Web Admin Blog Real Web Admins. Real World Experience.


Demanding Secure Developers

Much like many other companies these days, National Instruments hires many of our developers straight out of school. Many times when engaging with these new hire developers, I will ask them what kind of security they learned at their university. In almost all cases I've found that the answer hasn't changed since I graduated back in 2002. Occasionally I'll get a developer who mentions one particular professor or class where they discussed secure coding practices, but most of the time the answer is "I didn't learn security in school". This absolutely kills me. It's like asking an architect to design a building without them knowing anything about support structures and load distribution. The end result may look awesome on the outside, but the slightest breeze will knock it over. With computers being embedded into literally every aspect of our society, do you really want code that crumbles the moment a user does something other than what was explicitly intended?

This leads me to the conclusion that security should be considered a fundamental part of code development and not an afterthought. We should be teaching security to students at a University level so that when they graduate, corporations don't spend valuable time re-training them on proper development techniques. I've heard rumors of large companies like Oracle actually being able to impact college curriculum by telling universities they simply won't hire developers without security training. Unfortunately, most companies aren't in a position to make demands like that, but it certainly wouldn't hurt to develop relationships with faculty at your local university and tell them what you'd like to see out of their students. I did some poking around on the internet and it seems like some professors are already starting to get the memo. For example, I found a great paper written by three professors at the USAF Academy Dept. of Computer Science called Incorporating Security Issues Throughout The Computer Science Curriculum where they say:

While the general public is becoming more aware of security issues, what are our universities doing to produce graduates ready to address our security needs?  Computer science as a discipline has matured to the point that students are regularly instructed in software engineering principles--they learn the importance of life cycle issues in the development and maintenance of software.  Where are they receiving similar instruction on security concerns in the software life cycle?  The authors propose that security should be taught throughout every computer science curriculum--that security should always be a concern and should be considered in the development of all software just as structured programming and documentation are.

Gentlemen, I couldn't agree more.  Security needs to be a foundational piece of every Computer Science program in the country.  Not one class.  Not one professor.  Secure programming techniques need to be a consideration in every CS class in every university.  Universities teach students how to write functions, create object-oriented code, and do proper documentation, but when graduates don't know the basic tenets of input validation, then we have a real problem.  If you agree with me, then I challenge you to write to the Dean of your local CS program and ask them what they are doing to ensure graduates are familiar with secure coding practices.  I'd be very interested in hearing back from you as to what their response was.


Eight Simple Ways to Make a Truly Awesome Training Class

I've been sitting in Vignette's Content Management System Administration training class for a day-and-a-half now. The good news is that I'm learning a lot about VCM that I never knew before and even more about content management in general. We'll save that topic for another blog post, but for now I'd like to talk about the eight simple ways to make a truly awesome training class.

  1. Make absolutely sure the instructor of the class has never taught the class before. Maybe it's a brand new class or maybe it's a brand new instructor. Either way, if they've never taught the class before they're likely not going to be able to answer the majority of the questions the students ask them.
  2. Teach the class with PowerPoint slides that contain only a white background with black font and a company logo at the bottom. Every once in a while throw in a confusing diagram, which the instructor struggles to explain since this is their first time teaching the material, to keep things interesting. Under no circumstances should you put any graphics on the slides other than the aforementioned diagrams. Graphics, fonts, and transitions are way too entertaining for a serious company like yours.
  3. When you teach a System Administration class, assume that your students have already installed the product so there's no need to have them go through the installation steps themselves. Give them a VM image with the software pre-installed and use the PowerPoint to show them how good you are at installing the product. It will instill confidence in the students in your knowledge and training abilities.
  4. Since you are already providing the students with a pre-installed VM, there's no point in having several different images for your different product trainings. Merge them all onto the same VM image. Certainly this won't confuse your students at all and it's much easier for you to maintain a single VM image.
  5. Advertise that the training is for the version of your product that everyone is using, but then provide the training materials and slides for the newer version. You're sure to get more students this way and now you're able to show off the new-and-improved features of the other version. Once they see how great the new version is they'll run off to upgrade as soon as they get back to the office.
  6. Provide a large fridge in the classroom and fill it with only Coke, Sprite, and Diet Dr. Pepper. Do not provide your students with water. No drinking fountains, no faucets, and certainly no water coolers. We all know that soda is mostly water and they could certainly use the sugar to keep them awake during the training.
  7. When deciding upon a location for the training, pick a spot with no windows as they provide too much of a distraction. Basements make an excellent location for training classes. If possible, have the classroom located next to some sort of employee common area. The students will hear the laughter of the employees and simultaneously think about what a great place it must be to work at and how much fun they are having in the training.
  8. Charge extra money for the training and then show the students how gracious you are by providing them with lunch. Don't order in lunch though. Have the students walk across the parking lot and across the street to the local deli. They won't mind eating at the same place every day and they could really use the exercise.

Well, that's it for now. Feel free to comment if you have your own wonderful training experiences to share.