.
UC San Diego, for the record, is the only school in the top 24 whose computer science and engineering program lists security as an undergraduate requirement, though it's not clear from the college's published curriculum that this is actually the case.
“Cybersecurity is seen as a sub-discipline, much like graphics or human-computer interaction – not the basic knowledge every future software developer should be equipped with when they enter the workforce,” Cable laments. “This is unacceptable. Too often, attacks exploit simple weaknesses that any developer with basic security knowledge could stop.”
We agree wholeheartedly. Of course, computer science is not engineering, and you could argue that engineering is a more natural place for practical secure coding. Turning an abstract algorithm into a secure software routine or writing a service that doesn’t blindly trust user input, for example, is an implementation-level problem for engineers. We understand.
But screw that, this situation is unsustainable. Build security into your compsci curriculum for the benefit of new developers and the people who use their code.
The infosec skills shortage is old news by now, and voices in the private and public sectors have called on developers to tackle vulnerabilities in their software supply chains. Even the White House’s National Cybersecurity Strategy calls for holding app makers accountable for security flaws in their products, which will first need better developer training.
But if colleges and universities don’t require computer science students to take infosec classes before those companies hire them, look, we have a real problem. It’s one that will contribute to the disconnect between security executives and developers — not to mention the ever-growing threat of ransomware and other destructive cyberattacks.
One reason for the lack of courses, according to CISA, is that the private sector does not require these skills from its developer employees. In September, the agency hosted a workshop that addressed the challenges of incorporating security into computer science curricula, and one of the identified barriers was a lack of demand.
“To date, companies have not expressed that security is one of the key factors they evaluate when hiring software developers,” Cable wrote. “Until that changes, universities have little incentive to change their practices.”
Also: here's your chance to do something about it. Last month, CISA published a request for information on the role of security in IT education. The deadline for responses is February 20, and we'll be keeping a close eye on what comes up. ®