Education in Secure Software Development

The Linux Foundation and OpenSSF released a report on the state of education in secure software development.

…many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment (system operations, software developers, committers, and maintainers) self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.

Posted on August 1, 2024 at 7:03 AM • 13 Comments

Comments

Jaime August 1, 2024 7:59 AM

In my opinion this is a result of how security specialists are integrated into most organizations. We usually pretend that since we have a security team, they’ll handle security.

It is rare to find an organization where the security team is allowed to act as both a consultant to a development team and the creator of metrics and targets that the development team is required to meet.

Usually, I see the security team require that development teams use static analysis tools and scan the test environment before deployment. This fixes some of the more common and easy to spot development mistakes, but does nothing for bad architecture and more subtle issues.

Clive Robinson August 1, 2024 9:15 AM

@ Bruce, ALL,

This is not exactly news, nor are the reasons behind it.

To be brief,

“Management see no short term profit in security, only delays to product delivery cycles”.

The rest as they say follows on as a consequence.

I’ll let others “fill in” the veritable tsunami of reasons, but note there are now many many books addressing the issue, and they have all failed due to the way management behave.

My suggestion: lock a few senior managers up for 20 years+ and bankrupt them and their families, and you might see a change in the right direction.

bw August 1, 2024 11:15 AM

This is no surprise to me. In my ~40 years coding I have met a few programmers who cared at all about security and most of those didn’t really know enough to create secure code/processes.

It keeps me busy and employed, so I’m not sure if I want to see any change 😉

Morley August 1, 2024 2:44 PM

Oh ya, Computer Science is not Software Engineering. Or security related DevOps or IT. Nobody really teaches Software Engineering, last I knew. It would be great.

sitaram August 1, 2024 8:53 PM

The “don’t care” attitude from management, that others have alluded to, is not just about profits. There’s also a huge unwillingness to take in knowledge that is not directly related to the job.

This manifests even in other ways — for example, normal people unwilling to pick a better password for their bank account or whatever.

David August 2, 2024 5:37 AM

Once AI has replaced all of the business owners, system architects, designers, coders, testers and end users, then I’m sure secure coding practices will be automatically embedded in the development of every piece of software. After all there were no bugs in SkyNet.

Clive Robinson August 3, 2024 1:24 PM

@ Bruce, ALL,

Re : Why Walled Gardens fail.

As most readers here are aware Apple and Google have “Walled Garden” repositories of Applications. It’s a game Microsoft desperately want to get into but got stymied by both the EU and Google.

Well Apple have been having a “Red Queens Race” with their walled garden for a number of reasons, but one that keeps popping up is “Bad Apps passing scrutiny” that in the blurb of both Apple and Google way back “could not / will not” happen.

Some of us here, a little wiser than most, gave at best hollow laughs to such blatant nonsense[1] designed to befuddle those with political influence.

The problem for Apple is “user expectations” from Apple talking security up as just one reason to justify their business models.

The problem is those that fall for the “Apple Security” nonsense generally are up in what were once known as ABC1 consumers. Thus Apple was the “honey pot most sweet” for those looking to gain unlawfully or dubious advantage that there was little or nothing Apple could do to stop it.

It’s getting to the point that even “Fan-boi Zines and Sites” are “dishing the dirt” on the nonsense.

For instance this little article from yesterday,

https://9to5mac.com/2024/08/02/developers-trick-app-store-review/

[1] I’ve mentioned it before, but back in the early 1930’s there were a series of mathematics papers that proved that there were limits on what “a computer could do” and what could be done with them before electromechanical or electronic computers had actually been invented and built (commercially that did not happen until the J.Lyon’s Tea Shop company research gave rise to the “LEO” that was “cranking it out” less than twenty years later),

https://www.theregister.com/2021/11/30/leo_70/

ResearcherZero August 5, 2024 3:03 AM

Reliable cross-cache attack via a timing side channel.

“SLUBStick exploits timing side-channel leakage of the kernel’s allocator to reliably trigger the recycling and reclaiming process for a specific memory target.”

SLUBStick performs a cross-cache attack to recycle a slab page that contains a write capability. SLUBStick then reclaims the slab page as a page table, i.e., Page Upper Directory (PUD), used for userspace address translation. By triggering the write capability, SLUBStick overwrites page table entries, obtaining arbitrary read and write capabilities.

https://www.stefangast.eu/papers/slubstick.pdf

Performing reliable timing attacks against the Linux Kernel
https://www.usenix.org/conference/usenixsecurity23/presentation/lee-yoochan

ResearcherZero August 7, 2024 3:45 AM

@Morley

There should be a compulsory software engineering module focused on security principles.

There were some engineers at BAE that taught software engineering, but this was for systems that were designed for weapons systems. However they did apply the same principles to teaching their students. I do imagine that this was a rather rare occurrence.

We also had to attempt to break into and disable each others systems, not just our own, then improve the product to make it more resilient. This is discouraged at most schools.

Not many educational systems employ practical training where you have to test what you have learned, learn from your mistakes and then employ that learning to build a better system.

Clive Robinson August 8, 2024 12:30 AM

@ ResearcherZero, Morley, ALL

Re : As in free speech there are limits.

“We also had to attempt to break into and disable each others systems, not just our own, then improve the product to make it more resilient. This is discouraged at most schools.”

The discouragement is in part because the schools do not want to end up on the wrong side of legal action, or have their reputations sullied by innuendo and snide comments.

It’s just one expected result of the “lobbying culture” that has become rife.
