Software firms fault colleges' security education

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    510

    Software firms fault colleges' security education

    http://news.zdnet.com/2100-1009_22-5...=zdfd.newsfeed

    Software companies are taking colleges to task for not producing computer science graduates who know how to create secure programs.
    Fred Rica, a partner in PricewaterhouseCoopers' Threat and Vulnerability Assessment Services, likened the situation to sports.

    "Colleges produce athletes capable of going on to the NFL because their football programs know what is needed," he said. "We have to be very clear what types of skills we need from future graduates."
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    It's not that far fetched. Colleges and universities train students in a specific field. The problem that I've heard (not being a programmer) is that quite often poor methodology is imparted on the students. When we developed our applied degree program (we're still waiting for Ministry approval) we had a business workgroup suggest what they were looking for in a graduate. This can help us educate graduates more for what is expected in the workplace and make them more "marketable" right from the get go (something that is hard in the Catch-22 IT problem: want to get experience in security but need experience in security to get hired to get experience but.. ).

    If companies are clear as to what they expect and if they come on board with part of that education (guest lectures and such), they'll get a better benefit and so will students.

    At least from my point of view as an educator..
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I hate that they don't teach us security.

    Heck, they have absolutely no security classes at all.

    I've taken a number of courses where security should be a main factor, but there is rarely any mention. If you are taking a course on how to plan and set up a network... shouldn't there be a big emphasis on security?

    I did a case study for one of my cisco classes where you have to design a network. My group was the only group that included plans for access controls. The only reason we had that was because I was in their group.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I've taken a number of courses where security should be a main factor, but there is rarely any mention. If you are taking a course on how to plan and set up a network... shouldn't there be a big emphasis on security?
    Yup. And if you ask the prof to include security in their course they will probably reply "There's already security in there and we're covering a lot as it is". What they don't realize is that while they may see certain things as having security or being part of security, unless they explicitly identify it as this is the accepted methodology or procedure as to how something is done and why it's done, students will miss out on a huge, important part of their education.

    I've given up on trying to convince colleagues to do this and decided to circumvent them completely with a specialized degree. It's too important today to assume that "students will get it". They won't. That's why there is a professor that's supposed to show them how to get it.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Wouldn't most code by a new programmer be looked at by a more senior programmer or manager? If that's the case, and the company is promoting these people, aren't they as much at fault as the schools that they are blaming?

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Wouldn't most code by a new programmer be looked at by a more senior programmer or manager?
    Yes but that doesn't absolve the college from educating people the right way. When people go through medical courses, they go through a fairly stringent training to minimize errors. It isn't just dependent on the senior physician to monitor them.

    If that's the case, and the company is promoting these people, aren't they as much at fault as the schools that they are blaming?

    Only if they know what's good coding and what isn't. Some companies do and they run into issues of not being able to find enough good coders/networkers because of a lack of security training. This means that companies that do pay attention to this will have to pay extra for training. There are many companies, however, that don't know good methodology (I've seen it in network setups quite often) and just "want things to work".

    Personally I'd rather have someone trained well from the get-go than have to do it after the fact. (e.g., MS sending 8,000+ coders off for security training)

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by whatthe
    Wouldn't most code by a new programmer be looked at by a more senior programmer or manager? If that's the case, and the company is promoting these people, aren't they as much at fault as the schools that they are blaming?
    As I do work for several software development shops, I can tell you that many have little or no code review at all. They insist on the HONOR SYSTEM. No matter what I suggest to them regarding code integrity policy, it goes right over many managers' heads. As far as many are concerned, they want code checked into CVS or Source Safe sooner than later so releases can hit the door.
    QA will run their "test scripts" usually defined by developers and want no questions asked.
    Engineers are a sensitive bunch...

    Even at larger tech companies, I have seen only minimal code review processes, often only a developers' meeting (monthly) where only a section of code is checked at a time.

    These days, activities that don't have direct or immediate impact on the bottom line are risks worth taking to some managers unfortunately.

  8. #8
    () \/V |\| 3 |) |3\/ |\|3G47|\/3
    Join Date
    Sep 2002
    Posts
    744
    Originally posted here by MsMittens
    Yes but that doesn't absolve the college from educating people the right way.

    Personally I'd rather have someone trained well from the get-go than have to do it after the fact. (e.g., MS sending 8,000+ coders off for security training)
    Have you heard of CompTIA's NITAS (National IT Apprenticeship System) program? They are wanting to reverse this very problem. We had a meeting here at work a few months ago with CompTIA and the Dept. of Labor regarding this new certification. The problem they are trying to solve is that of certificate holders and / or graduates who have mainly demonstrated their knowledge through test-taking not really knowing how to do the job. The point being that knowing an answer on a test does not mean you are prepared to walk into an IT job (software, networking, security) and really know what to do.

    This is still a new (and lengthy) process and only a handful of schools meet the requirements to participate in this program. Hopefully, as more and more adapt their curriculum to meet the CompTIA / NITAS requirements, new IT graduates will be more "well-rounded" and able to handle all aspects of their IT job....including security.

    NITAS

    Go Finland!
    Deviant Gallery

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Have you heard of CompTIA's NITAS (National IT Apprenticeship System) program?
    Very cool. I've sent that link off to my boss. We've won an award for the way we teach (Open Source Education) and we emphasize hands-on versus straightout testing. I know that for our last two semesters we've had 100% employment in our Co-op program (and had jobs left over!) so I figure we're doing something right. This might be something we could do with our Applied degree program.
