Teach devs security fundamentals to bolster supply chain resilience, argues Wheeler
Addressing a decades-old deficiency in coding curriculums could have a profound effect on the security of the software supply chain, a leading expert on the subject tells The Daily Swig.
In particular, David A Wheeler, director of open source supply chain security at the Linux Foundation, draws a link between a failure to incorporate security into entry-level developer courses and the vast majority of vulnerabilities belonging to a small number of common bug classes.
The IT PhD and Certified Information Systems Security Professional (CISSP) also moonlights as adjunct professor of computer science at Virginias George Mason University, and in 2020 concluded a 33-year spell at the US Institute for Defense Analyses.
Daily Swig: David, can you summarize your background and what your current roles involve?
David A Wheeler: Ive loved computers since junior high school and paid my way through school doing computer consulting. I also briefly maintained the worlds first commercial, entirely text-based multiplayer roleplaying game, Scepter of Goth.
Now I teach at George Mason University on how to develop secure software which Ive studied over many decades.
Most of my work is with the Open Source Security Foundation, OpenSSF [whose members include AWS, Google, and Microsoft]. I view my role as being a kind of catalyst or accelerant. I can run around as a subject matter expert to help organizations improve the security of their software.
David A Wheeler has studied the secure development of software for decades
DS: And what are the biggest barriers to improving application security?
DAW: The fundamental problem is that we do not teach software developers how to write secure software.
I don't care if its a separate course or embedded [in other coding courses] that's not the question. The question is: when software developers are learning the basics of their craft, do they learn the basics of developing secure software? And the answer is mostly no.
A 2019 Forrester study found that none of the top US coding schools and none of the top five non-US computer science schools were teaching this. Another study found that only one school did at UC, San Diego. So good for them, shame on the rest.
DS: Lets imagine all coding schools immediately revamped their courses to incorporate security fundamentals. Would we see a steady fall in vulnerabilities as a new wave of security-savvy developers emerge?
DAW: Its generally estimated that somewhere between 90% to 95% of all vulnerabilities are in a relatively small set of common ones [classes].
So, if you educate developers to prevent them systemically, and then use tools to find the stragglers, we can dramatically reduce by at least one order of magnitude and maybe two the number of vulnerabilities that actually slip out.
They can also find and fix the problems created in the past.
Right now, detection, response, and recovery is overwhelmed by the sheer number of vulnerabilities going into deployed systems, so it will be much easier to counter the attackers when vulnerabilities are much rarer. And that's really the argument of shift left in general: the sooner you can get rid of the problems, the better.
DS: Why is security neglected in the coding curriculum given the potentially severe consequences of software vulnerabilities?
DAW: Our educational system does not always respond to societal needs. There was an open letter written by Oracle and some other folks 10, 15 years ago or so, where they basically begged universities [to educate them properly].
But sometimes they [universities] want to teach what they want to teach, and it doesnt matter what societys needs are.
DS: Could this partially reflect the fact that many educators learned their craft when cyber threats were less numerous and severe?
DAW: On the [early] internet people were mostly connected to folks they felt they could trust. But once you saw this growth of the internet and the worldwide web running on top of it in the 90s, then very quickly [they realized] no, you cant just trust arbitrary computers you connect to.
But educational conservatism isnt all bad. Its actually sensible to teach things that have stood the test of time, which security has. The fundamental [computing] design principles have been known [about] since the 1970s.
RECOMMENDED Security teams often fight against developers taking control of AppSec: Tanya Janca on the drive to DevSecOps adoption
DS: Might there be a commercial incentive at work that favours coding quickly over coding securely?
DAW: Maybe to some extent for the for-profits, but I think the bigger for-profit issue is that if you know how to do [secure development], you can probably earn double or triple in industry [compared to teaching]. Youre not gonna teach.
I teach, but thats my side hustle. I enjoy teaching. George Mason University is 20 minutes from me and more connected to industry than some other universities.
DS: How do we persuade or incentivize education providers to embed security into coding courses?
DAW: I think this is a solvable problem basically, society needs to scream more loudly.
The US spends a tremendous amount of money financing degrees, including computer science. If were gonna pay, maybe we could have some criteria?
DS: Could the impetus behind shifting left or DevSecOps help persuade education providers to change emphasis?
DAW: I would like to think so, but I think its much more societal and industry pressure continuing over a period of time [that will make the difference].
Right now DevSecOps [is practised properly by] a minority, and we need to make sure that [secure development is practised] not just the majority, but is [a baseline] expectation [of all developers].
Developers are not being taught general security principles let alone how to apply them, says Wheeler
Years ago, I pushed really hard to get security added to a course on software engineering and after a lot of pressure and debate [the provider] finally added the word security no content, just that security might be important!
The ACM software engineering curriculum guidance at least does talk about knowing how to develop secure software, but lacks key specifics.
But I'm willing to believe that with continued emphasis we can get academia and many other organizations on board with making sure that software developers know the fundamentals.
DS: What fundamentals should newbie developers be taught?
DAW: What are the common problems? How do we prevent them in general? How do you design software so its less likely to be attacked? And what kind of tools can help developers to deal with that?
