UK computing students 'clueless' on security

Many UK computing graduates get no tuition on software security

UK computing students are receiving almost no education on how to incorporate security functionality when designing and developing new software applications, according to a damning new report.

The government-funded Cyber Security Knowledge Transfer Network (CSKTN) scrutinised open source web material from 75 UK universities.

The results suggest that just 20 per cent of UK computing graduates get no more than five hours' tuition on software security, and many get no tuition at all.

"Frankly I was surprised by how low the figures were," said Bill Whyte, an independent security consultant and author of the report.

"Today's computing market is a complex chain of software activities and is as vulnerable as its weakest link. The study is clear: security issues stem from the beginning of the chain.

"We need to get a much greater percentage of security-literate graduates out there or the number of otherwise avoidable financial losses will grow."

However, CSKTN director Nigel Jones believes that there is a much deeper issue in that software development does not feature strongly enough on the UK's list of IT security priorities.

The organisation hopes to drive home the message that better consideration of secure coding and software development could help reduce the number of software flaws which can be exploited by attackers.

Such an initiative could also reduce the number of security vulnerabilities in software caused by poor design, such as weak authentication.

"The cost associated with security breaches and investment in information security could both be mitigated if software was developed with fewer security flaws and vulnerabilities," explained Jones.

"The bottom line is that, if we want to solve the problems, we need to start by fixing the root cause."

Jones added that perhaps the biggest problem is that awareness of security during software design is very limited.

"A recent report on UK information security breaches by the Department of Business, Enterprise and Regulatory Reform and PricewaterhouseCoopers contained not a single reference to secure software development in any of its 32 pages," he said.

John Harrison, chairman of the CSKTN special interest group on secure software development, believes that the government has a pivotal role to play in insisting on high security standards when buying applications from third-party developers.