I also read Dave Ladd's excellent piece, "Oil Change or Culture Change". Dave says:
Furthermore, many of the processes used by SDL (and other methodologies) are generally acknowledged as effective in identifying and mitigating security threats. Pondering this notion is what led me to my realization about culture change, and prompted a question: If this stuff has been around for a while in some shape or form, why aren't more people doing it?
Dave's point is that, for the most part, we're not dealing with new knowledge here. We're dealing with a failure in education. In my previous post about security training and which training matters, I mentioned I'd had a conversation with Gary McGraw. Reading the pieces on Dawkin's site and Dave's piece reminded me of something else Gary said that I think is very apt. I'm paraphrasing here, so I hope I'll be forgiven, but when I asked about the source of the problem Gary answered by contrasting your first engineering class with your first CS class.
Engineering Class: Professor opens class showing video of horrible engineering accident. Maybe something like the Tacoma Narrows bridge or the Challenger accident. In ominous voiceover - "If you don't study hard and do a good job, you could build something like this. People could die!!!!! Don't mess up, this is serious stuff."
Computer Science Class: Hello, look at this cool stuff you can do. Let's write a program that prints "Hello, World".
I think Gary is right. The culture we're trying to change is corporate culture, but it is equally computer science and programming culture. In a sense we have a chicken and egg problem. Until we have more companies demanding to treat software development as an engineering discipline, our universities won't be motivated to turn out students that treat it as such. And until schools start turning out software engineers rather than software developers we aren't going to have the talent necessary to get corporate culture change.
I don't know that we're at some sort of crisis point for software development education; I'd hate to be that melodramatic. At the same time, I think what we're seeing is a disconnect between what it actually means for software engineering to exist as a true discipline and our capability of achieving it. If we started with the mindset that what we're doing is engineering rather than "development", we might stand a chance of making some progress.
I'll be interested to learn how different university programs in CS and/or CSE differ, to see whether I'm wrong. Maybe there is broad support for a CS curriculum grounded in engineering rather than development.
Time for a bit of research on different CS programs and their focus.
1 comment:
The Challenger disaster is a great metaphor: engineers design a solution with stated constraints on operating conditions, management overrides engineers and launches despite ambient conditions outside the permissible range, results validate engineering judgment.
Engineering, software or other, isn't what most of the world wants, it takes too long and imposes constraints that can't be arbitrarily ignored. Programming is much more palatable, "Hello world" is friendly and welcoming and who cares it might be inviting evil-doers and those harboring malice? The idea that a welcome banner excuses cracking systems conflicts with the Hello world mindset, no wonder programmers don't think securely!
Management just wants to get things done; it's unpleasant and hard to think about security. That's the crux of the problem. Another way to say it is that engineering is harder than programming, so of course managers would prefer the easier, cheaper, faster alternative. Unfortunately that's not the technically rigorous choice.
It's human nature, not technology.