Why Can’t Johnny Develop Secure Software?

June 22, 2010 at 10:21 am 1 comment

The line of reasoning here is interesting.  The people interviewed in this piece argue that software developers will never learn to develop secure software — it’s at odds with their goals as developers (to write code fast, to meet customer needs).  But they also argue that it doesn’t work to bring in an outside security expert, because she won’t be able to pay attention to everything in the code to find every possible security breach.  Their answer: automated testing tools.  It feels like an Agile answer to me — we’ve got a development problem with no obvious solution, so we’ll test and iterate.

“The talent coming out of schools right now doesn’t have the security knowledge it needs,” says Paul Kurtz, executive director at SAFECode, a nonprofit organization backed by major software vendors and focused on secure software development practices. “There needs to be a lot more work in our educational institutions to teach them how to develop secure code.”

But nearly all experts agree that no matter how strong the training effort, the average developer will never be very security-savvy. “They’re always going to be more focused on code quality and trying to meet their deadlines,” Sima says. “If I’m a developer, as soon as I’ve been assigned a project, I’m already behind. If there’s a faster way to do something, they’re going to take it, because for them speed is more important than security.”

via Why Can’t Johnny Develop Secure Software? – secure software development/Security – DarkReading.

1 Comment

  • 1. Alfred Thompson  |  June 22, 2010 at 2:13 pm

    I see this as a two part problem. The first is that programmers are not taught how to write secure code. The second is that they are not given the time to do it right.
    Several years ago Microsoft did a complete shutdown of development to train all their developers in writing secure code. They then implemented new development plans that included security as a basic part of the development plan. A magic bullet that made everything go away? Of course not. But the software, including both Windows Vista and Windows 7, has been much more secure than previous versions. And than most competitors. This of course must be an ongoing commitment.
    Students are not generally being trained in writing secure code. The academic environment has always been a wide open, let’s trust our peers and share everything sort of environment. That is the attitude that led to many of the security breaches in commercial software for the last 30 years. The world has changed but our education environment has not changed with it.
    So without training we start behind. And then we face the reality of deadlines, rapid changes of requirements and demands of the customer in the industrial world. Now we compound the problem by not letting people spend time on threat assessment, solid design, and careful coding and testing. I am not convinced that the old development models were a problem because I feel really strongly that no one really followed them anyway. They could have worked and in rare cases when they were followed they did work. But we’re an impatient world looking for shortcuts.
    We use metrics like lines of code generated. Ha! What idiot thinks that number can’t be gamed? And who thinks that more lines of crappy code is better than fewer lines of really good code?
    Lastly I don’t think it is fair to blame the programmer. If they don’t have the time to do it right (which includes security) the blame lies mainly with the people who set the schedule and demand speed over quality/security.

