David A. Wheeler's Blog

Thu, 15 May 2008

Oracle letter to Universities: Educate software developers on security/assurance!

I am delighted to point out a really interesting letter to Universities by Mary Ann Davidson, the Chief Security Officer of Oracle Corporation. It basically tells colleges and universities to stop ignoring security, and to instead include software security principles in their computer science curricula. I’m so delighted to see this letter, which has just been released to the public (it had been privately sent to many colleges and universities). Let me point out and comment on some great points in this letter, because I think this letter is really important.

In this letter, she notes that “many security vulnerabilities can be traced to a relatively few types of common coding errors”. I’ve noted that myself, by the way; simply educating developers on what the common (past) mistakes are goes a long way towards eliminating vulnerabilities. She then notes, “most developers we hire have not been adequately trained in basic secure coding principles in their undergraduate or graduate computer science programs.” I agree and think it’s horrific; more on that in a moment. She clarifies that this is a really important problem: “Security flaws are widely recognized as a threat to national security and to the privacy and financial well being of individual citizens, in addition to the costs they impose on us and our customers.” They haven’t just let this be; as they note, “We have therefore had to develop and roll out our own in-house security training program at significant time and expense.” Kudos to Oracle for doing such training, by the way; far too many organizations don’t do that, which explains why software continues to have the same old vulnerabilities as it did 30 years ago. But clearly Oracle cannot train the world, nor is it reasonable to expect that they do so.

She also states that “We believe that the ability to recognize and avoid common errors that can result in catastrophic security failures should be a core part of computer science curricula and that the above measures will foster such change. We strongly recommend that universities adopt secure coding practices as part of their computer science curricula, to improve the security of all commercial software, and ensure that their graduates remain competitive in the job market.” To that I say, Amen.

By itself, that’s great, but here’s the kicker: “In the future, Oracle plans to give hiring preference to students who have received such training and can demonstrate competence in software security principles.” Do you see this? Students at colleges and universities that fail to properly prepare them will be at a competitive disadvantage!

Today, almost all computer science and software engineering graduates will develop software that connects to a network, or must take data from a network… yet almost all are absolutely clueless about how to do so. Not because they don’t know what a “socket” is, but because they don’t know how to counter attacks. And if you’re hooked to a network, or take data from one, you will get attacked.

Yet the education community (with a few wonderful exceptions) still completely ignores the need to educate software developers on how to develop secure software. “It’s not my job” is not just wrong; it’s almost criminal. Society is depending on the educational community to educate students in the fundamentals of what they need to know. Society depends on software, and essentially every student in a software-related field will, after they graduate, write software that will be attacked. Attacks are no longer a surprise - they are a guarantee. Yet the educational system that’s supposed to prepare our developers fundamentally fails to do so. Since attacks are guaranteed, and the students are guaranteed to not know how to counter them, what other results would you expect? The basics of developing secure software should be a mandatory part of computer science and software engineering undergraduate curricula. The vulnerabilities that the students will embed in software, if they do not get this education, will lead to great loss of life and the loss of billions of dollars. Sure, schools already have a lot of material to cover, but practically nothing in a computer science curriculum is as important as how to develop secure software; I can think of no other omission in the CS curricula that causes so much damage. Don’t tell me that you only teach the “fundamentals”; programming languages change, but the need for security will never go away; it is fundamental. I think computer science and software engineering departments that do not explain the basics of developing secure software to all of their undergraduate and graduate students should be shut down, as a menace to society, until they change their ways.

Oh, if you want to see more about this letter, see Mary Ann Davidson’s blog article about it, “The Supply Chain Problem”, where she talks about what led up to the letter, and the follow-on from it: “Last year, I got fed up enough with Oracle having to train otherwise bright and capable CS grads in secure coding 101 that I sent letters to the top 10 or so universities we recruit from (my boss came up with the idea and someone on my team executed on it - teamwork is a wonderful thing)… I am sorry to state that only one of those universities we wrote to responded to my letter… We need a revolution - an upending of the way we think about security -and that means upsetting the supply chain of software developers… To universities, I cannot but contrast the education of engineers with that of computer science majors. Engineers know that their work product must above all be safe, secure and reliable. They are trained to think this way (not pawn off ‘safety’ on ‘testers’) and their curricula builds and reinforces the techniques and mindset of safe, secure and reliable product. (A civil engineer who ignores the principles of basic structures - a core course - in an upper level class is not going to graduate, and can’t dismiss structures as a ‘legacy problem.’)”

I would love to see many organizations banding together to sign a letter like this one. If enough organizations band together, I think many universities and colleges will finally get the message. I would expand it beyond computer science, to any curricula with a significant amount of software development (such as software engineering, MIS, and so on), but that’s a quibble. My goal is not to shut down any departments (I hope that’s clear); it’s to repair a serious omission in our educational system. Kudos to Mary Ann Davidson, for writing the letter and sending it to a number of Universities. When I learned of it, I begged her to please post it publicly. To her great credit, she’s now done so. Thanks, from the bottom of my heart! Now colleges and universities have even fewer reasons to claim the nonsense, “well, no one wants information on developing secure software.” The companies that will hire your students know otherwise.
