Blog

Secure Coding 201: Does it Exist?

I constantly hear that recent computer science graduates have not even been introduced to the notion of secure coding. They may have been taught to program in half a dozen different languages and styles, but their assignments have never been run through a static code checker to validate that all the best practices have been followed from a security standpoint. I have interacted with many computer engineers who happily produce insecure (unsafe) products. Secure Coding 101 may not exist, far less 201.

I am reminded of my first Physics test in college, where our professor failed the entire class of 60 since we had all arrived at an incorrect answer to the question, even though our working was correct. In fact, he would deliberately made the question impossible to answer correctly by omitting a crucial piece of information. His explanation was, "You are engineers now. Engineers need to get things right, or people may die. This was to teach you to ask when you don't know." That was a valuable learning experience.

Insecure website programming may not often cause someone's death, but it can and does cause people untold financial, social, or career harm when their private information is stolen by hackersmerely because the page or the application was insecure.

I would like to see a requirement for secure coding to be added to all of the language classes at college level and a commitment by the students to use only secure techniques before they are allowed to graduate.

I have advocated that all programmers being interviewed to work on user interfaces be required to demonstrate some knowledge of secure coding and familiarity with the OWASP top 10 deadly sins, with only limited success. But as breaches of the type that Anthem, Target, JP Morgan, and others have suffered become more prevalent, I hope we can expect more applications developers to pay more attention to security issues and start demanding appropriate experiences during their professional education.

When Secure Coding 201 is a mandatory class, perhaps we will see fewer breaches.