Monday, April 28, 2008

Can Security be incorporated in the Computer Science & IT courses?

Attacks on the web systems have become a common place and most of the issues have been attributed to software vulnerabilities. The IT software industry has recognized the importance of building secure software systems by incorporating security in their SDLC.

What amuses me is that the situation can be much better improved by integrating the basic security mantras in the graduate programs of Computer Science and Information Technology courses. The engineering courses for Computer Science and Information Technology at least can be sought to have the security touch points to enable the fresh candidates understand security implications while building software.

Currently, most security efforts at the university courses are in the form of specialized security classes which address particular topics in form of network security or cryptography. In contrast to the integrated approach currently being used in industry, education continues to handle security as an afterthought.

Something that everyone in the engineering courses would have learnt would be Database Management Systems (DBMS) and Web Technologies. Let’s take an example, we were taught that writing stored procedures are better compared to writing dynamic SQL because they are pre-compiled and hence better in terms of software performance. But we were not taught that stored procedures also helps protect you from a security threat called SQL Injection which is one of the most common attack.

My proposal is to plot security in the engineering curriculum with core courses. It just requires infusion as a subset in the main subjects. The concept of robust programming is native to secure coding. It is imperative to teach students that safe and reliable programs are inherently more secure.

The classic Software Development Lifecycle (SDLC) includes analysis, design, implementation, testing, and maintenance. Incorporating security into the SDLC yields the Secure Development Lifecycle. The touch points in the course should be Security Requirements and Analysis, Security Design, Security Implementation and Security Testing. Something that is fundamental to software programming and security assurance becomes the security coding mantras. A few are mentioned below.
• Principle of Defense in Depth
• Principle of Least Privilege
• Do not trust any user input
• By default Deny
• Assume the Impossible
• Graceful degradation on error

The idea is to make students aware of these small mantras while learning software programming. These small changes make a huge impact on the student who enters the industry and is already aware of security best practices if not all the attacks. It makes a great value add for the organizations too to hire a candidate with basic security knowledge. The ability to write secure code should be a fundamental to a university computer science as basic literacy. I am sure that the industry will also appreciate if the universities accept these changing demands.

Dharmesh Mehta
Technical Analyst, Mastek

No comments:

Post a Comment