Security Education Privacy United States

Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com) 173

Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.
  • by aussersterne ( 212916 ) on Sunday April 10, 2016 @01:03PM (#51879885) Homepage

    In fact, it's been decades.

    But the academic in me wants to say that computer science is not the right place for courses about practical security. Those should be in IT departments, no?

    • by Hunter-Killer ( 144296 ) on Sunday April 10, 2016 @01:17PM (#51879929)

      Depends on the problem you intend to address.
      Malware clean up, vuln scanning, thumb drive police--IT.
      Sanitizing inputs, not storing sensitive data in plaintext--dev.

      • Re: (Score:2, Insightful)

        by Darinbob ( 1142669 )

        Sanitizing inputs and such, that's programming, not computer science. Also if you want to be good at cyber security you need math. The subject is more of a graduate level one in many ways, though I agree familiarity with it is important. For the average student cyber security will be more of a rote memorization class rather than one that teaches real understanding of the topics.

        • by Anonymous Coward

          I humbly disagree. Programming is applied computer science, in the same way engineering is an applied science. We're expecting these CS graduates to go fourth and do something, and a good portion of that is in implementation.
          Good engineers need to understand the limitations of their theoretical knowledge, and how to apply sound principles in a real world, practical manner. For instance, I've seen blueprints which required a weld at the bottom of a 6 tall square tube, which was 4 inches in diameter. When cal

          • That isn't CS, that is programming.
          • Who will go first, second, and third?

          • We're expecting these CS graduates to go fourth and do something, ...

            Historically, universities were about perpetuating knowledge and the advancement of knowledge. Apprenticeships and professional programs are where people learn to do something practical. Universities were the hallowed halls of pure learning.

            In the beginning, no one foresaw that a pure math specialization would have huge practical use. Some of the greats in computer science never thought their work would ever see use outside of the math department. If memory serves, Bool was extremely pleased that Boole

            • Historically, universities were about perpetuating knowledge and the advancement of knowledge.

              I've heard this often, but people need to accept that this is no longer the case. We're not talking about the sons of the aristocracy anymore. John and Jane Q. Public don't go to university to advance knowledge, they go to get a job. At its most ridiculous, some people go to University to play sports without any actual use for the degree they'll get (and sometimes earn) at all.

      • It's the difference between securing a bank from robbers and manufacturing the vault.
    • by __aaclcg7560 ( 824291 ) on Sunday April 10, 2016 @01:19PM (#51879937)

      Those should be in IT departments, no?

      The IT department can handle deployed applications. Programmers still need to write application code to prevent security issues in the first place.

      • So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?

        • by __aaclcg7560 ( 824291 ) on Sunday April 10, 2016 @03:28PM (#51880529)

          So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?

          Because when I think of the term "computer science," or more precisely the initials "CS," I believe it covers every aspect of computers from the pie in the sky theories to the power button. Apparently, this is a common misconception that many people outside the university system have.

          To paraphrase Robert Kiyosaki of "Rich Dad, Poor Dad" fame: the higher you go for education degrees, the less you learn.

          Translation: universities are pushing out specialists when this country needs generalists.

          • I have no problem with the idea that there ought to be courses on security, just not in CS where (at least when I was a student) that's not really what they do. They're in the business of figuring out/proving/disproving whether things *can be computed in theory* and how, in theory.

            Security just isn't a question that has anything to do with that, and these are people that write comparatively little code. It's not what the discipline is about.

            There *are* people that spend their time learning how to code, and

            • So basically you're saying 99% of people studying CS should be studying something else?

              CS has expanded beyond its math roots. Not all CS even comes out of math departments. Some CS is taught out of the business school (spit). Never hire those people.

              If you want to complain about CS majors who program, you should contrast them with CS majors who don't...that is one useless bunch of air thieves.

              IMHO you should get a pretty good handle on programming with self study in high school or before, if you wan

            • by raymorris ( 2726007 ) on Sunday April 10, 2016 @04:43PM (#51880907) Journal

              Absolutely computational theory is a different beast than most programming. HOWEVER, CS graduates don't generally work as theorists. They very often end up working as programmers, systems architects, etc. They come reasonably prepared- CS is certainly better preparation than my last two bosses had - one major in architecture and the other in electrical engineering. If we're going to teach them the fundamentals of programming and information engineering, we might include an awareness of security as part of those fundamentals.

