Security lessons still lacking for computer science grads

Computer science majors have good job prospects, but the vast majority lack an understanding of security and the fundamentals of secure programming

This year's crop of college graduates is preparing to leave school and join the workforce, and the computer science majors among them appear to have good prospects. Development and software engineering jobs have grown significantly over the last five years, according to job site, with software engineers for social media, mobile applications, and cloud infrastructure currently in the highest demand. In fact, the U.S. Bureau of Labor Statistics expects jobs for software engineers -- who design applications -- to grow by a third in the next seven years.

Yet in one key way today's graduates are unprepared to enter the workforce: The vast majority will lack a solid understanding of computer security and how to make their applications secure, experts say. Most top computer science programs don't require students to learn the fundamentals of secure programming -- an oversight that will continue to hurt application security in the future, said David Koretz, CEO of security firm Mykonos Software.

"If you look at computer science and software engineering programs today ... the crazy thing that blew me away is there is not a single required class on security for any of our computing science or software engineering grads," Koretz said. "You can go through five years of training and yet you will not know anything about security."

This week Mykonos became the latest company to start working with undergraduate programs -- in this case the Rochester Institute of Technology in New York -- to improve the security preparedness of computer science graduates. Microsoft also has made calls for better training of graduates and worked with undergraduate programs to add security education to their curriculum. And last year Solera Networks offered universities a free security appliance if they used it in their training.

In 2009, the Center for Strategic and International Studies, the SANS Institute, and the U.S. Department of Defense (DoD) launched a series of contests aimed at training students and workers in computer security. Known as the U.S. Cyber Challenge, the program hopes to make up an estimated shortfall of 10,000 security professionals.

Getting security into computer science curricula is a necessary step in helping software developers prevent the thousands of vulnerabilities discovered every year in applications. High-profile breaches of major online service providers -- such as Google, Twitter, and marketer Epsilon -- have highlighted the need for more secure programming.

"To me, not only is it not surprising [that we are seeing these incidents], it seems exactly what we set ourselves up for," Koretz said.

This article, "Security lessons still lacking for computer science grads," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2011 IDG Communications, Inc.
