Sunday, April 10, 2016

Cybersecurity education isn't good, nobody is shocked

There was a news story published last week about the almost total lack of cybersecurity attention in undergraduate education. Most people in the security industry won't be surprised by this. In the majority of cases when the security folks have to talk to developers, there is a clear lack of understanding about security.

Every now and then I run across someone claiming that our training and education is going great. Sometimes I believe them for a few seconds, then I remember the state of things. Here's the thing. While there is a lot of good training and education opportunities. The ratio between competent security people and developers is without doubt going down. Software engineering positions are growing at more than double the rate of other positions. By definition it's significantly harder to educate a security person, the math says there's a problem here (this disregards the fact that as an industry we do a horrible job of passing on knowledge).

While it's clear students don't care about security, the question is should they?

It's always easy to pull out an analogy here, comparing this to car safety, or maybe architects vs civil engineers. Those analogies never really work though, the rules are just too different. The fundamental problem really boils down to the fact that a 12 year old kid in his basement has access to the exact same tools and technology the guy working on his PhD at MIT does. I'm not sure there has ever been an industry with a similar situation. Generally those in large organizations had access to significant resources that a normal person doesn't. Like building a giant rocket, or a bridge.

Here is what we need to think about.

Would we expect a kid learning how to build a game on his Dad's computer to also learn security? If I was that kid, I would say no. I want to build a game, security sounds dumb.

What if we're a college kid interested in computer algorithms. Security sounds uninteresting and is probably a waste of time. Remember when they made you take that PhyEd class and all the jocks laughed at you while you whispered to yourself about how they'll all be working at a gas station someday? Yeah, that's us now.

Let's assume that normal people don't care about security and don't want to care about security, what does that mean?

The simple answer would be to "fix the tools", but that's sort of chicken and egg. Developers build their own tools at a rather impressive speed these days, you can't really secure that stuff.

What if we sandbox everything? That really only protects the underlying system, most everything interesting these days is in the database, you can still steal all of that from a sandbox.

Maybe we could ... NO, just stop.
So how can we fix this?
We can't.

It's not that the problems are unfixable, it's that we don't understand them well enough. My best comparison here is when futurists wondered how New York could possible deal with all the horse manure if the city kept growing. Clearly they were thinking only in the context of what was available to them at the time. We think in this way too. It's not that we're dumb, I'm certain we don't really understand the problems. The problems aren't insecure code or bad tools. It's something more fundamental than that. Did we expect the people cleaning up after the horses to solve the manure problem?

If we start to think about the fundamentals, what's the level below our current development models? With the above example it was really about transportation, not horses, but horses are what everyone obsessed over. Our problems aren't really developers, code, and education. It's something more fundamental. What is it though? I don't know.

Do you think you know? Tell me: @joshbressers