              Also, there's a lot of work to be done on the more theoretical side of security. Because programmers aren't perfect, wouldn't it be nice to have a provable sandbox, to know, based on mathematical proof, that no program run in some context X can possibly access a resource in some other context Y? How about proving that a set of library functions can't have buffer overflows, regardless of their input? Cryptology is of course all about theoretical, mathematical, "prove the computational complexity" type of thinking. It would be awesome to have an implementation of key exchange that's PROVEN correct.

            • Might I suggest security courses taught as a branch of software engineering? One would learn to integrate security fundamentals within the basic design of an application. Much better than bolting it on after the fact. And those security fundamentals, and the way they are used, will not change. Implementations will - but a degree should be about the fundamentals and not said implementations.

              Software engineering is typically taught as a subset of computer science so I do not see a problem with such cred

    • by rakslice ( 90330 ) on Sunday April 10, 2016 @01:28PM (#51879953) Homepage Journal

      Although there are a lot of CS-level concepts you can teach someone that relate to security, when it comes to "IT security jobs" and the practical security issues that you're going to deal with in them, there is very little connection.

      The analogy that I often use is: Would you expect a physicist to be able to fix your car? I like to think not. Or would a news outlet fall into a similar trap of publishing claims from some company looking for a free marketing opportunity that universities have a responsibility to teach their graduates auto repair?

      At the very least I would expect a news outlet to catch on that "cybersecurity" is not a term that is actually used by many people that deal with the security of software and computer networks.

      • Yeah, this. (Score:4, Informative)

        by aussersterne ( 212916 ) on Sunday April 10, 2016 @03:31PM (#51880545) Homepage

        At least in the CS school I attended, I don't think there were many people that could have "fixed a computer" or "written an application," even amongst the faculty, really. Their job was to answer the question "Can this real-world phenomenon, problem, or pattern be usefully symbolically represented for processing, and if so, how, and with what consequences?" If they were able to answer this question, they'd then toss it over to engineers in the CE department for "Can you design for us an apparatus or a program that carries out this kind of symbolic representation in the interest of computation?"

        Two very separate fields.

    • by fuzzyfuzzyfungus ( 1223518 ) on Sunday April 10, 2016 @01:37PM (#51879975) Journal
      Unfortunately, aside from the intervening decades having led to surprisingly little progress in deciding what 'CS' should actually include (in the sense of a degree, I assume that academic computer scientists have successfully held the line on the 'no, running windows update is not computer science' issue); people don't even have the decency to provide a cogent definition of what they are fretting about the presence or absence of in a CS curriculum.

      'Cybersecurity'. Ok, aside from 'cyber' being a denizen of the worst areas of buzzword hell; do you mean "good software engineering practices with regard to sanitizing inputs"? "How to grovel through IDS logs 101"? "How to not fuck up handling cryptographic keys?" "Side Channels and how to be paranoid enough about them"?

      As is so often the case, it sounds like somebody needs to solve the problem between the keyboard and the chair before we can even begin to have a meaningful chat about whatever they say the problem is.
      • by HiThere ( 15173 )

        I don't know. When I took computer science, it was algorithm design and numerical analysis. Security wasn't even mentioned. But that was before public access to the Internet, so perhaps things are different now.

        However, my expectation would be that security wouldn't be handled under Computer Science. And since Computer Engineering was a major under Electrical Engineering, and included things like designing half-adders, that doesn't sound like the right place either.

        Perhaps there needs to be an Informati

        • In my CS program, it was the same—huge on math and theory and the mathematical representation of concepts, problems, and sequences/patterns. Very little coding. Just enough code in year one to get you able to actually touch keyboards and do the math, but otherwise, very little "applied" technology of any kind.

          That, we were told, belonged to the engineering wing over in computer engineering, who was to worry about implementation of CS concepts and theory, and to the applied/operations wing over in info

          • should have been.

            CS = math + theory
            CE = programming + hardware
            IT = deployment + operations

            That's the way it was at my university back in the '90s. This was at a large school that is in what is now the PAC-12 conference. Each one was a separate, rigorous four-year degree.

          • Even if you're doing a very theoretical CS course, cryptography and information theory should be covered and these are both very relevant to security. Complexity theory and game theory are core parts of computer science and are also fundamental to computer security (what is the worst-case behaviour of this algorithm in the presence of an adversary?). You might not be taught things labelled security, but the fundamental concepts should be there.
        • The internet certainly changes 'security' in some ways (e.g. this may not be a 'CS' problem; but "you have 1 million users; many of them with room-temperature IQs or horribly malware riddled home computers; you need some heuristics to detect compromised accounts aggressively enough that we don't get blacklisted and the world's major email systems won't touch us; but not so aggressively that we piss off customers with false positives or need to expand our customer service department by a factor of ten" is the
    • by gweihir ( 88907 )

      As many of these people will do system architectures and design and some of them will do implementation, I must strongly disagree. Trying to retrofit security somehow to things that were designed without is the core reason for today's mess.