These general principles and the ability to apply them are important [skills] but lacking today.
Read more secure software development news
The first thing I did when I joined the Linux Foundation in 2020 as an employee was develop a course on developing secure software fundamentals. Thousands of people have now signed up.
George Mason University initially agreed to do my course every other semester, and very quickly, it's in every semester its in demand.
But its an optional graduate course. We do need, in society, people who drill in deeper and [become experts], but we also need every developer to know the basics.
DS: How important is it that developers understand how to use security tools?
DAW: If youre doing DevOps, you pretty much need a CI pipeline, and this is an obvious place to insert security tools. But if the developer doesn't know what theyre doing, they wont know what the tool is telling them and what to do about it.
A fool with a tool is still a fool. Theyre not stupid it's just that no one has told them. Education and tooling go hand in hand.
The tools are going to miss things or report things that are not actually problems in context. Computer programs dont cant know the full context.
But as long as developers know which tools to use and how, then they can do [some] amazing things.
DS: Finally, anything to say on OpenSSFs various initiatives aimed at bolstering software supply chain security?
DAW:Whether its industry, academia or governments, were all using open source software, so my first pitch would be: get involved with the OpenSSF. We would love to see more people involved.
I was deeply involved in the concise guides for developing secure software and evaluating open source software. And earlier, the OpenSSF published guides for open source projects and security researchers on [handling] coordinated [vulnerability] disclosure.
The Alpha-Omega Project has funded the Python Software Foundation and is funding Eclipse, Node... Theyre announced a new partnership with Rust. They've released some tools for finding vulnerabilities again, trying to shift left.
Theres also some funding for SBOM work, a tool for a Python library for SPDX [Software Package Data Exchange], and an [enterprise] end users working group kicking off.
RELATED Developers still struggling with security issues during code reviews, study finds
Read the original here:
We dont teach developers how to write secure software Linux Foundations David A Wheeler on reversing the CVE surge - The Daily Swig
- Labour frontbencher advocates for open source software and regulatory innovation - Computing - February 9th, 2024
- Open Source Software: Meaning, Importance, and Examples | Spiceworks - Spiceworks News and Insights - February 9th, 2024
- Office of National Cyber Director Issues 2023 Year-End Report on Open Source Software Security Initiative - Executive Gov - February 1st, 2024
- 40 Must-Have Free Open Source Software for 2023 - Tecmint - October 16th, 2023
- What Is Open Source Software and How Does It Work? | Synopsys - March 5th, 2023
- 15 Best Open Source Software You Must Try in 2023 - Turing - February 25th, 2023
- Cyber Security Today, Feb. 24, 2023 Holes in open source software, ransomware gang tries to evade cyber insurers and more - IT World Canada - February 25th, 2023
- What is Open Source Software? - SourceForge Articles - February 15th, 2023
- About the Open Source Initiative | Open Source Initiative - December 28th, 2022
- Comparison of free and open-source software licenses - December 20th, 2022
- Building an open source software community - SAS Users - December 4th, 2022
- The US Securing Open Source Software Act of 2022 is a step in the right direction - TechCrunch - November 25th, 2022
- Microsoft: Hackers are using open source software and fake jobs in ... - November 17th, 2022
- Open Source Software Directory - OSSD - October 23rd, 2022
- Source Code for Open Source Software Components - Oracle - October 15th, 2022
- Learn Linux online for free with Linux Foundation Courses from edX - TechRepublic - October 15th, 2022
- The Blockchain Sector is growing with the help of Open-Source Technology - Wales 247 - October 15th, 2022
- GCHQ chief warns of Chinese . US open source software bill advances. Financial Stability Board on crypto regulation. - The CyberWire - October 15th, 2022
- When transparency is also obscurity: The conundrum that is open-source security - Help Net Security - October 7th, 2022
- You thought you bought software all you bought was a lie - The Register - October 7th, 2022
- Linux Foundation Energy Gains More Industry Support to Drive the Energy Transition - PR Newswire - October 7th, 2022
- State of Open Source Survey By OpenLogic To Take Place In 2023 - Open Source For You - September 29th, 2022
- 15-Year-Old Python Vulnerability Still Affects Over 350,000 Open-Source Projects - Spiceworks News and Insights - September 29th, 2022
- How Can Open Source Sustain Itself without Creating Burnout? - thenewstack.io - September 29th, 2022
- OpenAI opens doors to DALL-E after the horse has bolted to Midjourney and others - The Register - September 29th, 2022
- Red Hat And NdcTech Collaborate To Deliver Solutions Based On Open Source - Open Source For You - September 21st, 2022
- Paladin Cloud Joins the Cloud Native Computing Foundation - GlobeNewswire - September 21st, 2022
- Open Source Software - W3 - September 13th, 2022
