To ensure that security is built into digital systems and products by design, the U.S. federal government and cybersecurity experts have called for increased investment in cybersecurity skills and training across the technology sector.
CISA Director Jen Easterly recently called on colleges to include security as a standard component of computer science classes, but some cybersecurity education experts say that, while the sentiment makes sense, it is not expected to have much impact.
Easterly’s comments, which came shortly before the release of the US National Cyber Strategy in March 2023, addressed the notorious cyber skills gap, which expanded by 26.2% in 2022 according to (ISC)2. Closing that gap was an important factor in the strategy.
The new strategy places the onus on both governments and broader industry to address this issue.
Despite this emphasis, some cybersecurity experts do not believe that Easterly’s comments will have any meaningful impact on how computer science courses are run.
Amy Baker, security education evangelist for secure coding training platform Security Journey, commented:
Baker and her counterpart Jason Hong, a professor in the Human-Computer Interaction Laboratory at Carnegie Mellon University’s School of Computer Science, said that many information security experts have pushed similar messages over the years.
A major barrier to security-by-design technology today is the lack of focus on security in college computer science courses.
In raising this issue, Easterly also urged the tech industry broadly to take greater responsibility for security by design in its products and services, in line with the goals of the National Cyber Strategy.
A deep-seated problem
However, Hong pointed out that many factors are involved in explaining the current situation: “It often takes precedence over other functional requirements.”
He added that it is difficult for universities to attract high-quality cybersecurity professionals to their institutions because the salaries they can command are relatively low compared to working in government or industry.
Hong also pointed out that “many developers today don’t take formal computer science courses.” According to a 2022 study, 62% of developers learned to code in a college or university environment, leaving 38% who have not taken classes in these formal environments. It is difficult to know what level of security knowledge and training these individuals have.
The increase in software vulnerabilities over the last few years may be partly due to the general lack of security training in these courses, especially since computer science graduates usually go on to software development roles.
Baker said a big part of the problem is that many developers she encounters don’t even think about cybersecurity until they’ve written the code.
“A lot of people lack a basic understanding of why security should be part of their responsibility because it wasn’t included as part of the curriculum in the first place,” she points out.
Baker added that this is why technical organizations increasingly need to arrange basic security training for their staff in the workplace. Continued education is needed anyway, but understanding cybersecurity threats and changing approaches requires a foundational knowledge before taking a developer position, she said.
Solving the problem
Hong outlined a number of initiatives that should be taken to significantly enhance security education in universities.
First, he argued that the security element of computer science courses should be more hands-on. This includes guidance on security configuration covering important measures such as avoiding the use of default passwords and building in access controls.
The second is education about common attack methods that are easily remedied but continue to “haunt” developers, such as buffer overflow attacks. “If you don’t recognize it, you can’t avoid it,” says Hong.
Additionally, he believes it would be helpful to provide insight into specific security tools on the market, for example which cryptographic toolkits are best. “We have to find the right balance between not being a vocational school and allowing people to learn very quickly when they actually go out into these places,” he explained.
Baker agreed, suggesting that a good place to start is to present students with the OWASP Top 10 list of the most common vulnerabilities.
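Hong’s buffer overflow point is the kind of hands-on lesson he describes: the bug is easy to recognize once a developer has seen it, and the fix is simple. The following is an added C example, not code from the article or from any of the people quoted, showing the unsafe fixed-buffer copy beside a bounded version that rejects oversized input instead of writing past the end of the buffer. The `NAME_MAX` limit and the `greet_*` function names are assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration (15 characters plus the NUL). */
#define NAME_MAX 16

/* Unsafe pattern: strcpy copies until it finds a NUL byte and never looks
   at the size of the destination. Any name of NAME_MAX bytes or longer
   overwrites whatever sits after buf on the stack. Shown only so the
   pattern is recognizable; it is never called with oversized input here. */
void greet_unsafe(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);
    printf("Hello, %s\n", buf);
}

/* Hardened copy: scans the source no further than dst_size bytes, rejects
   anything that would not fit together with its terminator, and always
   leaves dst NUL-terminated on success. Returns true on success and
   false when the input is rejected. */
bool copy_name_checked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') {
        len++;
    }
    if (len >= dst_size) {
        return false; /* no room for the terminator: refuse, do not truncate silently */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Same behaviour as greet_unsafe for well-formed input, but long input is
   reported and refused rather than corrupting the stack. */
bool greet_safe(const char *name) {
    char buf[NAME_MAX];
    if (!copy_name_checked(buf, sizeof buf, name)) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_MAX - 1);
        return false;
    }
    printf("Hello, %s\n", buf);
    return true;
}

int main(void) {
    greet_safe("Ada");                                        /* accepted */
    greet_safe("this name is far longer than sixteen bytes"); /* rejected */
    return 0;
}
```

The point a course can make with a pair like this is that the safe version differs from the unsafe one only by an explicit length check before the copy; compiling with warnings enabled and running the program under a sanitizer (for example `-fsanitize=address` with GCC or Clang) shows the difference between the two functions immediately.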
According to Hong, a more practical focus requires closer cooperation between academia and industry. He believes that more data sharing from companies, such as data on the most effective security practices they use and insights into actual data breaches, would help universities improve security education.
Hong said that having more industry professionals come to universities for guest lectures would be the perfect platform for “talking about hard-won knowledge and stories we don’t know.”
Providing incentives
Big fines for violations could be the incentive companies need to take developer training seriously, Baker suggests.
“Something has to happen to make people care about software security,” she said.
Hong added that companies should create more positive incentives to help developers fulfill their security responsibilities. This means finding ways to reward the effort developers put into keeping products safe.
“If you can do that, things will be much easier,” he said.
The U.S. National Cyber Strategy is committed to incorporating security by design into digital products and services. Fundamental to this approach should be developing the skills and knowledge of the people who create these technologies. That should start in the educational system, embedding security-by-design principles before future developers begin their careers.