  • by Anonymous Coward on Sunday April 10, 2016 @01:15PM (#51879917)

    Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

    These "top 10 programs" are for preparation for entering graduate school and then going into either academic or industry research work on hard, cutting edge problems, like building new algorithms and so forth. Actually making use of the research and getting a product to market that's reliable and secure can be done by ordinary engineers.

    • Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

      Well said. It's as bad as expecting an EE to know how to change a fuse.

    • Here's a hard problem that's very much in demand right now, that's 100% comp sci. Given that day-to-day programmers are in fact not perfect, it would be awesome for them to have provably secure libraries. Library functions that CAN'T result in a buffer overflow or underflow, for example.

      You want a grander problem? How about a provably secure sandbox? We've seen how "engineered" sandboxes such as Flash, Java, and Android have worked out. Designing a sandbox that provides /emulates a basic CPU while PROVA

      • Designing a sandbox that provides /emulates a basic CPU while PROVABLY not allowing access to any resource outside of the sandbox would be a comp sci project that could advance security in a huge way.

        It exists. You might want to look up Google Native Client. The verifier for it has been formally verified and guarantees that no memory accesses can be to the outside of the sandbox. Of course, that's not the entire problem. It's trivial to prove that a program that has no side effects is secure, but anything useful in a sandbox has to be able to communicate with the world outside of the sandbox. And as soon as it can communicate with the outside world, it becomes a staging ground for attacking the bit

        • I didn't know that the NaCl verifier had been verified. That's very interesting, thanks. In fact I still can't find a reference for that, probably just because Google searches with the word "verified" turn up so many results talking about code verified BY the verifier.

    • by gweihir ( 88907 )

      I strongly disagree. Security is never a "detail". Security must have strong influence on architecture and design, it must take into account and influence algorithms, interfaces, technologies, etc. used, as otherwise it will never work well. Your mind-set is precisely the reason why we have today's mess.

    • Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

      And this, in a nutshell, is why security is still a mess after all these years. It's always unimportant, an afterthought, or someone else's job.

      Most of the security industry exists because software developers did a bad job. In fairness, it's not necessarily their fault. Commercial operating systems are insecure because people want features and a low price, not security, for example.

  • "Cybersecurity?" (Score:3, Insightful)

    by Anonymous Coward on Sunday April 10, 2016 @01:18PM (#51879933)

    Pretty sure you won't find that course in the curriculum of any serious computer science degree run by a math department. "Cybersecurity" would be something that a 15 year old on a bad 80s science fiction tv show would take at the "Academy".

    System security is going to be integral with any serious computer science program. If you don't understand the basics you're not going to make it very far.

    ..Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

    Uh, huh. CloudPassage... right...: "CloudPassage is the leader in software-defined security (SDSec) with a mission of addressing two top inhibitors to cloud infrastructure adoption—security and compliance."

    Tell you what Robert, why don't you train your own employees to match your marketing goals, leave the actual computer science to the math departments of post secondary degree granting institutions. OK?

  • by kuperman ( 7726 ) on Sunday April 10, 2016 @01:29PM (#51879955) Homepage

    As a college professor and computer security researcher, this tidbit certainly caught my eye. There is a growing awareness of computer security and many schools will push the content throughout the curriculum. See the ACM's Computer Science Curricula 2013 for content areas and possible implementations.

    Looking at the article, the final paragraph explains some things:

    CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.

    So, a company I've never heard of issues a press release that they did a "study" (i.e., hired a consultant to look through college course catalogs) that there is a lack in "cybersecurity education" (without actually testing what graduates of those programs know). And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.

    I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.

    • And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.

      If you want your technology to become the industry standard, you need to capture your users when they're young and don't know better. SUN Microsystems, Apple and Microsoft have done that for years by donating or selling products at low prices.

      I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.

      A common practice among many businesses to get attention to their products.

    • by tomhath ( 637240 )

      I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.

      And then get it posted as a slashdot article. Even more publicity (free or otherwise).

