I found [via SlashDot] an interesting article at ZD/Net News. Howard Schmidt wants developers and their companies to be held liable for security issues in their code. But he doesn't completely blame developers. He also blames the companies they work for and their education.
Schmidt also referred to a recent survey from Microsoft which found that 64 percent of software developers were not confident they could write secure applications. For him, better training is the way forward.
"Most university courses traditionally focused on usability, scalability, and manageability, not security. Now a lot of universities are focusing on information assurance and security, but traditionally Web application development has been measured in mouse clicks — how to make users click through," said Schmidt.
I hear all the time from teachers who say they don't have time to include secure programming in their courses. The AP CS exam doesn't test it either. It seems to me that security along with ethics are two issues that must be concidered in all programming courses in today's world. It is just too late when someone starts programming for a living. It's all about priorities. Is there a particular coding concept that is more important than security? That's a loaded question of course. But we do need to start thinking about the value of adding one more data structure or one more type of sort weighed against adding a unit on secure design and programming.
- Alfred Thompson