Software Security: Education’s missing module
I’m shortly due to reach my fifteenth year as a programmer within the software industry. During this time I have witnessed a significant increase in the number of viruses, malicious software and security holes found within any given piece of software. To protect us, software vendors issue security patches issued within software updates on a regular basis and hope we all apply these to avoid the pitfalls. This ship first, fix later approach has always seemed odd to me. It’s akin to locking the door of your house after the burglar has already visited, in the hope all of your neighbours will follow suite and remember to lock their houses too!
The computer security industry can be split into three sections: the White hats, Grey hats and Black hats. The White hats are our guardian angles, who spend their time finding and fixing security problems. The opposite of this is the ‘evil’ Black hats who attempt to expose and maliciously exploit security vulnerabilities in the goal taking our data or controlling our computers without our consent. And, in-between these two are the Grey hats, who like to prove they can hack; but without any real malicious intent. The individuals within each camp range from IT professional to passionate teenagers seeking a thrill. Although quite different they share a common tool-set. All of these tools are easy to access and complemented by a huge collection of tutorials. These include standalone utilities such as the port scanner ‘nmap’ to entire operating systems built for the sole purpose of security scanning/hacking, such as ‘Back Track 5’. Another similarity shared by these individuals is they share a common target. Your Software!
Flaws in software more often than not reveal security vulnerabilities. These vulnerabilities can lead to leaked data, or, even the bad guys having control of your computer. This leads me onto the main point and a question: do software programmers/developers consider security when applying their craft? In my experience the answer in, ‘No!’. The fault of which does not solely lie with the programmer. I see no evidence from the Schools, Collages and Universities that the subject is covered sufficiently by the relevant courses. Take for example, a web development course; are the students being taught about SQL injection, or, the importance of software updates. More often than not I see web developers creating beautiful sites in Joomla or WordPress, or, any other CMS, and at the end the site simply gets hosted and left for the client to manage. I ask the question: whose’s going to update the core CMS, or, the plugins used after a security vulnerability has been found. Not the web developer, as they have been paid and moved on! This is a typical example of how the industry is disjointed. And, I’m not picking out web developers: further examples could easily be given involving Java/C/Ruby developers, or, companies that deliver bespoke systems.
The problem is both an educational one in the academic sense and a re-education of users and clients so they appreciate and demand security guarantees. Imagine if you are faced with these two quotes, the first, “I can provide you with a website for $400”. The other said, “I can provide you with a website for $400, plus $50 per year to monitor and maintain security patches”. What option would you pick? I fear at the minute most would choose the first option; thus, the need for re-education, re-education, re-education.
So how would one go about fixing this? I’d love to see security knowledge being taught alongside every web development and software development course. I’d also like to see a web development/programming governing body, ensuring our work is up to scratch. This governing body would be akin to the building trade’s regulators; ensuring and enforcing we deliver consistent and quality products to our customers. Alongside this we should expect our work to be appreciated as a craft and educate future clients that our products need maintenance which will incur maintenance costs.