I agree completely. Colleges are teaching a lot more about business priorities. These are generally rooted in the convenience vs security balance, but approached purely from a business sense. Which is good, but because the balance isn't being maintained you have whole roles being defined around security (which is good, but again it's extreme because the balance is so far off).
Huh - never thought about it, but yeah - while I was at CMU (admittedly, ten years ago), security was never brought up as something to worry about in any classes.
Now, I'm finding it rather fascinating.
You think you've got it bad? I finished my Computing degree nearly 19 years ago...
I've worked mostly for small companies on teeny dev teams ever since - training is all about how good I am at picking stuff up as I go along.
If I were to disappear off at a tangent (I know, I should blog it) there's a large group that's seldom well catered for )-: Scoble was discussing how easy it is to blow one's conference budget a while back yet I exist in a world where the notion of "conference budget" doesn't even make it to the level of "theoretical concept" (one does slightly better on training budget - in that at least it's acknowledged as not existing).
I feel better now!
My college had an elective course..."System Security"
Taught with Linux machines....and pretty much we learned basic hacking techniques. Then the second half of the course was implementing what we learned to a box and trying to keep hackers out of our machines. Very interesting to learn how a WHOIS and a HOST command can really screw up a machine....
I know quite a few people who have been hired recently by Microsoft from WWU (my current location of study) and I happen to know that the security courses are few and far between. Being a computer science student here at WWU has made me realize that this is not the place I want to continue my education. The instructors don't seem interested in what they teach and the selection of courses is very focused on doing good math using a dated programming language.
I have to say that I have had one instructor who is very interested in security and writing quality code. Coincidentally he teaches only one class per quarter and runs a local software company during the day. I'd go as far as to say he's not even a "real" professor.
So that reduces the number of excellent security instructors to nil at WWU.
My inaugural post to Channel9 (hoorah!)
I've been on the software side of things for almost a decade now; however only left college barely 2 years ago. From what I've seen from the insides of schools (public, private... ivy, quasi-ivy, non-ivy... Tier 1, and Tier 2) whose curriculums I've investigated, here's a shortlist of their courses:
* Whiz-bang animation courses
* OOP using Java; now more with C#, .NET
* EE approaches to software dev't
* Starting a software biz
* n-tier system... how they work.
Very little has anything to do with security. When the CS graduates look for jobs, they say "wait, they can do that?" Or, "Naw, that's not what I was taught."
Okay, enough ramble. Long story short, students barely know what to look for... and schools (as always) rely on student interests to build a popular field of study.
In the end, as was previously mentioned, since schools don't know what to offer (and don't know who can teach it), the students are unable to learn. And the vicious cycle makes another round...
My first post as well!
I think a lot of what is taught in schools comes from teaching to the lowest common denominator.
I participate on an advisory board every year at the local community college where I also teach part time. This year I came across something interesting. We basically ran into two schools of thought:
1) teach basic classes to get the high school kids up and running with computer and programming classes and on to a good 4 year or jr. programming job.
2) teach really cool, but very advanced classes on security (mostly network though), knowing that we're going to be catering to businesses out there educating their employees through our certificate programs.
Obviously, teaching "Hello World" isn't as sexy or fun as an advanced class on securing a Linux firewall, so competent teachers want to have the "fun" courses. Ultimately, schools must make money though, or they can't pay us teachers, so the fresh meat get the basic programming classes, not exciting at all, mostly because it is a struggle to fill these students' heads with good programming practices and we spend a large portion of time just with flow control and the concepts of OOP.
That leaves the middle ground, a sort of no man's land. At what point is it appropriate to introduce a programmer to security concepts? Before or after they learn what a switch statement is? Before or after they learn to connect to a database?
Also, look at the job postings today, people are asking for things like a year of C#, 5 years RDMS, 3 years OOP. I have very rarely seen a request for something like "1 year secure programming experience".
I'm not a programmer, well not outside of being a hobbyist. I enjoy doing some programming on the side in my free time so of course I'm not going to be taught how to write secure code. They're interested in attempting to pass a decent amount of us, students who couldn't code if their lives depended on it.
Granted, my school does offer quite a few security courses that don't focus on writing secure code but rather creating a secure system environment, network, what not. I'm an IST major, not CS.
You will be happy to know that the Software Engineering program at the University of Ottawa has a required security course for all fourth year students. It was quite comprehensive, covering threat modelling, encryption, digital signatures. I very much enjoyed going to the class and the content was very interesting. I agree that generally developers are either ignorant or don't care enough about security issues though.
University of Ottawa Software Engineering class of '04
Well, looking just a few years back maybe Microsoft wasn't a company that took security seriously either. As the demand for people with security training increases I'm sure colleges will deliver.
College can teach some basic security aspects. But it never teaches the real time stuff.
I am doing Masters in Cybersec but when I go on with latest hacks and stuff, I find my study is nothing. The latest technology threats are not at all included nor exposed in any university.
Microsoft might have not considered about security when they came into business or technology but they must provide information about such things to the college which can be a part of study updating regularly.
Training is definitely required when a grad student goes out of his college.