David A. Wheeler's Blog

Thu, 17 May 2012

Award, and learn how to develop secure software!

I just received an award from George Mason University (GMU) — thank you! I’m grateful, but I think this award means something bigger, too: Anyone developing software should learn how to develop secure software (you might even get a raise!). Here’s how I connect those seemingly unconnected points.

First, the award. I received the “outstanding adjunct faculty” award from GMU’s Department of Computer Science on May 16, 2012. This award is based on comments from both students and faculty. Thank you! Although it’s not the only class I’ve taught at GMU, I’m mainly known for teaching Secure Software Design and Programming (SWE-781/ISA-681). It was this work, teaching SWE-781/ISA-681, that was specifically cited in the award ceremony by Sanjeev Setia (chairman of the Computer Science department).

I have a passion about developing secure software. I believe that today’s software developers need to know how to develop secure software, because most of today’s programs routinely connect to a network or take data from one. If you’re a software developer, please consider taking a course that teaches you how to develop secure software (or take courses that embed that information in them). If your college/university doesn’t offer it, tell them that they need such material. And if you influence the selection of courses available at a college/university, please convince them to add it! I am delighted that George Mason University offers this course; I believe it is important.

Perhaps my favorite story from my class is that one of my students got a raise at work by applying the material he learned in class. Another student reported that he was asked at his work to present his school project and to help organize an effort to raise software security awareness. Here are some quotes from former students (using their name when they said it was okay):

  1. “… GMU should… make the course (or something like it) mandatory for all CS graduates. Cyber threats are everywhere and becoming more numerous by the day. Exploits of insecure code are causing millions of dollars in damage (especially to companies’ reputations). Developers — even those who work for companies where security is supposed to be a top priority (like where I work) — are still not security-minded enough to avoid common pitfalls in either design or implementation. At my job, I have been to a 2 or 3-day training that covered similar topics as this course. All of the developers were supposed to go to this training. However, due to the short time schedule, the training was far more limited than the class. We were not able to go into too much depth on any of the topics… I continue to run into insecure coding practices in the real world… For example, numerous web sites will store passwords unencrypted and conveniently send it to you unencrypted over e-mail (not secure) when you register. There are built-in libraries to make the passwords many times more secure in most web programming languages. Developers are just not using them. What we need is more security-focused developers. The only way to get them is to train them. One of the best ways to train them is when they are just starting out (i.e., in college). Nearly all CS courses should emphasize the security aspects and implications of the algorithms and principles being taught. All CS professors should be trained on a regular basis in secure coding principles so that they can adequately pass that knowledge on to their students. If GMU doesn’t do its part to help CS students learn how to be secure, we’re going to continue to have too many security vulnerabilities that could have been avoided.” - Carl Bohman
  2. “I would like to thank you for giving me the opportunity to be one of your students. By the end of your class, I was confident enough to go ahead with my idea. I developed an Android application for file sharing over wireless local area networks. Before taking the class, I had no idea what an SQL injection was, but now all my database transactions are protected against SQL injections. Also, I utilized what I have learned about SSL/TLS. I have created my application with security in mind… Around two weeks ago, I published my application and so far, I have more than 600 users on Google Play and SlideME… have a look at WiFizer at http://wifizer.net…”
  3. “Your class got me a raise at work… I feel that your class has directly [led] to higher levels of reliability and security in some of our nation’s voting systems all while assisting me in developing cost reduction methods… Understanding any complex software-driven system is obviously a tricky task. It is often difficult to understand what types of issues I should be looking for when performing source code review and reviewing test methods… Your practical input and answering questions (even staying late) helped many of my classmates… your class has a direct impact of many of my job functions. Not only that, the books and papers your assigned was not filler - all your books and papers are either well-known for their value in the Information Security/Assure community and/or highly praised on amazon by other leaders in the field like yourself… Your class is tied for first place with me (along with Angelos Stavarou’s [OS Security Class])… [you] made it exciting, useful, and approachable.”
  4. “I took up ISA681 in Fall 2011. And the effects are rewarding. I have been working as a Research Assistant since and your stress on sanitizing inputs has helped me not only on a security front but also to solve on problems with data normalization which often happens with data collected in the real world. Thank you for the amazing learning experience.”
  5. “In general, your course has created an awareness about security in any piece of written code or while using third party libraries… [At work] we fixed a couple of persistent and non-persistent java_script injection attacks last year and your course work was fresh in my mind at that time… Some of the other things that we use are PreparedStatements for SQL. Since we code review all our commits, static analysis and some principles of software testing flow graphs have been pretty useful in finding defects while refactoring code… This course is definitely worth taking and the project was very interesting and fun. It helps us put into practice what we’ve learned and we generally tend to remember projects more compared to lectures.”
  6. “This course helped me understand that security must be built in from the start not added on later. By understanding what kinds of programming errors can expose security vulnerabilities, I am better able to write code that is more secure. I also learned a lot about testing and how “bad people” find vulnerabilities and use them to steal. I actually think this class should be included as a core course for SWE, CS and INFS. And a version of it should be required for undergrads as well. By having this class as an elective, I’m not sure how many students take it…” - Leslie Jeffries
  7. “I really enjoyed your class and it has helped me on my current job quite a bit. I work in a classified environment and although we run our production system isolated from [the] internet the security of our system is still highly valued. Since your class I have been able to decrease the vulnerability of the code I write as well as make more valuable contributions to code reviews. My level of knowledge in secure coding is much deeper than it was prior to your class. I also feel I am more security conscious than many of my peers. Outside of my day job, I’ve also spent the last couple of years working on a prototype that I plan to build a company around. The nature of this product is deeply rooted in many of the topics we discussed in your class and I still review your course materials frequently. [The class] was among the top few classes in all of my MS studies.”
  8. “[I’m] looking for work [and] in my interviews I often get a chance to talk about the group project which I participated in for your class and how we included features in our design which made it more secure. I must have learned something relevant because some of the interviewers seemed to know what I was talking about… I think that the size of our class should convince you and others that the course is worth teaching…” - Daniel Ryan
  9. “I work for a government agency as a security analyst and my team and I perform static code analysis to identify vulnerabilities in software developed in house before they are sent into production. The most challenging part of our job is educating developers about vulnerabilities and the potential damage they could do in case they were exploited by an attacker.”
  10. “This was indeed a very good learning experience for me. And I promise I will apply security features in all my work as a software professional!”

I hope these reports will convince you that anyone developing software should learn how to developing secure software — such as by taking a course like this. People are reporting that this course was really valuable, and in some sense, I am receiving an award because this material is directly useful and important. If you’re at GMU, or considering it, by all means take my class! And again, if you influence the courses taught at a college or university, please make sure that they teach how to develop secure software in some way. The knowledge of how to make more secure programs exists; now we need to share it with the people who need it.

Oh, and here is the certificate — my thanks to everyone who recommended me.

path: /security | Current Weblog | permanent link to this entry