Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)
Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students to take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students to take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.
It's been a while since I was a CS student. (Score:5, Insightful)
In fact, it's been decades.
But the academic in me wants to say that computer science is not the right place for courses about practical security. Those should be in IT departments, no?
Re:It's been a while since I was a CS student. (Score:5, Insightful)
Depends on the problem you intend to address.
Malware clean up, vuln scanning, thumb drive police--IT.
Sanitizing inputs, not storing sensitive data in plaintext--dev.
Re: (Score:2, Insightful)
Sanitizing inputs and such, that's programming, not computer science. Also if you want to be good at cyber security you need math. The subject is more of a graduate level one in many ways, though I agree familiarity with it is important. For the average student cyber security will be more of a rote memorization class rather than one that teaches real understanding of the topics.
Re: It's been a while since I was a CS student. (Score:2, Interesting)
I humbly disagree. Programming is applied computer science, in the same way engineering is an applied science. We're expecting these CS graduates to go fourth and do something, and a good portion of that is in implementation.
Good engineers need to understand the limitations of their theoretical knowledge, and how to apply sound principles in a real world, practical manner. For instance, I've seen blueprints which required a weld at the bottom of a 6 tall square tube, which was 4 inches in diameter. When cal
Re: (Score:3)
Re: (Score:2)
Who will go first, second, and third?
Re: (Score:3)
We're expecting these CS graduates to go fourth and do something, ...
Historically, universities were about perpetuating knowledge and the advancement of knowledge. Apprenticeships and professional programs are where people learn do to something practical. Universities were the hallowed halls of pure learning.
In the beginning, no one foresaw that a pure math specialization would have huge practical use. Some of the greats in computer science never thought their work would ever see use outside of the math department. If memory serves, Boole was extremely pleased that Boole
Re: (Score:3)
I've heard this often, but people need to accept that this is no longer the case. We're not talking about the sons of the aristocracy anymore. John and Jane Q. Public don't go to university to advance knowledge, they go to get a job. At its most ridiculous, some people go to university to play sports without any actual use for the degree they'll get (and sometimes earn) at all.
Re: It's been a while since I was a CS student. (Score:2)
Re: (Score:2, Insightful)
No. Sanitizing inputs and encrypting sensitive data are still practical concerns, while a university program should be focused on theory. Trade schools or *gasp* on-the-job-training (i.e., apprenticeships) would be better places for it.
We won't let the med school graduate operate autonomously without going through a residency program, because during the course of their career, they could impact thousands of lives. The recent CS grad, on the other hand, is expected to hit the ground running in writing the
Re: It's been a while since I was a CS student. (Score:3)
The problem is that cybersecurity is a mindset. You can't just give one class on the subject. Database classes are not required in undergraduate programs and SQL injections aren't mentioned when your class is more focused on relational algebra.
About 1/5 of that class needs no explanation and 4/5 would claim to understand it if explained to them, but never think about it once they graduate.
Either you get it immediately or it needs to be pounded into you at the workplace. Many workplaces have mechanisms in pl
Re: (Score:2)
Re: (Score:2)
Turning theory into practice is what lab classes and assignments are supposed to be all about, ...
There are no "lab" classes for junior and senior core courses in CS afaik. You have to find your own time working on assignments/projects. Computer security is more about the practical aspect, not theory. Of course, there are many courses in CS that can be used as building blocks in security, but that does not mean CS should be teaching a direct course for computer security. Furthermore, computer security is a very deep subject to be taught and would require a lot more knowledge before one can take the course. The on
Re:It's been a while since I was a CS student. (Score:5, Insightful)
Those should be in IT departments, no?
The IT department can handle deployed applications. Programmers still need to write application code to prevent security issues in the first place.
Re: (Score:3)
So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?
Re:It's been a while since I was a CS student. (Score:4, Insightful)
So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?
Because when I think of the term "computer science," or more precisely the initials "CS," I believe it covers every aspect of computers from the pie in the sky theories to the power button. Apparently, this is a common misconception that many people outside the university system have.
To paraphrase Robert Kiyosaki of "Rich Dad, Poor Dad" fame: the higher you go for education degrees, the less you learn.
Translation: universities are pushing out specialists when this country needs generalists.
Re: (Score:3)
I have no problem with the idea that there ought to be courses on security, just not in CS where (at least when I was a student) that's not really what they do. They're in the business of figuring out/proving/disproving whether things *can be computed in theory* and how, in theory.
Security just isn't a question that has anything to do with that, and these are people that write comparatively little code. It's not what the discipline is about.
There *are* people that spend their time learning how to code, and
Re: (Score:3)
So basically you're saying 99% of people studying CS should be studying something else?
CS has expanded beyond its math roots. Not all CS even comes out of math departments. Some CS is taught out of the business school (spit). Never hire those people.
If you want to complain about CS majors who program, you should contrast them with CS majors who don't...that is one useless bunch of air thieves.
IMHO you should get a pretty good handle on programming with self study in high school or before, if you wan
Not wrong, but grads hired as programmers (Score:4, Interesting)
Absolutely computational theory is a different beast than most programming. HOWEVER, CS graduates don't generally work as theorists. They very often end up working as programmers, systems architects, etc. They come reasonably prepared - CS is certainly better preparation than my last two bosses had - one majored in architecture and the other in electrical engineering. If we're going to teach them the fundamentals of programming and information engineering, we might include an awareness of security as part of those fundamentals.
Also, there's a lot of work to be done on the more theoretical side of security. Because programmers aren't perfect, wouldn't it be nice to have a provable sandbox, to know, based on mathematical proof, that no program run in some context X can possibly access a resource in some other context Y? How about proving that a set of library functions can't have buffer overflows, regardless of their input? Cryptology is of course all about theoretical, mathematical, "prove the computational complexity" type of thinking. It would be awesome to have an implementation of key exchange that's PROVEN correct.
Re: (Score:2)
Might I suggest security courses taught as a branch of software engineering? One would learn to integrate security fundamentals within the basic design of an application. Much better than bolting it on after the fact. And those security fundamentals, and the way they are used, will not change. Implementations will - but a degree should be about the fundamentals and not said implementations.
Software engineering is typically taught as a subset of computer science so I do not see a problem with such cred
Re: (Score:2)
Um, yes, pen and paper and chalk and chalkboard. And math and proofs. Are you lowering mathematics to the level of "fucking philosophy or gender studies?"
Re:It's been a while since I was a CS student. (Score:4, Informative)
Although there are a lot of CS-level concepts you can teach someone that relate to security, when it comes to "IT security jobs" and the practical security issues that you're going to deal with in them, there is very little connection.
The analogy that I often use is: Would you expect a physicist to be able to fix your car? I like to think not. Or would a news outlet fall into a similar trap of publishing claims from some company looking for a free marketing opportunity that universities have a responsibility to teach their graduates auto repair?
At the very least I would expect a news outlet to catch on that "cybersecurity" is not a term that is actually used by many people that deal with the security of software and computer networks.
Yeah, this. (Score:4, Informative)
At least in the CS school I attended, I don't think there were many people that could have "fixed a computer" or "written an application," even amongst the faculty, really. Their job was to answer the question "Can this real-world phenomenon, problem, or pattern be usefully symbolically represented for processing, and if so, how, and with what consequences?" If they were able to answer this question, they'd then toss it over to engineers in the CE department for "Can you design for us an apparatus or a program that carries out this kind of symbolic representation in the interest of computation?"
Two very separate fields.
Re:It's been a while since I was a CS student. (Score:5, Interesting)
"Cybersecurity". Ok, aside from 'cyber' being a denizen of the worst areas of buzzword hell; do you mean "good software engineering practices with regard to sanitizing inputs"? "How to grovel through IDS logs 101"? "How to not fuck up handling cryptographic keys?" "Side Channels and how to be paranoid enough about them"?
As is so often the case, it sounds like somebody needs to solve the problem between the keyboard and the chair before we can even begin to have a meaningful chat about whatever they say the problem is.
Re: (Score:2)
I don't know. When I took computer science, it was algorithm design and numerical analysis. Security wasn't even mentioned. But that was before public access to the Internet, so perhaps things are different now.
However, my expectation would be that security wouldn't be handled under Computer Science. And since Computer Engineering was a major under Electrical Engineering, and included things like designing half-adders, that doesn't sound like the right place either.
Perhaps there needs to be an Informati
Re: (Score:2)
In my CS program, it was the same—huge on math and theory and the mathematical representation of concepts, problems, and sequences/patterns. Very little coding. Just enough code in year one to get you able to actually touch keyboards and do the math, but otherwise, very little "applied" technology of any kind.
That, we were told, belonged to the engineering wing over in computer engineering, who was to worry about implementation of CS concepts and theory, and to the applied/operations wing over in info
Typo: "implementations CE had designed" (Score:2)
should have been.
CS = math + theory
CE = programming + hardware
IT = deployment + operations
That's the way it was at my university back in the '90s. This was at a large school that is in what is now the PAC-12 conference. Each one was a separate, rigorous four-year degree.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I swear, I forgot to check the stupid little boxes on installers enough to set my search engine to Yahoo five times and install at least 3 dumb toolbars.
Uninstalling those toolbars was the bane of my existence as a help desk technician during the 2000's.
Re: (Score:2)
As many of these people will do system architectures and design and some of them will do implementation, I must strongly disagree. Trying to retrofit security somehow to things that were designed without it is the core reason for today's mess.
Re: (Score:3)
It's not like the IT departments are self educated.
Successful IT technicians are the ones who never stop learning. They put in their eight-hour day and go home to work on their technology projects, learn a certification or take night classes to advance themselves. The fastest way to commit professional suicide is to stop learning.
It would basically come down to "always run updated software, because that is what the teacher told us and apart from that, do as we like".
Written by someone who has never worked in a Fortune 500 IT department.
Proper security requires people who actually understand the problem, which points towards the universities.
Here's the problem with the university education: most, if not all, people stop learning after they graduate from school because they're no longer in school.
I h
Re: (Score:2)
Successful companies allow for on the job training.
Most Fortune 500 companies do not provide training. Most of my on the job training has been, "Here's your situation, deal with it and good luck!"
Unless they are switching careers or making up for lost time, nobody should ever be expected to bring work home just to succeed.
The training at home is not for the current job, it's for the next job that I'm planning to get. My current job doesn't require Python, Linux or project management. Those are things I wish to know for the next job in three to five years from now.
We need to move past the elitist "I had to learn it and it sucked, so screw you" mentality in IT.
I did that for six years as a video game tester. For the first three years I was the liaison between the QA and IT depart
Re:It's been a while since I was a CS student. (Score:4, Interesting)
In most situations, certificates are almost worthless, and most classes teach you information without context and that will be old in a few years.
If you're doing IT contract work, certificates are a checklist requirement for HR recruiters. As for my programming classes, I never learned a particular programming language but I do remember all the programming structures. I can write a program in pseudo code and then figure out the syntax of a programming language that I never worked with to implement the program.
I have noticed there are many problems that are hard enough that if someone has to ask how to do something, they shouldn't ever do it.
I had that problem with programming. I didn't understand it until I'd taken all of my mathematics classes in college, worked in the industry for a decade, and then went back to college to learn programming.
Re: (Score:2)
When I was in CS school, it had very little to do with "code" and everything to do with math and theory. CS was the science wing of computation fields. The coding was for the computer engineering and information technology students.
Re: (Score:2)
This is what I think.
It should be required for anyone getting a degree that recommends their ability to write code and create systems.
It should not be required just because someone is getting a *computer science* degree, because (unless the science has completely disappeared) a lot of those guys would have to *first* learn how to code, *then* learn about deployment and networks and users, *then* learn security, and it would take serious time away from the actual thrust of their degree.
People are posting upt
Re: (Score:2)
I went to one of these Top 10 CS program schools (for a graduate degree) and you can tell a lot (probably even the university) by the fact that the CS Department was in the Applied Physics and Math building. It has a lot of math and theory. There are a ton of theory classes. Plus there are SOMEWHAT more practical class in OS's, AI, natural language processing, neural networks, interface design/human factors depending on your interests. All have a huge component of the theory though so that you aren't ju
Top 10 programs are for prepping for research (Score:5, Insightful)
Why would it make sense for them to require a cybersecurity course? That's an implementation detail.
These "top 10 programs" are for preparation for entering graduate school and then going into either academic or industry research work on hard, cutting edge problems, like building new algorithms and so forth. Actually making use of the research and getting a product to market that's reliable and secure can be done by ordinary engineers.
Re: (Score:2)
Well said. It's as bad as expecting an EE to know how to change a fuse.
Provable sandbox, or any provable security (librar (Score:3)
Here's a hard problem that's very much in demand right now, that's 100% comp sci. Given that day-to-day programmers are in fact not perfect, it would be awesome for them to have provably secure libraries. Library functions that CAN'T result in a buffer overflow or underflow, for example.
You want a grander problem? How about a provably secure sandbox? We've seen how "engineered" sandboxes such as Flash, Java, and Android have worked out. Designing a sandbox that provides /emulates a basic CPU while PROVA
Re: (Score:2)
Designing a sandbox that provides /emulates a basic CPU while PROVABLY not allowing access to any resource outside of the sandbox would be a comp sci project that could advance security in a huge way.
It exists. You might want to look up Google Native Client. The verifier for it has been formally verified and guarantees that no memory accesses can be to the outside of the sandbox. Of course, that's not the entire problem. It's trivial to prove that a program that has no side effects is secure, but anything useful in a sandbox has to be able to communicate with the world outside of the sandbox. And as soon as it can communicate with the outside world, it becomes a staging ground for attacking the bit
Interesting, thanks. Can't find a reference (Score:2)
I didn't know that the NaCl verifier had been verified. That's very interesting, thanks. In fact I still can't find a reference for that, probably just because Google searches with the word "verified" turn up so many results talking about code verified BY the verifier.
C strcpy can, Java, Flash strcpy can't. Or can? (Score:2)
We know that C strcpy can result in overflow, as can the C addition operator with its own special version of overflow. But copying a string in Java or Flash can't result in overflow, right? Prove it. The specification for each is simple and clear.
You don't need to prove all of the application software, much can be gained by proving that the language or library is safe from user error (where user means application programmer). Where you DO want to prove some part of the application software to some degre
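The strcpy and addition-overflow points in the post above, together with the earlier wish (in the "Provable sandbox" post) for library functions that cannot overflow, as an added example that is not part of this thread and not anyone's posted code: the unchecked C idioms next to bounded replacements that report failure instead of corrupting memory or wrapping silently. The function names, the 8-byte buffer and the sample inputs are all constructed for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: unchecked C idioms beside bounded
 * replacements that report failure rather than overflow. */

/* The strcpy pattern: nothing here knows how big dst is, so a longer src
 * simply writes past the end of it. Shown for contrast only; the
 * demonstration below never calls it with oversized input. */
void unchecked_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Bounded copy. Returns 0 on success, -1 if src (with its NUL) does not
 * fit in dst_size bytes. On failure dst is set to "" so a caller never
 * sees a silently truncated or unterminated string. It reads at most
 * dst_size bytes of src, so an unterminated src is rejected rather than
 * scanned past. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size) {        /* no NUL within dst_size: would overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n characters plus the terminating NUL */
    return 0;
}

/* Signed addition with the overflow check done before the operation,
 * because signed overflow in C is undefined behaviour, not a wrap you can
 * test for afterwards. Returns 0 and stores the sum, or -1 on overflow. */
int checked_add_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

/* Unsigned multiply for allocation sizes: count * elem_size wrapping to a
 * small value is how an undersized buffer gets allocated and then
 * overflowed by a loop that trusted the original count. */
int checked_mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Copies src into an 8-byte stack buffer and reports: 0 if the copy
 * succeeded and round-trips, -1 if bounded_copy refused it. */
int copy_into_8(const char *src) {
    char buf[8];
    if (bounded_copy(buf, sizeof buf, src) != 0)
        return -1;
    return strcmp(buf, src) == 0 ? 0 : -2;
}

int main(void) {
    /* Constructed inputs for the demonstration. */
    int sum = 0;
    size_t bytes = 0;
    printf("copy 'alice'     -> %d\n", copy_into_8("alice"));     /* 0  */
    printf("copy '0123456'   -> %d\n", copy_into_8("0123456"));   /* 0  */
    printf("copy '01234567'  -> %d\n", copy_into_8("01234567"));  /* -1 */
    printf("INT_MAX + 1      -> %d\n", checked_add_int(INT_MAX, 1, &sum)); /* -1 */
    printf("(SIZE_MAX/2+1)*2 -> %d\n",
           checked_mul_size(SIZE_MAX / 2 + 1, 2, &bytes));        /* -1 */
    return 0;
}
```

The point the post makes carries over directly: a library whose copy and size-arithmetic primitives all take the destination size and return a status is one whose "cannot overflow" property can be argued function by function, whereas strcpy's contract leaves the proof obligation with every caller.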
Re: (Score:2)
I strongly disagree. Security is never a "detail". Security must have strong influence on architecture and design, it must take into account and influence algorithms, interfaces, technologies, etc. used, as otherwise it will never work well. Your mind-set is precisely the reason why we have today's mess.
Re: (Score:2)
And this, in a nutshell, is why security is still a mess after all these years. It's always unimportant, an afterthought, or someone else's job.
Most of the security industry exists because software developers did a bad job. In fairness, it's not necessarily their fault. Commercial operating systems are insecure because people want features and a low price, not security, for example.
Re: (Score:3)
Maybe that's because there are hardly any engineers, "ordinary" or not, in the software industry.
Re: (Score:2)
That would likely improve things significantly.
"Cybersecurity?" (Score:3, Insightful)
Pretty sure you won't find that course in the curriculum of any serious computer science degree run by a math department. "Cybersecurity" would be something that a 15 year old on a bad 80s science fiction tv show would take at the "Academy".
System security is going to be integral with any serious computer science program. If you don't understand the basics you're not going to make it very far.
Uh, huh. CloudPassage... right...: "CloudPassage is the leader in software-defined security (SDSec) with a mission of addressing two top inhibitors to cloud infrastructure adoption—security and compliance."
Tell you what Robert, why don't you train your own employees to match your marketing goals, leave the actual computer science to the math departments of post secondary degree granting institutions. OK?
Re:"Cybersecurity?" (Score:5, Interesting)
You might be astonished how many "serious computer science programs" no longer teach the basics.
When I worked the Google help desk in 2008, I had to walk a newly hired CS graduate through the process of turning on his own PC. He was astonished that no one was standing around to turn on his computer like they do at the university computer lab. I'm always surprised by how little computer scientists know about hardware.
Re: (Score:3)
Most CS grads are utterly useless at troubleshooting or critical thinking as well. They don't teach that anymore. They make great code monkeys that just do what they are told though.
The Good ones learn in about 2 years of real world that the ones that think outside the box and try to figure things out for themselves end up at the top of the pile.
Re: (Score:2)
You bloody moron, that is pretty much verbatim what I saw on another thread.
If you checked the name of the poster, it's my comment.
Either you stole it, or you are spamming your shitty anecdotes all over the web.
This is Slashdot. You must be new around here.
You and ShanghaiBill should get together and play cracker while you decide how best to act like complete belligerent pricks.
I do love trolling the trolls on Slashdot.
Re: (Score:2)
You just stole that quoted phrase from the GP! Give it back now you asshole!
Comments like this is why I think ACs should be abolished from Slashdot. :P
Re: (Score:3)
Which is why I often think that the first class in university computing should be assembler. Possibly MIX or some other really simple virtual machine. (What I'd really like is a virtual IBM 7090, or possibly a bit earlier in that series, but I've never seen one. A virtual Apple ][ would also be good, the i6502 was a nice simple machine. But Apple would probably complain, while the IBM 7090 is out of trademark and patent protection.)
Re: (Score:3)
A virtual Apple ][ would also be good, the i6502 was a nice simple machine. But Apple would probably complain, while the IBM 7090 is out of trademark and patent protection.
The 8-bit computers are still popular with electronic and programming hobbyists. Here are links for the Apple ][ emulator and Apple DOS source code.
http://www.lampefamily.us/jonathan/applepc_emulator/ [lampefamily.us]
http://www.computerhistory.org/atchm/apple-ii-dos-source-code/ [computerhistory.org]
Re: (Score:2)
Re: (Score:2)
A "teaching language" might not be bad either, but it's somehow not the greatest motivator to learn a toy language.
I heard Python has become a teaching language at the community college level.
What they really ended up with was a bunch of students hating Java, then learning C, loving it and absolutely refused to go back to Java.
That's what happened to me. My community college couldn't afford the Microsoft site license to teach C/C++ on Visual Studio (a requirement requested by local employers). I had to learn all flavors of Java in my programming classes. The Linux instructor taught us some command line C/C++ in his classes. When the site license got renewed, none of the lab computers could run MS Visual Studio .NET and it took a while to get new com
Re: (Score:3)
However, it is the concern of Information Technology which is a distinct discipline to CS and should not be conflated.
The Fortune 500 companies I worked for had policies that prohibit help desk and desktop techs from remotely turning on a workstation for a user. Most of the time these policies apply to users who are working from home and have a secondary workstation that's turned off. It's not IT's job to turn on their computers. If a newly hired CS graduate doesn't know how to turn on a workstation (most have a power button in front), he can sit around and do nothing. It's an HR problem, not an IT problem.
Re: (Score:2)
In that case, it would certainly be expected that the CS graduate be capable of powering on a workstation.
Uh, no. If a CS graduate can't turn on his own workstation, I'll have to question his qualifications for the job.
I don't expect any computer scientist to have any training in singular or networked systems administration.
Turning on a workstation isn't a system admin task.
What was the purpose of the study? (Score:5, Insightful)
As a college professor and computer security researcher, this tidbit certainly caught my eye. There is a growing awareness of computer security and many schools will push the content throughout the curriculum. See the ACM's Computer Science Curricula 2013 for content areas and possible implementations.
Looking at the article, the final paragraph explains some things:
So, a company I've never heard of issues a press release that they did a "study" (i.e., hired a consultant to look through college course catalogs) that there is a lack in "cybersecurity education" (without actually testing what graduates of those programs know). And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.
I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.
Re: (Score:2)
And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.
If you want your technology to become the industry standard, you need to capture your users when they're young and don't know better. SUN Microsystems, Apple and Microsoft have done that for years by donating or selling products at low prices.
I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.
A common practice among many businesses to get attention to their products.
Re: (Score:2)
I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.
And then get it posted as a slashdot article. Even more publicity (free or otherwise).
Re: (Score:2, Informative)
You aren't being cynical. This is dead on. I work as a threat intelligence analyst and engineer for a fortune 500 IT department. We have a revolving door of products sold to us in just this way that our exec team falls for. The cyber security biz is rife with snake oil salesmen selling the latest and greatest. I showed my CSO just how bad it was by bringing him into 5 different vendor meetings where we were sold the same exact buzz word salad "They're already in you're network! The average detection takes 1
There's little point to such a course. (Score:4, Interesting)
I'm entirely serious. I've been blessed to work with some of the best software engineers in industry for a few decades, now, and I have come to the conclusion that security is simply a very hard problem, right there with locking and storing data. Talented engineers routinely write themselves insecure code and defend their code when you point out the problems, right up until you describe how to break it. At the university level, very few students will have the experience necessary to understand security issues except as a theoretical problem which likely happens to other people. Industry would receive far more benefit from things like courses on code testing.
Re: (Score:2)
Security *is* a very hard problem, and if you insist on perfection impossible. This doesn't mean it isn't worth trying for.
OTOH, some "security" practices are just stupid. E.g., change your password every month to a new alphabetic string longer than 8 characters containing at least one punctuation character and at least one digit. And no repetition. That's a guaranteed recipe for work-arounds that break security.
Re: (Score:2)
That is precisely the point: Engineers and developers with no understanding of IT security always think it is easy and then mess it up badly. Teaching them something about it will make at least the bright ones realize that it is not easy and that they should get expert help when building something that requires security.
Because "professors" dont have a clue about it. (Score:3)
Cybersecurity experts are NOT professors with multiple PhDs. It's a waste of time to learn anything but the basics from those guys at the unholy high dollars per hour colleges charge.
Re: (Score:2)
Re: (Score:2)
And all of them are 100% useless in computer security. They are great at encryption, but they suck as bad as a soccer mom at keeping a hacker out of the network.
Alarming? Perhaps not. (Score:4, Insightful)
"The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate."
This is an excellent example of tailoring a news story to fit a goal. One university (Alabama) requires three security classes to graduate, so that was picked as the benchmark, and obviously all other schools would fall short. Nothing newsworthy was imparted by that little bit of information.
Computer security certainly is an issue, but it won't be solved by college classes, for the same reason that time/date and character encoding issues will persist until the end of time. Sorry guys.
Computer Science vs. Software Engineering (Score:4, Insightful)
I believe that many misunderstand what computer science is and has been in the past. A "science" is an organized study of a field, typically the behavior and structure of the elements in that field. Therefore computer science is a rigorous study of how computers work, should work, could work in the future, and the physics and mathematics behind it. It's a field of applied math and physics. This also means many specializations within that field. One may want to study the mathematical difficulty of an encryption algorithm, or the ability to detect the information transmitted down a data path by an outside observer, both with implications on security but not necessarily a "cybersecurity" study.
Software engineering is the application of the engineering process to develop quality software. This includes a background in computer science to some extent but not to the rigor that a computer scientist might get. This would include the study of possible failure points and the means to mitigate them. In this field one might think that a class on "cybersecurity" should be taken since a quality software product should be secure, or one might assume that people would be taught that checking data inputs and outputs, and moving data in a way that could not be seen and/or altered by an outside entity as a basic premise of writing software correctly.
I took computer engineering in college some time ago. I'm now back in college part time because I realized that my education from then did not include a lot of things that have changed since then. One big change is that "software engineering" was not a common term or even a field of study then. My first time through college I had a lot of computer science students in my classes because there was a lot of crossover in course requirements between computer engineering and computer science. I realized real quick that while I was taking classes on the engineering process the computer science people were taking a foreign language. While I was taking a math course on numerical calculus the computer science students were taking history.
Computer science is a liberal arts program, or at least is in most every university I've seen, and therefore it meets the requirements of a typical liberal arts program. They study a wide variety of fields with an emphasis on the ways a computer works. If you want to see people learn how to write quality software then they need to get an engineering education.
Don't get me wrong, I've seen computer science majors write very good software, and I've seen engineers fail badly. I'm saying let computer science be computer science. If we make computer scientists take cybersecurity courses then we distract from people that take computer science to become historians, algorithm gurus, professors, and mathematicians. Roll cybersecurity into every software engineering class in a university. If a student declares a variable as globally accessible when it should not then that student should lose points on their assignment. If a student does not check the bounds of an input then dock points. If a student doesn't allocate and clear memory properly, points lost. Properly engineered software is inherently secure.
I think that a lack of a cybersecurity course requirement in computer science programs is not a bug, it's a feature. If you want to discuss the lack of cybersecurity in software engineering programs then I'll listen.
Re: (Score:2)
Everyone on Slashdot keeps saying things like this. But in the real world, the degree everyone actually doing software engineering gets is... Computer Science.
That's not going to change until Software Engineering (or similar) is an actual degree offered by a large number of schools, and sought by companies overtly when doing college hiring. (Yes, I know some schools offer a degree with that name, but it's not the common mainstream standard degree for software development.)
Re: (Score:2)
Sanitizing unit inputs is a beginning, but it's not the end of secure software design.
Of course. That is why the basics of well written software should be part of the assignment but not overshadow it. In the beginning a student should be, for example, taught things like how to grab input from a keyboard and then the next step should be how to check for invalid input. Then show how to filter out bad characters. Then more, and more, and so on.
Things like validating inputs should be taught from the start and be a part of everything that the student writes. As the student progresses to more
There's no need to teach CS grads about security. (Score:2)
If a cyber security breach happens, then the company that produced and sold the vulnerable software is never responsible. All end user rights have been signed away in a EULA or some other crooked scheme, so the end user gets to shoulder all the risk.
Since the company sees no impact of a cybersecurity incident, the company execs take no hit. Since they take no hit, the programmers and CS grads who wrote the crap software that caused the problem in
Business as Usual (Score:2)
I've never met a project manager or engineer who spent any time designing in proper security. That would delay the deliverable. Security is an afterthought, and left for the deployment phase, usually after the first failed PCI scan. Then the sysadmins and network teams get to scramble to plug the holes.
Re: (Score:2)
While true, more and more often the sysadmin and networking teams can do very little and sometimes nothing at all, because it is a problem typically located in the application-side of things. And there, the complete lack of security-knowledge in those designing and writing the applications is the core problem.
US Navy Seeks Cyber Warfare Engineers (Score:3)
At the university I was e-mailed a flyer on how the US Navy is recruiting students in computer science and related fields into an officer program in their cyber warfare division. This indicates to me that they will offer training in cyber security to those that qualify.
This also indicates to me that many other employers understand that cyber security is not part of a typical undergraduate CS program, and will teach those people on the job if that is a required skill. I recall talking to recruiters for big businesses on what they look for in software developers, and they want engineers. A computer science major might know a lot of programming languages and so on but learning another programming language is something that can be done easily on the job. What is difficult for recruiters is finding people with a good grasp of proper engineering and enough math to understand how to make a computer do what needs to be done efficiently.
Seems to me that cyber security should lie in the realm of on the job training and/or graduate school. Also, students that learn good programming technique should be writing inherently secure software. Things like good memory management, properly protecting variables, and well documented code should make a program secure.
Another thing is that there is a lot of code written to perform relatively trivial tasks where security is simply not a concern. Code on embedded systems just don't have any attack vectors, or if they do it's a matter of things like you have to "reboot" a child's toy because it got stuck in an infinite loop. Code written for industry will be used by people who one would hope are trained in its use. This code may have to allow for things that might be "insecure" for work to get done. If the person using "insecure" code ends up making a welding robot weld its own arm to the floor then it's the operator to blame.
Re: (Score:2)
Code on embedded systems just don't have any attack vectors
Oh, you naive fucking imbecile.
Re: (Score:2)
You're implying that there are software engineering jobs for which security is somehow not a required skill.
I'm quite certain I did not imply that, I stated it quite clearly and plainly. There are many software development jobs where training in cyber security is not required.
Also, I did not claim to give a complete list of all ways to write secure software. I also did not claim to give all vectors by which a program can be attacked.
one would have to be fairly knowledgeable about information security in order to truthfully make that claim.
I am knowledgeable on computer security. I have several IT security certifications and took training in several more. I have written code for some very secure systems, the kind th
Conflict of interest (Score:2)
Most CS programs skip SQL (Score:3)
For me I would rather learn both as then the guts of the matter have some practical knowledge that might help it stick.
So it is no surprise that few teach practical cybersecurity, they probably do cover crypto courses where Diffie Hellman is examined in great detail.
My simple complaint is that few recent CS grads that I have met really can deliver useful code in quantity. When managing them I often find them reinventing the wheel. I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine". They will then argue that Python is too slow where I point out that my estimate is that the code will run every Friday at 3 am, will probably take 20 seconds and yet only needs to be done by opening on Monday. So even if I were to be wrong by a factor of 100 all is still good.
The code then runs in 8 seconds.
So while I am not at all shocked by no cybersecurity training, I do wish that minimally the schools would be a bit more practical so as to allow some of the abstract material have something to latch on to.
Re: (Score:2)
I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine".
A 40-line Python program shouldn't take a week to write. I can understand why CS graduates would wander off into a rabbit hole to write a Haskell state machine. What I don't understand is why you didn't keep a closer eye on them to make sure they didn't dive into a rabbit hole in the first place.
Re: (Score:2)
Re: (Score:2)
I was deliberately handing out rope at a lynching party. This sort of crap had been an ongoing problem. It allowed me to boot him off the team and get an excellent replacement.
I had a boss who tried to do that to me, but I kept a log book and documented everything. HR decided in my favor. His replacement told me stop documenting management actions and told him to bugger off. Many companies later, I still keep a log book and document everything.
Re: (Score:2)
Took 2 weeks to not even do 1 day's work. Ignored technical guidance from manager. Work given to co-worker who completed it in 1 day.
Re: (Score:2)
Re: (Score:2)
They get "credit" for students who go on to academic research or cutting-edge projects. Being good at rank-and-file IT doesn't help the school reputation as much and thus they mostly ignore it.
It's a silly reputation game and too few call them on it. And it jacks up tuition to boot.
Re: (Score:3)
My long standing experience is that most of the students who are fantastic programmers were fantastic programmers before they went to school while everyone else is learning about a linked list they are working on their own OS. Or have just submitted their umpteenth contribution to the Linux Kernel. Then they leave the university(potenti
im-practical (Score:2)
Back in the day, I was taking an undergrad DB design course and asked the professor, "can you give an example of how tableau method is generalized in any commercial or open source DB program?" His response was, "why do you care, we study theory here.." CS academia is so stuck in the clouds of theory that the mere mention of a practical application for was reviled. Fast forward [mumble] years and it seems to be that way still.
Um, no shit (Score:3)
When did the general population stop noticing crap like this?
Use your Secure Network (Score:2)
Now that I'm a customer instead of the VAR, every time I challenge a vendor on a security issue, the answer is either "FDA device, no changes allowed" or "just make sure it's on your secure network." If I get in early enough, I can bounce a vendor in RFP, but some days we're stuck with a product that cries to be rooted.
So? (Score:2)
Re: (Score:2)
Completely wrong. IT Security even has questions that fall under "theoretical CS".
Maybe infosec should not be its own discipline? (Score:4, Interesting)
What I mean is, maybe infosec should be part of everything, instead of its own specialization.
For example, maybe infosec should be part of software development class, and part of a database class, and part of a networking class, and so on?
Infosec to a network engineer is different than infosec to a Java developer, which is also different from infosec to a system administrator.
Re: (Score:2)
That's about what I figured.
My point is: security should be more emphasized in all those classes. Security as a separate discipline does not make much sense, since security is different for a Java developer, or a network engineer.
The Emperor has no clothes (Score:2)
Why would the Establishment want to teach students that the status quo approach to computer security is nothing but lies and failure?
They don't teach error handling either (Score:2)
They don't teach error handling either. How many handouts in CS have said "error handling is an exercise left for the reader," if it's mentioned at all?
However, it's arguably one of the most difficult designs you can make when you write software.
The article nailed it. (Score:2)
IMO, it is inexcusable that those wi
Re: (Score:3)
[...] any joker that can pass a security clearance [...]
I'm going to guess that you never had a government security clearance. When I got my government IT job, my two-hour investigative background interview lasted four hours because of two potential red flags. The first red flag was that I lived in the same apartment for 10+ years. Most people on average moved every few years. The second red flag was working multiple jobs for seven days a week for two years after being unemployed for two years (2009-2010), underemployed for six months (working 20 hours per month
Re: (Score:3)
No one is spending any money on security, they just chuck it in as a line item on a job requirements sheet.
The federal government is spending money on computer security. That's how I got my current job in government IT. So many computers, so many problems. I thank Microsoft every day for my job security.
Re: (Score:2)
CS done wrong is mostly math. Done right, nothing but "Theoretical CS" has any business being mostly math.