Software firms fault colleges' security education

In a two-hour panel session Tuesday at the Secure Software Forum here, Oracle, Microsoft and other software makers attempted to analyze why flawed software is still overwhelmingly the rule and not the exception in the industry. A major contributor, the companies said, is college students' lack of a good grounding in secure programming.

"Unfortunately, if you are a vendor, you have to train your developers until the universities start doing it," said Mary Ann Davidson, chief security officer at Oracle, who kicked off the panel discussion that, while separate from the ongoing RSA Security Conference, addressed many of the same topics.

The panel discussion is the software industry's latest soul-searching on security. While companies claim to want more secure software, in most cases, they have yet to put their money where their mouth is. Many software makers believe that better training of computer science graduates is a key step toward improving software quality, but some security researchers have criticized the industry, pointing out that industry demand for programmers generally does not give preference to those trained in secure programming.

Fred Rica, a partner in PricewaterhouseCoopers' Threat and Vulnerability Assessment Services, likened the situation to sports.

"Colleges produce athletes capable of going on to the NFL because their football programs know what is needed," he said. "We have to be very clear what types of skills we need from future graduates."

Such thinking is driving Microsoft and other security companies to try and influence curricula at colleges. Microsoft has pledged $500,000 to 10 universities as part of a contest to create trustworthy-computing curricula, and several security firms have also established scholarships at a handful of schools. Private industry is not the only one attempting to kick-start better security education at universities. Several federal agencies, including the Department of Defense and the National Security Agency, have named several college programs as National Centers of Academic Excellence in a variety of security disciplines.

Oracle's Davidson said education is only a start, noting that better tools need to be developed to spot common flaws. Such tools should be used by all developers because even well-trained, well-meaning developers can miss errors in programs. In one case, Oracle's security staff missed one out of 21 flaws during an audit, a mistake that cost the company $1 million to fix later, she said.

"Even the people who 'get it' need good, automated tools," she said.

However, others on the panel laid the blame for the problems squarely at the feet of software makers.

Until companies are willing to foot the bill for security, applications will not get better, Rica said. When given a choice to put new features into a product or secure the old ones, software makers do not hesitate.

"Functionality still trumps security," he said. "Functionality is still king."

A Gartner study found that while companies put a lack of skills as a priority on their list of problems to be fixed, funding for developer training is second-to-last on their budgets.

Ira Winkler, a security consultant and part of the panel, criticized the focus on college education and stressed that companies should not rely on schools to train developers.

"I'm not going to hire someone straight out of college because they don't know anything," he said. "We need people who have on-the-job training."