    • Re: (Score:2, Informative)

      by geek ( 5680 )

      You aren't being cynical. This is dead on. I work as a threat intelligence analyst and engineer for a Fortune 500 IT department. We have a revolving door of products sold to us in just this way that our exec team falls for. The cyber security biz is rife with snake oil salesmen selling the latest and greatest. I showed my CSO just how bad it was by bringing him into 5 different vendor meetings where we were sold the same exact buzz word salad "They're already in your network! The average detection takes 1

  • by shess ( 31691 ) on Sunday April 10, 2016 @01:47PM (#51880003) Homepage

    I'm entirely serious. I've been blessed to work with some of the best software engineers in industry for a few decades, now, and I have come to the conclusion that security is simply a very hard problem, right there with locking and storing data. Talented engineers routinely write themselves insecure code and defend their code when you point out the problems, right up until you describe how to break it. At the university level, very few students will have the experience necessary to understand security issues except as a theoretical problem which likely happens to other people. Industry would receive far more benefit from things like courses on code testing.

    • by HiThere ( 15173 )

      Security *is* a very hard problem, and if you insist on perfection impossible. This doesn't mean it isn't worth trying for.

      OTOH, some "security" practices are just stupid. E.g., change your password every month to a new alphabetic string longer than 8 characters containing at least one punctuation character and at least one digit. And no repetition. That's a guaranteed recipe for work-arounds that break security.

    • by gweihir ( 88907 )

      That is precisely the point: Engineers and developers with no understanding of IT security always think it is easy and then mess it up badly. Teaching them something about it will make at least the bright ones realize that it is not easy and that they should get expert help when building something that requires security.

  • Cybersecurity experts are NOT professors with multiple PhDs. It's a waste of time to learn anything but the basics from those guys at unholy high dollars per hour colleges charge.

    • by ark1 ( 873448 )
      How many prominent cryptographers do you know without advanced education?
      • by Lumpy ( 12016 )

        And all of them are 100% useless in computer security. They are great at encryption, but they suck as bad as a soccer mom at keeping a hacker out of the network.

  • by mlookaba ( 2802163 ) on Sunday April 10, 2016 @02:23PM (#51880149)

    "The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate."

    This is an excellent example of tailoring a news story to fit a goal. One university (Alabama) requires three security classes to graduate, so that was picked as the benchmark, and obviously all other schools would fall short. Nothing newsworthy was imparted by that little bit of information.

    Computer security certainly is an issue, but it won't be solved by college classes, for the same reason that time/date and character encoding issues will persist until the end of time. Sorry guys.

  • by blindseer ( 891256 ) <blindseer&earthlink,net> on Sunday April 10, 2016 @02:23PM (#51880153)

    I believe that many misunderstand what computer science is and has been in the past. A "science" is an organized study of a field, typically the behavior and structure of the elements in that field. Therefore computer science is a rigorous study of how computers work, should work, could work in the future, and the physics and mathematics behind it. It's a field of applied math and physics. This also means many specializations within that field. One may want to study the mathematical difficulty of an encryption algorithm, or the ability to detect the information transmitted down a data path by an outside observer, both with implications on security but not necessarily a "cybersecurity" study.

    Software engineering is the application of the engineering process to develop quality software. This includes a background in computer science to some extent but not to the rigor that a computer scientist might get. This would include the study of possible failure points and the means to mitigate them. In this field one might think that a class on "cybersecurity" should be taken since a quality software product should be secure, or one might assume that people would be taught that checking data inputs and outputs, and moving data in a way that could not be seen and/or altered by an outside entity as a basic premise of writing software correctly.

    I took computer engineering in college some time ago. I'm now back in college part time because I realized that my education from then did not include a lot of things that have changed since then. One big change is that "software engineering" was not a common term or even a field of study then. My first time through college I had a lot of computer science students in my classes because there was a lot of crossover in course requirements between computer engineering and computer science. I realized real quick that while I was taking classes on the engineering process the computer science people were taking a foreign language. While I was taking a math course on numerical calculus the computer science students were taking history.

    Computer science is a liberal arts program, or at least is in most every university I've seen, and therefore it meets the requirements of a typical liberal arts program. They study a wide variety of fields with an emphasis on the ways a computer works. If you want to see people learn how to write quality software then they need to get an engineering education.

