Spafford Information Security ArticleDownload PDF
Gene Spafford on IT Security Education
While infosec profession has grown dramatically, the formal curriculum in college education still needs improvement. (Part of the What Happens Next security predictions series.)
By Dr. Gene Spafford
November 17, 2008 — CSO — The majority of programs at colleges and universities around the country are certainly doing a good job of training people to go into positions in IT. In fact, we have a greater demand among employers for students than we have students to fill positions. That said, there are some areas where we lack students who graduate with the right amount of expertise and focus. IT security and cyber forensics are areas where we have a critical need for workers in the field.
Computer science has been undergoing a transition over the last few years in academia. We've gone from teaching fundamentals for construction and systems to focusing more on all the places where computing can make a difference. The transition has been more to concepts at higher levels, with languages and graphics and network computation, than we saw five years ago. Before, computer science was focused more on program solutions around individual host computers and only some distributed computation. Now we are seeing more and more with large scale networks, cloud computing, Google apps, just to name a few. The field is shifting in that direction.
The security implications of these things are not known, or are being dismissed. The companies pushing these solutions are more interested in the business case than in the possible negatives. For instance, there are some interesting issues related to privacy of information that is stored and calculated remotely -- companies that have access to that data may be able to use it in marketing, which means more profit for them. They aren't motivated to find new ways to protect it.
Universities don't often have a financial interest in a particular technology. Thus, they are often in a better position to compare technologies, find flaws, look at unusual extensions, and otherwise explore the issues.
There are now areas of specialization that need more concentration at the machine level -- lower level network protocol, assembly language and analysis. But these areas are not part of the core curriculum anymore and often not even offered as electives because so few students are interested in these machines-level areas. Interest waned because for many schools, the kinds of employers that court students, that pay the most, and where student interest lies, require that higher level skill set. If you are Google, Yahoo, Amazon or Ebay, you want students that can do high-level, network-level programming and handle web-design issues. This creates a problem for students who need lower-level knowledge as a specialization area. If someone is going into a field that needs to do real-time control in aircraft, or needs to do forensic analysis of malware for criminal activity, they need a very different skill set.
Infosec principles, in general, are not in the regular IT curriculum and a reasonable core curriculum for infosecurity has yet to be determined. Some places, such as Purdue, offer courses in secure programming, but they are electives. A very few places have formally integrated the material into coursework. However, until curricular material is widely available, coverage will be spotty.
Many of the programming flaws that are common are actually taught against in almost every curriculum. For example, every text and course I know about for beginning programming teaches to avoid buffer overflows -- if it is possible in the language being used in the course. Problems arise because students don't pay attention sufficiently, because they are pressed for time and avoid the necessary safeguards, they switch languages to something where they have not been trained, or they end up in environments where productivity is stressed more than quality.
There are security problems that are more subtle than programming flaws. Concentrating on those, rather than on the bigger picture, means that in a few years we are likely to have a different list of common problems.
One criticism I hear from some companies is that students don't come out with enough understanding of problem solving for real world situations. They have really good book knowledge, but not enough understanding of practical application. As a field, we are continuing to evolve. It appears that producing a well-rounded graduate who really knows both the field and practical application would probably take six years. So we are seeing more students go back for masters degrees now to pick up that additional knowledge.
- As told to Joan Goodchild