Traditionally, computer science programs have done an excellent job with theory. Students are taught to be great computer scientists—not great developers.
IEEE member Roy Wattanasin addresses one of the main problems with cyber security education, saying that there is no template or guide for instructors to follow. They have to create their own course curricula, and with the list of zero-days and online exploit kits popping up daily, it’s almost impossible to even know where to begin. Wattanasin surveyed computer science programs in the Boston area, and he found that no two computer science courses were alike and no school offered a course specifically on cyber security. This is a huge issue for employers, and with such fragmented education, there is no telling how well equipped, if at all, these graduates are to tackle security issues.
Security knowledge, unlike high-level theory, requires developers to get their hands dirty. This isn’t to say traditional methods aren’t useful to a fledgling developer; they just don’t compare to actually building something with security baked in from the get-go.
Understanding security issues requires developers to:
- Care about the thing they’re protecting—whether it be user data, ability to control an app, etc.
- Think like an attacker and understand how they would gain access
- Have a clear understanding of what the security issue looks like in the code base, how it’s manifested and how it’s exploited
And for many developers, it’s just not practical to go through the entire process—especially when security issues can be someone else’s problem.