    Don't get me wrong, I've seen computer science majors write very good software, and I've seen engineers fail badly. I'm saying let computer science be computer science. If we make computer scientists take cybersecurity courses then we distract from people that take computer science to become historians, algorithm gurus, professors, and mathematicians. Roll cybersecurity into every software engineering class in a university. If a student declares a variable as globally accessible when it should not then that student should lose points on their assignment. If a student does not check the bounds of an input then dock points. If a student doesn't allocate and clear memory properly, points lost. Properly engineered software is inherently secure.

    I think that a lack of a cybersecurity course requirement in computer science programs is not a bug, it's a feature. If you want to discuss the lack of cybersecurity in software engineering programs then I'll listen.

    • by Octorian ( 14086 )

      Everyone on Slashdot keeps saying things like this. But in the real world, the degree everyone actually doing software engineering gets is... Computer Science.

      That's not going to change until Software Engineering (or similar) is an actual degree offered by a large number of schools, and sought by companies overtly when doing college hiring. (Yes, I know some schools offer a degree with that name, but it's not the common mainstream standard degree for software development.)

  • There's no need to teach CS grads about security. Here's why:

    If a cyber security breach happens, then the company that produced and sold the vulnerable software is never responsible. All end user rights have been signed away in a EULA or some other crooked scheme, so the end user gets to shoulder all the risk.

    Since the company sees no impact of a cybersecurity incident, the company execs take no hit. Since they take no hit, the programmers and CS grads who wrote the crap software that caused the problem in
  • I've never met a project manager or engineer who spent any time designing in proper security. That would delay the deliverable. Security is an afterthought, and left for the deployment phase, usually after the first failed PCI scan. Then the sysadmins and network teams get to scramble to plug the holes.

    • by gweihir ( 88907 )

      While true, more and more often the sysadmin and networking teams can do very little and sometimes nothing at all, because it is a problem typically located in the application-side of things. And there, the complete lack of security-knowledge in those designing and writing the applications is the core problem.

  • At the university I was e-mailed a flyer on how the US Navy is recruiting students in computer science and related fields into an officer program in their cyber warfare division. This indicates to me that they will offer training in cyber security to those that qualify.

    This also indicates to me that many other employers understand that cyber security is not part of a typical undergraduate CS program, and will teach those people on the job if that is a required skill. I recall talking to recruiters for big businesses on what they look for in software developers, and they want engineers. A computer science major might know a lot of programming languages and so on but learning another programming language is something that can be done easily on the job. What is difficult for recruiters is finding people with a good grasp of proper engineering and enough math to understand how to make a computer do what needs to be done efficiently.

    Seems to me that cyber security should lie in the realm of on the job training and/or graduate school. Also, students that learn good programming technique should be writing inherently secure software. Things like good memory management, properly protecting variables, and well documented code should make a program secure.

    Another thing is that there is a lot of code written to perform relatively trivial tasks where security is simply not a concern. Code on embedded systems just don't have any attack vectors, or if they do it's a matter of things like you have to "reboot" a child's toy because it got stuck in an infinite loop. Code written for industry will be used by people which one would hope are trained in its use. This code may have to allow for things that might be "insecure" for work to get done. If the person using "insecure" code ends up making a welding robot weld its own arm to the floor then it's the operator to blame.

    • by Cederic ( 9623 )

      Code on embedded systems just don't have any attack vectors

      Oh, you naive fucking imbecile.

  • Computer vulnerabilities make money for technology companies. Have an Android KitKat 4.4 phone? [androidpolice.com] Sorry, no updates. Buy a new phone.
  • by EmperorOfCanada ( 1332175 ) on Sunday April 10, 2016 @03:05PM (#51880407)
    Keep in mind that most CS programs tend to be run with a bit of a revulsion to practical things. They argue that practical is the realm of CE not CS. Thus there will be classes in database design, as in how the guts of a data store will work, but nothing much on practical database usage. The theory (and not terribly wrong) is that by learning the guts it should be easy to learn the practical, if needed.

    For me I would rather learn both as then the guts of the matter have some practical knowledge that might help it stick.

    So it is no surprise that few teach practical cybersecurity, they probably do cover crypto courses where Diffie Hellman is examined in great detail.

    My simple complaint is that few recent CS grads that I have met really can deliver useful code in quantity. When managing them I often find them reinventing the wheel. I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine". They will then argue that Python is too slow where I point out that my estimate is that the code will run every Friday at 3 am, will probably take 20 seconds and yet only needs to be done by opening on Monday. So even if I were to be wrong by a factor of 100 all is still good.

    The code then runs in 8 seconds.

