Chris Wysopal is Founder and Chief Security Evangelist at Veracode.

As cyber threats grow increasingly sophisticated, secure software is now an existential business priority. Shockingly, over 70% of organizations are carrying mounting security debt, and almost half have potentially critical vulnerabilities outstanding in their code.

Integrating secure coding practices from the start of the software development process is pivotal to detecting and resolving coding flaws early. Recent high-profile incidents, from the vulnerabilities in Ivanti’s Connect Secure to the backdoor discovered in the open-source compression library XZ Utils, highlight why proactive secure-by-design measures are essential to safeguarding businesses and communities from costly disruptions.

The Cybersecurity and Infrastructure Security Agency (CISA) is now pushing companies to pledge adherence to secure-by-design principles, a positive step toward defending against cyberattacks. Universities, however, are still behind in preparing students for these practices. Programmers entering the workforce come from schools where secure coding is barely mentioned, let alone taught, exposing a real weakness in computer science education.

Despite requests over the past decade for schools to give security greater priority in the computer science curriculum, it continues to be left on the back burner. CISA recently called out universities for ignoring the importance of secure software, saying academia was “producing a software developer workforce that enables increasingly damaging cyberattacks.” Of the top 24 computer science universities in the country, 23 do not require cybersecurity as part of the curriculum; it is an elective.

It is past time to sound the alarm on teaching secure-by-design practices. Universities need to address the realities of the cyber world and equip the next generation of software developers with the essential skills to minimize exploitable vulnerabilities.

The Critical Need For Secure Coding

Gaps between what academia teaches and what the industry requires aren’t uncommon, but they are typically a non-issue because recent graduates pick up the skills they are missing on the job. In computer science, however, this is not always the case. Graduates who enter the workforce unable to write secure code compound an already pressing problem: software that ships open to attack or failure.

Fueled by machine learning and artificial intelligence, cyber incidents are quickly becoming more advanced. The problem is even more acute as AI-assisted coding (but not secure coding) becomes increasingly prevalent in computer science curricula. Research suggests that code developed by AI contains the same percentage of flaws as code written by humans. Other research suggests that programmers fail to identify incorrect AI-generated code more than a third of the time.

According to CISA, attacks often exploit simple weaknesses that any developer with basic security knowledge could prevent with more secure coding. Universities must require courses that stress the importance of tightly integrating software development and security from the start.

Equipping students with application security (AppSec) tools commonly used in companies will help them understand how to code securely—while teaching them that secure coding doesn’t have to be overly difficult or time-consuming.

Putting AppSec Tools Into The Classroom

Several factors play into the absence of secure coding education, but the most glaring is that some faculty members simply don’t know enough about the security field. This creates the academia-industry security gap, which continues to widen as software development toolchains constantly evolve. Academia struggles to keep up, and students get lost in the process, missing out on the chance to learn a critical and highly demanded skill.

Developers need to understand the basics of how attack vectors put applications at risk, which involves specific concepts that computer science curricula lack. Training modules focusing on secure coding and AppSec principles must become a prerequisite of any course.

One approach to integrating secure coding into computer science courses involves the use of application security technology.

For instance, in an “Introduction to Security” class taught by one of our clients, students first review provided source code by hand for potential security flaws and compile a list of technical risks. They then run automated analysis tools over the same code and compare the two sets of results to identify flaws they overlooked during the manual review.

Students also complete a Defects and Vulnerabilities Report as part of their senior capstone project, further applying these tools and techniques. This method helps students gain practical experience in secure coding practices and introduces them to industry-standard tools used in cybersecurity.
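To make the manual-versus-automated exercise concrete, the following is an added example, not material from the course described above and not Veracode’s tooling. It pairs a small, deliberately flawed snippet (constructed for this illustration) with its hardened form and a minimal checker built on Python’s `ast` module that implements two rules in the style of a static analyzer: dynamically built SQL passed to a DB-API `execute()` (CWE-89) and dynamically built command strings passed to `os.system`/`os.popen` (CWE-78). The rule ids `SQLI` and `CMDI`, the sample functions, and the helper names are assumptions made here for illustration.

```python
"""Added classroom-style illustration: compare a reviewer's manual list of
risks with the output of a tiny automated checker.  Sample code, rule ids
and helper names are constructed for this example."""
import ast
from typing import List, Tuple

# Constructed sample handed to a reviewer.  Both flaws are intentional:
# string-built SQL (CWE-89) and a shell command built from input (CWE-78).
VULNERABLE_SRC = '''
import os
import sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def ping(host):
    os.system(f"ping -c 1 {host}")
'''

# Hardened version of the same code: parameterised query, argv list, no shell.
HARDENED_SRC = '''
import subprocess
import sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()

def ping(host):
    subprocess.run(["ping", "-c", "1", host], check=False)
'''

Finding = Tuple[int, str]  # (line number in the scanned source, rule id)


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "a" + b, "%s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "...".format(b)
    return False


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'os.system' or 'cur.execute'."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def scan(source: str) -> List[Finding]:
    """Minimal static-analysis pass with two rules; findings sorted by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _callee_name(node)
        first = node.args[0]
        # SQLI: DB-API execute() whose query text is built dynamically.
        if name.endswith(".execute") and _is_dynamic_string(first):
            findings.append((node.lineno, "SQLI"))
        # CMDI: shell command string built dynamically.
        if name in ("os.system", "os.popen") and _is_dynamic_string(first):
            findings.append((node.lineno, "CMDI"))
    return sorted(findings)


def missed_by_manual_review(manual: List[str], automated: List[Finding]) -> List[Finding]:
    """Tool findings whose rule id the reviewer's manual list did not mention."""
    return [f for f in automated if f[1] not in manual]


if __name__ == "__main__":
    auto = scan(VULNERABLE_SRC)
    print("tool findings:", auto)                          # -> [(7, 'SQLI'), (11, 'CMDI')]
    print("missed by a reviewer who only listed SQLI:",
          missed_by_manual_review(["SQLI"], auto))         # -> [(11, 'CMDI')]
    print("hardened version:", scan(HARDENED_SRC))         # -> []
```

The point of the exercise is the comparison step: a reviewer who spotted the SQL concatenation but not the shell command sees exactly which class of flaw they missed, and re-running the checker on the hardened code shows the fix clearing both rules. Real analyzers track data flow from untrusted sources rather than pattern-matching call sites, so this checker will miss flaws (a query built in one statement and executed in the next) and is only a teaching stand-in.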

Conclusion

The lack of secure coding education in computer science programs is an ongoing issue. It has now reached a critical stage in the face of increasingly sophisticated attacks enhanced by AI and machine learning technologies. Organizations, meanwhile, are producing more software code than ever, often with the help of AI.

Secure software needs to start at the beginning of the software development lifecycle with developers who have foundational knowledge of secure-by-design practices. That requirement includes recent graduates entering the workforce.

Academia must integrate a strong emphasis on secure coding and application security principles as a core element of computer science curricula. Empowering the next generation of software developers to write secure code will enable organizations to better manage their risk profiles.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.