To ensure that digital systems and products have security built in by design, the US federal government and cybersecurity professionals have been calling for greater investment in skills and training in cybersecurity throughout the tech sector.
Despite CISA Director Jen Easterly recently calling for universities to include security as a standard element in computer science coursework, this sentiment is not expected to have any meaningful impact, according to some cybersecurity education professionals.
Easterly’s comments came shortly before the US National Cyber Strategy was published in March 2023, a key component of which is closing the notorious cyber skills gap, which grew by 26.2% in 2022, according to (ISC)2.
The new strategy places responsibility on both the government and wider industry to tackle the issue.
Even with this emphasis, some cybersecurity experts do not expect comments by CISA’s Easterly to have any meaningful impact on the way computer science courses are run.
Amy Baker, security education evangelist at secure coding training platform Security Journey, commented: “There’s a lot of discussion but not much action.”
Baker, and her counterpart, Jason Hong, professor in the Human Computer Interaction Institute at Carnegie Mellon University School of Computer Science told Infosecurity that many experts have been pushing a similar message for many years.
Currently, a major barrier to secure-by-design technology is the lack of emphasis on security within computer science courses at Universities, which is where the majority of developers learn their skills before starting their careers.
When this issue was raised by Easterly, she also urged the tech industry more widely to take greater responsibility for security-by-design in their products and services – in keeping with the goals of the National Cyber Strategy.
A Deep-Rooted Problem
However, Hong noted there are many factors involved to explain the status quo. One is that there are already many requirements in computer science courses, and “security is often considered secondary to other functional requirements people need.”
He added that it is difficult for universities to attract high-quality cybersecurity experts to teach at their institutions due to the relatively low salary they can command compared to working in government or industry.
Hong also pointed out that “lots of developers today don’t take formal computer science courses.” Research in 2022 found that 62% of developers learn code in college or university settings, “which leaves 38% who don’t take classes in these formal settings.” For these individuals, it is hard to know the extent of security knowledge and training they have, if any.
The rise in software vulnerabilities in the past few years can partly be attributed to the general lack of security training in these courses, especially as computer science graduates typically take software development roles.
Baker said a large part of the problem is that many developers she comes across do not even consider cybersecurity until they are creating code.
“Because it’s not included as part of the curriculum to begin with, many lack foundational knowledge about why security has to be part of their responsibility,” she noted.
This is why tech organizations are increasingly having to arrange basic security training for their staff on the job, added Baker. While continuous education is necessary regardless, to understand changing threats and approaches in cybersecurity, she said the foundational knowledge needs to be in place before they take developer positions.
Solving the Problem
Hong outlined a number of efforts that should be taken to substantially enhance security education at universities.
First, he argued that the security element of computer science course should become more practical. This includes teaching security configuration, to understand essential measures like avoiding the use of default passwords and building in access control measures.
Another is educating on common attack methods that can be easily remediated, yet still continue to “plague” developers, such as buffer overflow attacks. “If you’re not aware of it, you can’t avoid it,” said Hong.
Additionally, he believes it would be helpful to provide insights on specific security tools in the market; for example, the best encryption toolkits. “We have to figure out the right balance between making sure we don’t become a trade school, but also ensuring that when people are out in practice, they get up to speed really quickly in these places,” he explained.
Baker concurred, stating that introducing students to the OWASP Top 10 list of most common vulnerabilities would be a good place to start.
Having a more practical focus requires closer collaboration between academia and industry, according to Hong. He believes more data sharing from companies – for example, regarding the most effective security practices they use, and providing insights into real-life data breaches – would help universities improve their security teachings.
Hong said that more industry professionals coming into universities to guest lecture would be the perfect platform to “talk about hard-won knowledge and stories that we don’t know about.”
Providing Incentives
Large fines for breaches may be necessary motivations for companies to take the training of developers seriously, Baker suggested.
“Something has to happen so that people start caring about software security,” she stated.
Hong added that companies must also create more positive incentives for developers to help meet their security responsibilities – finding ways to reward their efforts in keeping products secure.
“Once we do that things will become much easier,” he said.
The US’ National Cyber Strategy is determined to embed security-by-design into digital products and services. The foundation of this approach must be on developing the skills and knowledge of those people involved in creating these technologies – and that needs to start in the education system, embedding security-by-design principles in prospective developers before they begin their careers.