Michael Howard - What isn't being taught well enough in college? Security!

Posted By: The Channel 9 Team | Apr 5th, 2004 @ 9:44 AM | 24,374 Views | 11 Comments
Michael Howard, Microsoft's top security official, notes that many college graduates need to get remedial security training.
Media Downloads:
Rating:
1
0
#Apr 6th, 2004 @ 9:18 AM
Jeremy W
Jeremy W
that blogging guy
I agree completely. Colleges are teaching a lot more about business priorities. These are generally rooted in the convenience vs security balance, but approached purely from a business sense. Which is good, but because the balanced isn't being maintained you have whole roles being defined around security (which is good, but again it's extreme because the balance is so far off).
#Apr 6th, 2004 @ 9:24 AM
jcfiala
jcfiala
Self Portrait
Huh - never thought about it, but yeah - while I was at CMU (admittedly, ten years ago), security was never brought up as something to worry about in any classes.

Now, I'm finding it rather facinating.

-john
#Apr 6th, 2004 @ 11:24 AM
murph
murph
You think you've got it bad? I finished my Computing degree nearly 19 years ago...

I've worked mostly for small companies on teeny dev teams ever since - training is all about how good I am at picking stuff up as I go along.

If I were to disappear off at a tangent (I know, I should blog it) there's a large group that's seldom well catered for )-: Scoble was discussing how easy it is to blow one's conference budget a while back yet I exist in a world where the notion of "conference budget" doesn't even make it to the level of "theoretical concept" (one does slightly better on training budget - in that at least its acknowledged as not existing).

I feel better now!

#Apr 6th, 2004 @ 10:06 PM
vanlandw
vanlandw

My college had an elective course..."System Security"

Tought with linux machines....and pretty much we learned basic hacking techniques.  Then the second half of the course was implementing what we learned to a box and try to keep hackers out of our machines.  Very intersting to learn how a WHOIS and a HOST command can really screw up a machine....

#Apr 7th, 2004 @ 12:52 AM
adwb
adwb
mm2

I know quite a few people who have been hired recently by Microsoft from WWU (my current location of study) and I happen to know that the security courses are few and far between. Being a computer science student here at WWU has made me realize that this is not the place I want to continue my education. The instructors don't seem interested in what they teach and the selection of courses is very focused on doing good math using a dated programming language.

I have to say that I have had one instructor who is very interested in security and writing quality code. Coincidentally he teaches only one class per quarter and runs a local software company during the day. I'd go as far as to say he's not even a "real" professor. So that reduces the number of excellent security instructors to nill at WWU.

#Apr 7th, 2004 @ 12:30 PM
nasserd
nasserd
My inaugural post to Channel9 (hoorah!)

I've been on the software side of things for almost a decade now; however only left college barely 2 years ago. From what I've seen from the insides of schools (public, private... ivy, quasi-ivy, non-ivy... Tier 1, and Tier 2) whose curriculums I've investigated, here's a shortlist of their courses:

* Whiz-bang animation courses
* OOP using Java; now more with C#, .NET
* EE approaches to software dev't
* Starting a software biz
* n-tier system... how they work.

Very little has anything to do with security.  When the CS graduates look for jobs, they say "wait, they can do that?"  Or, "Naw, that's not what I was taught."

Okay, enough ramble.  Long story short, students barely know what to look for... and schools (as always) rely on student interests to build a popular field of study.

In the end, as was previously mentioned, since schools don't know what to offer (and don't know who can teach it), the students are unable to learn.  And the vicious cycle makes another round...
#Apr 7th, 2004 @ 3:43 PM
timothyblek
timothyblek
bah!
My first poast as well!

I think alot of what is taught in schools comes from teaching to the lowest common denominator.

I participate on an advisory board every year at the local community college where I also teach part time.  This year I came across something interesting.  We basically ran into two schools of thought:

1) teach basic classes to get the high school kids up and running with computer and programming classes and on to a good 4 year or jr. programming job.

2) teach really cool, but very advanced classes on security (mostly network though), knowing that we're going to be catering to businesses out there educating their employees though our certificate programs.

Obviously, teaching "Hello World" isn't as sexy or fun as an advanced class on securing a Linux firewall, so competent teachers want to have the "fun" courses.  Ultimately, schools must make money though, or they can't pay us teachers, so the fresh meat get the basic programming classes, not exciting at all, mostly because it is a struggle to fill these student's heads with good programming practices and we spend a large portion of time just with flow control and the concepts of OOP.

That leaves the middle ground, a sort of no man's land.  At what point is it appropriate to introduce a programmer to security concepts?  Before or after they learn what a switch statement is?  Before or after they learn to connect to a database?

Also, look at the job postings today, people are asking for things like a year of C#, 5 years RDMS, 3 years OOP.  I have very rarely seen a request for something like "1 year secure programming experience"

#Jun 8th, 2004 @ 3:24 PM
anduril
anduril
I'm not a programmer, well not outside of being a hobbyist. I enjoy doing some programming on the side in my free time so of course I'm not going to be taught how to write secure code. They're interested in attempting to pass a decent amount of us, students who couldn't code if their lives depended on it.

Granted, my school does offer quite a few security courses that don't focus on writing secure code but rather creating a secure system enviroment, network, what not. I'm an IST major, not CS Smiley
#Jun 9th, 2004 @ 10:43 AM
ryanlowe
ryanlowe
You will be happy to know that the Software Engineering program at the University of Ottawa has a required security course for all fourth year students.  It was quite comprehensive, covering threat modelling, encryption, digital signatures.  I very much enjoyed going to the class and the content was very interesting.  I agree that generally developers are either ignorant or don't care enough about security issues though.

Ryan Lowe
University of Ottawa Software Engineering class of '04
Microsoft Communities