Opinion

Gene Spafford on IT Security Education

While the infosec profession has grown dramatically, the formal curriculum in college education still needs improvement. (Part of the What Happens Next security predictions series.)

By Dr. Gene Spafford

Infosec principles, in general, are not in the regular IT curriculum and a reasonable core curriculum for infosecurity has yet to be determined. Some places, such as Purdue, offer courses in secure programming, but they are electives. A very few places have formally integrated the material into coursework. However, until curricular material is widely available, coverage will be spotty.

Many of the programming flaws that are common are actually taught against in almost every curriculum. For example, every text and course I know about for beginning programming teaches to avoid buffer overflows -- if it is possible in the language being used in the course. Problems arise because students don't pay sufficient attention, because they are pressed for time and avoid the necessary safeguards, because they switch languages to something in which they have not been trained, or because they end up in environments where productivity is stressed more than quality.

There are security problems that are more subtle than programming flaws. Concentrating on those, rather than on the bigger picture, means that in a few years we are likely to have a different list of common problems.

One criticism I hear from some companies is that students don't come out with enough understanding of problem solving for real-world situations. They have really good book knowledge, but not enough understanding of practical application. As a field, we are continuing to evolve. It appears that producing a well-rounded graduate who really knows both the field and practical application would probably take six years. So we are seeing more students go back for master's degrees now to pick up that additional knowledge.

- As told to Joan Goodchild