Security Should Start with Education

Before I get into the details, let me give you a little background… In addition to contract work and my dreams of starting up something of my own, I’m working on finishing my degree in Computer Science. One of the classes I’m currently taking is Advanced Programming. Undergraduate computer science curriculums focus very heavily on Java and this class seems to be a chance for the students to get exposure to other languages (namely Perl, ANSI C, and C++). Much of this class consists of labs and little programming projects. The trouble with these is that almost no mention is made of security issues. I’ll describe a couple of the assignments to give you an idea of exactly what I’m talking about.

The first is just a Perl script to go through a directory and recursively calculate the MD5 checksums of the files and store them into a text file for later usage. The script can then be run to compare two of the previously generated MD5 files to see what files have changed, what have been deleted and what have been removed. This was used as an exercise to get us using a little bit of Perl and to “teach us about security”. What surprised me is that no mention was ever made of all the recent developments surrounding the flaws with MD5. If we’re learning about security shouldn’t we hear about the flaws as well?
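The checksum exercise described above, as an added example that is not the course's script: it is written in Python rather than the assignment's Perl, uses SHA-256 in place of MD5, and reports added files as well as changed and deleted ones. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                # Hash in chunks so large files are not read into memory at once.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest

def diff_manifests(old, new):
    """Return sorted lists of (changed, deleted, added) paths."""
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    deleted = sorted(old.keys() - new.keys())
    added = sorted(new.keys() - old.keys())
    return changed, deleted, added

def demo():
    """Constructed sample tree: modify one file, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        os.mkdir(os.path.join(root, "sub"))
        write("a.txt", b"alpha")
        write("c.txt", b"charlie")
        write(os.path.join("sub", "b.txt"), b"bravo")
        before = build_manifest(root)
        write("a.txt", b"ALPHA")
        os.remove(os.path.join(root, "c.txt"))
        write("d.txt", b"delta")
        return diff_manifests(before, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```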

The next little project involves creating a Perl CGI login page. I assume that since we’re creating a login page that this would be the opportune time to discuss security. Instead, the assignment went something like this. Create the page and use a form which does a GET against the CGI script. The list of usernames and passwords is stored in a text file which resides in the same directory as the script. Both usernames and passwords are kept in plaintext. We check the user and password and tell them it’s a bad login if the user doesn’t exist and a bad password if the user exists, but the password is wrong.

Flaws:

  1. We’re passing the username and password using the query string.
  2. We haven’t talked about securing the datasource and with the current configuration it’s freely available to all.
  3. We’re storing the actual password instead of a hash.
  4. We’re telling a potential attacker that they’ve got a correct username.
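A login check that avoids the flaws listed above, as an added example that is not the assignment's code: it is written in Python rather than Perl, and `check_login`, `make_store`, the iteration count and the messages are assumptions made for illustration. Credentials are accepted from a POST body only, passwords are stored as salted PBKDF2 hashes, and an unknown user gets the same answer as a wrong password.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
GENERIC_ERROR = "Invalid username or password."

def hash_password(password, salt=None):
    """Return (salt, hash); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Placeholder record checked for unknown usernames, so both failure
# paths perform the same hashing work.
_DUMMY_SALT, _DUMMY_HASH = hash_password("placeholder-never-matches")

def make_store(users):
    """Build the credential store; only salts and hashes are kept.
    In a deployment this data lives outside the web-served directory."""
    return {name: hash_password(pw) for name, pw in users.items()}

def check_login(method, form, store):
    """Return (ok, message) for one login attempt."""
    if method != "POST":
        # Query strings end up in server logs, browser history and referrers.
        return False, "Credentials must be sent with POST."
    username = form.get("username", "")
    password = form.get("password", "")
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; the membership test keeps the dummy record
    # from ever authenticating anyone.
    ok = hmac.compare_digest(candidate, expected) and username in store
    return (True, "Welcome.") if ok else (False, GENERIC_ERROR)

if __name__ == "__main__":
    store = make_store({"alice": "correct horse"})  # constructed sample user
    print(check_login("POST", {"username": "alice", "password": "nope"}, store))
    print(check_login("POST", {"username": "mallory", "password": "nope"}, store))
```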

At no point were any of these security issues brought up. In addition, there was no mention made of SSL. I might be overanalyzing these exercises and I don’t think I’m the target audience for this course, but it brings up the question: How can we expect graduates to write secure code if there is only a passing mention made of it in their universities? The only way we’re going to get developers writing more secure code is if the topic is brought up and discussed regularly.

I never learned

I never learned about security at college. Maybe those who took the operating systems class did, I am not sure. I learned about it through reading on the web.

Not surprised

Academic projects are useful to force students to do some programming, but in my observation they suffer from the following problems:

  • The deliverable is graded academically, whereas "real world" software is graded on a pass/fail standard. The academic grading is fairly prescribed and students would call foul if the instructor deducted points for noticing a buffer overflow opportunity or if the program crashed with unexpected inputs. On the other hand, your boss in the real world will "fail" you for these types of oversights.
  • The problem domain for most academic software is, put simply, academic rather than pertinent. Computing a Fibonacci series or the towers of Hanoi, to my knowledge, never happens outside of the classroom.
  • Security is pretty hard stuff, but writing secure software often falls more into the realm of software engineering than computer science, with the exception of things like the MD5 exploit example.

While it would be nice for instructors to encourage good security, you may need to take it upon yourself to do this. Application security generally isn't considered an academic concern, but I agree with you that it should get more attention than it does currently.

I agree that most academic

I agree that most academic study in computer science is really about theory and less about software engineering. Having said that, I must say that this class doesn't seem to have theory as its primary goal. The primary goal of the course seems to be real world practical skills and tools usage. Having that in mind, I just found it a little disconcerting that these issues weren't brought up.

Right

The fact that you recognize this shortcoming puts you head and shoulders above your peers who may think nothing of the security implications. If you don't mind me saying so, the friction you feel is what most smart people feel in college. The Academy is a fantastic place to learn about software, but the really great programmers I've known have the ability to see what isn't being taught and go after it personally.