
Dangers of Learning Secure Coding on the Job and How to Mitigate Them

Security courses in computer science programs are scarce, meaning developers are forced to learn on the job. Here's how you can make the best of that situation.

A large portion of developers in the job market today have completed a Computer Science (CS) degree from a university. This is generally the “standard” way of entering the field, if you’re not self-taught. But what exactly is Computer Science?

“Computer science (sometimes called computation science or computing science, but not to be confused with computational science or software engineering) is the study of processes that interact with data and that can be represented as data in the form of programs. It enables the use of algorithms to manipulate, store, and communicate digital information. A computer scientist studies the theory of computation and the practice of designing software systems.”[1]

The main focus of CS is on the manipulation, communication, and storage of data. This is done through the use of algorithms and the subsequent design of software systems. In some places, you will find more specific courses focused on the applied knowledge of how to program computers in the context of software development projects. One thing they all have in common, however, is that the subject of security is not mandatory. It’s often, if even available, an elective course.

The best way to learn

Learning is critical to developers. Technology moves quickly, which demands that people are quick learners, so they can hit the ground running when they have to work with a new technology for a project. How does this learning occur? By trial and error. The developer plays with the technology, whether that’s a language, framework, system, or anything else, until it works. This usually repeats a few times until implementing different types of functionality becomes muscle memory for the developer.

You do not inherently learn by reading blog posts or books with example code. That serves only the purpose of pointing you in the right direction. Developers, like most people, have to learn by doing.

[Figure: Dale’s Cone of Experience, in Adversary colors]

We know from Dale’s Cone of Experience that most people retain very little of what they learn through reading or a lecture, whereas they retain 75% when they learn through doing, and that increases to 90% when they use that newfound knowledge to teach others. This principle applies to developers with decades of work experience and a university degree behind them just as much as it does to a kindergartner.

What to learn

During your studies, you are generally not exposed to software that really resembles the type of software you will work on in the job market. Yet it’s widely considered critical that learning happens in a relevant, realistic, and applicable context, because the threats that have to be front of mind depend very much on what type of system you’re working on, be it more frontend, backend, DevOps, or full-stack.

When we put together these two components, the how and the what, it leads to the natural outcome we see today: developers are more or less forced to learn on the job. This leads to the recurring pattern we see of one security flaw after another, even in cases where people have been “taught” through textbooks, slideshows, and other similar means.

The importance of learning and practicing in a safe environment

We need only look to other well-established industries that have been around for far longer than software development. Be it the medical field, construction, aviation, or engineering at large, they have all solved this problem through a natural solution:

Learning by doing, in a safe practice environment

The environment is created to give the student the ability to learn in a way that feels very similar to what they will do on the job. Only once they have shown the ability to do this in practice environments do they go on to work on real projects. And even then, they generally do it through some type of apprenticeship program where they are supervised in the beginning.

When it comes to security, this has been thoroughly lacking.

Making the best of a less than ideal situation

Unfortunately, this is the current state of computer science education and secure coding training. The best way to deal with it is for companies to take on the responsibility of training their development teams in the most efficient way they can. This could take the form of only recruiting seasoned security professionals, but given the highly competitive nature of the talent pool, that is not really feasible. The better way is for organizations to require their developers and other IT staff to complete training not only when they begin working, but on a continuous basis. In doing so, we are also adding to that talent pool for the future.

As mentioned above, the best kind of training is hands-on and interactive training where developers can practice, over and over, what they will encounter in “real life”. Sending your team members to a lecture once a year simply won’t cut it if you want real results and are looking for more than just ticking the “I trained my team” box.

The Adversary online security training platform teaches secure coding in a safe environment and gives everyone from students to veteran software developers the ability to practice until their security skills are honed. This helps to build up an immune system within an organization’s development teams: if one person doesn’t detect the infection, someone else will, strengthening the organization’s security and reducing the chance of experiencing a cyberattack.

Charlie Eriksen
CTO Adversary