    So while I am not at all shocked by no cybersecurity training, I do wish that minimally the schools would be a bit more practical so as to allow some of the abstract material to have something to latch on to.
    • I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine".

      A 40-line Python program shouldn't take a week to write. I can understand why CS graduates would wander off into a rabbit hole to write a Haskell state machine. What I don't understand is why you didn't keep a closer eye on them to make sure they didn't dive into a rabbit hole in the first place.

      • I was deliberately handing out rope at a lynching party. This sort of crap had been an ongoing problem. It allowed me to boot him off the team and get an excellent replacement.
        • I was deliberately handing out rope at a lynching party. This sort of crap had been an ongoing problem. It allowed me to boot him off the team and get an excellent replacement.

          I had a boss who tried to do that to me, but I kept a log book and documented everything. HR decided in my favor. His replacement told me to stop documenting management actions and told him to bugger off. Many companies later, I still keep a log book and document everything.

          • If this guy had logged his work it would have read:

            Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

            Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

            Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.

            Took 2 weeks to not even do 1 day's work. Ignored tech
          • One other thing. This guy has made me a whole hell of a lot of money. Every publicly traded company that he ever worked for since his departure I have made unholy large bets against. If their share price was $100 I would buy way out of the money options a year or so in the future betting that it would crack $50. I am not joking when I say that he has never let me down. Blackberry hired him early 2007, I bet a huge chunk of my portfolio on that with about a year until expiry. There isn't a whole lot of volum
    • by Tablizer ( 95088 )

      Keep in mind that most CS programs tend to be run with a bit of a revulsion to practical things.

      They get "credit" for students who go on to academic research or cutting-edge projects. Being good at rank-and-file IT doesn't help the school reputation as much and thus they mostly ignore it.

      It's a silly reputation game and too few call them on it. And it jacks up tuition to boot.

      • As your second comment points out this mostly applies to elite students at elite institutions. Yet I see the same problem at both the elite and third rate CS universities.

        My long standing experience is that most of the students who are fantastic programmers were fantastic programmers before they went to school while everyone else is learning about a linked list they are working on their own OS. Or have just submitted their umpteenth contribution to the Linux Kernel. Then they leave the university (potenti
  • Back in the day, I was taking an undergrad DB design course and asked the professor, "can you give an example of how tableau method is generalized in any commercial or open source DB program?" His response was, "why do you care, we study theory here.." CS academia is so stuck in the clouds of theory that the mere mention of a practical application was reviled. Fast forward [mumble] years and it seems to be that way still.

  • by rsilvergun ( 571051 ) on Sunday April 10, 2016 @04:21PM (#51880805)
    Real computer science is just math with computers. This sounds like businesses are tired of having to pay for some extra specialized training they want which has little to no value outside of their exact use case. I'm seeing this a lot with colleges where more and more they exist to get you ready for one very specific job. That'd be peachy if that job lasted 50 years and then you retire but a lot of times it's so highly specialized you might have trouble finding work in a decade. Meanwhile you're still paying off the $100k of student loans it took to get that training.

    When did the general population stop noticing crap like this?
  • Now that I'm a customer instead of the VAR every time I challenge a vendor on a security issue, the answer is either FDA device no changes allowed or just make sure it's on your secure network. If I get in early enough, I can bounce a vendor in RFP, but some days, we're stuck with a product that cries to be rooted.

  • Cyber Security is an IT (practical) practice, not a "Computer Science" practice.
  • by walterbyrd ( 182728 ) on Sunday April 10, 2016 @07:13PM (#51881497)

    What I mean is, maybe infosec should be part of everything, instead of its own specialization.

    For example, maybe infosec should be part of software development class, and part of a database class, and part of a networking class, and so on?

    Infosec to a network engineer is different than infosec to a Java developer, which is also different from infosec to a system administrator.

  • Why would the Establishment want to teach students that the status quo approach to computer security is nothing but lies and failure?

  • They don't teach error handling either. How many handouts in CS have said "error handling as an exercise left for the reader?" if it's mentioned at all.

    However, it's arguably one of the most difficult designs you can make when you write software.

  • We employ a handful of developers, some in-house some contractors. All but one has had to be taught the importance of some of the fundamentals of secure programming. To see their code, you'd have to assume that they'd never been exposed to the idea of input validation, for example. I don't know if I'd lay the blame wholly on academia, though. Some of our crew are largely self-taught, but still, whatever learning resources they've relied on clearly did not address security.

    IMO, it is inexcusable that those wi