- Understanding the hows and whys of open source audits - Security Boulevard - September 13th, 2022
- New Metaverse Track at O3DCon to Tackle Big Questions and Practical Applications of Emerging Graphical Technology - PR Web - September 13th, 2022
- TechOps is a mess: Open source is the solution - BetaNews - September 13th, 2022
- Rezilion Recognized as SBOM Tool Provider in Gartner Emerging Technologies Trend Report on Software Bills of Materials (SBOM) USA - English - USA -... - September 13th, 2022
- Open Security: The next step in the evolution of cybersecurity - SC Media - September 13th, 2022
- 11 Interesting Firefox Add-ons to Improve Your Browsing Experience - It's FOSS - September 13th, 2022
- why the giants fight over open source - Gearrice - September 5th, 2022
- Compare Files in Linux With These Tools - It's FOSS - September 5th, 2022
- Microsoft and ByteDance are collaborating on a big AI project, even as US-China rivalry heats up - CNBC - August 28th, 2022
- OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain - DARKReading - August 20th, 2022
- How W4 plans to monetize the Godot game engine using Red Hats open source playbook - TechCrunch - August 20th, 2022
- Secure Open Source Rewards' to help in preventing assaults on the software supply chain. Check out how! - Economic Times - August 20th, 2022
- Free Dev Tools! But Whats the Catch? - DevOps.com - August 20th, 2022
- This Company is Aiming to Do to the Guest what VMWare and AWS Did to the Host - GeekWire - August 20th, 2022
- What Is Open-Source Software? (Definition and Examples) - August 12th, 2022
- What is open source software? | IBM - August 12th, 2022
- 55+ Best Open Source PC Software for almost Everything - August 12th, 2022
- 80 percent of enterprises use open source software and nearly all worry about security - BetaNews - August 12th, 2022
- The US Military Should Red-Team Open Source Code - Defense One - August 12th, 2022
- Boeing joins the ELISA Project as a Premier Member to Strengthen its Commitment to Safety-Critical Applications - PR Newswire - August 12th, 2022
- Looking for simplicity in the cloud? The future is going to be open and hybrid - The Register - August 12th, 2022
- AAIS & The Linux Foundation Welcome Jefferson Braswell as openIDL Project Executive Director - The Bakersfield Californian - August 4th, 2022
- Wicked Good Development Episode 13: Hacks and Ax, July Edition - Security Boulevard - August 4th, 2022
- Microsoft changes its policy against the sale of open source software in the Microsoft Store - BetaNews - July 26th, 2022
- BMW Group Joins the Linux Foundation's Yocto Project - PR Newswire - July 18th, 2022
- Free and Open Source Software (FOSS) - UNESCO - July 9th, 2022
- Know Your Enemy and Yourself: A Deep Dive on CISA KEV - Security Boulevard - June 29th, 2022
- CD Foundation Announces State of CD in 2022 Report, Opens Third Annual cdCon with New Project CDEvents, New... - DevOps.com - June 10th, 2022
- Samsung teams up with Red Hat for memory software development - The Korea Herald - May 25th, 2022
- OpenSSF Helping to Secure Open Source Software - ITPro Today - May 25th, 2022
- Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to - The Register - May 11th, 2022
- Protestware: what organisations should be aware of when using open source software - Lexology - May 11th, 2022
- This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech... - May 11th, 2022
- Red Hat Expands Capabilities to Provide Streamlined Application Development and Delivery in the Cloud - Business Wire - April 28th, 2022
- Industry 4.0 why smart manufacturing is moving closer to the edge - The Register - April 28th, 2022
- Open source software and DevOps: What are they, and how can your business benefit? - SmartCompany - April 13th, 2022
- Truist Joins the Open Invention Network - GlobeNewswire - April 13th, 2022
- OpenMetal Joins the Open Infrastructure Foundation - PR Newswire - April 13th, 2022
- An Early Test of The Adams Administration's Values and Tech Prowess - Gotham Gazette - April 13th, 2022
- Open Source Software Faces Threats of Protestware and Sabotage - WIRED - April 1st, 2022
- The Promise of Open Source Code and the Paradox of ProtestWare - Security Boulevard - April 1st, 2022
- Software Composition Analysis Market to Witness Massive Growth by 2029 | Open Source Software, Oracle, Smartbear Software - Digital Journal - April 1st, 2022
- Why now is the time to host your code in the cloud - TechRadar - April 1st, 2022
- Those looking for clues to Googles search demise are asking the wrong question - TechRepublic - April 1st, 2022
- Open Source Sabotage Incident Hits Software Supply Chain | eSecurityPlanet - eSecurity Planet - January 15th, 2022
- Open-source software and threats to critical infrastructure. - The CyberWire - January 15th, 2022
- Google wants secure open-source software to be the future - TechRadar - January 15th, 2022
- Baumer, Infineon, Qualcomm Innovation Center, Percepio and Silicon Labs Select Zephyr RTOS for their Next Generation of Products and Solutions - Yahoo... - January 15th, 2022
- How Open Source Is Shaping The World Around Us - Outlook India - December 19th, 2021
- The Projects and People That Shaped Security in 2021 The New Stack - thenewstack.io - December 19th, 2021
- Log4j: Where's Fancy Bear been? Right there, choppin' lumber... - The CyberWire - December 19th, 2021
- Aqua Security acquires Argon to protect the software supply chain - VentureBeat - December 6th, 2021