University course to tackle hacking

Microsoft and the University of Leeds are to develop what they say will be the UK's first undergraduate computer security module.

The course aims to provide developers with the knowledge they need to identify potential weaknesses that could be exploited by hackers or virus writers.

The final course, provisionally entitled Secure Computing, is about one year from completion.

John Harrison, an executive committee member of the Security Alliance for the Internet and New Technologies, part of industry trade body Intellect, explained that security should no longer be seen as a specialist domain, but core to software development.

"It is a serious omission that we have been training the next generation of software developers without this emphasis on security design principles, and I hope other universities will follow this lead," he said.

As well as addressing generic security principles, the course will highlight the lessons learned from Microsoft's Trustworthy Computing imitative.

Under that initiative last year, Microsoft's code was reviewed for potential security failings following a company-wide memo from chairman and chief software architect Bill Gates.

The new course was originally touted last September, after Microsoft said that it would lobby colleges to include security training as part of their degrees.

Stuart Okin (pictured), Microsoft's chief security officer, said: "We've realised over the last two or three years that writing secure code is something we need to bring to undergraduates to raise the bar.

"Why didn't we do this two or three years ago? Because the world wasn't ready for it. People can be very good programmers but don't necessarily think in the same way as people that break into systems."

Despite a predicted five per cent decrease in overall corporate IT spend over 2003, Meta Group said that corporate investment in IT security will buck the trend and increase substantially.

But Okin, along with other experts, was keen to stress that a multi-faceted approach is key.

"If you speak to security people, they say that levels of awareness are nowhere near where they need to be. Most firms don't have a unified approach to strategy," he said.