Blogs

‘We don’t teach developers how to write secure software’ – Linux Foundation’s David A Wheeler on reversing the CVE surge

Published

on

Addressing a decades-old deficiency in coding curriculums could have a profound effect on the security of the software supply chain, a leading expert on the subject tells The Daily Swig.

In particular, David A Wheeler, director of open source supply chain security at the Linux Foundation, draws a link between a failure to incorporate security into entry-level developer courses and the vast majority of vulnerabilities belonging to a small number of common bug classes.

The IT PhD and Certified Information Systems Security Professional (CISSP) also moonlights as adjunct professor of computer science at Virginia’s George Mason University, and in 2020 concluded a 33-year spell at the US Institute for Defense Analyses.

Daily Swig: David, can you summarize your background and what your current roles involve?

David A Wheeler: I’ve loved computers since junior high school and paid my way through school doing computer consulting. I also briefly maintained the world’s first commercial, entirely text-based multiplayer roleplaying game, Scepter of Goth.

Now I teach at George Mason University on how to develop secure software – which I’ve studied over many decades.

Most of my work is with the Open Source Security Foundation, OpenSSF [whose members include AWS, Google, and Microsoft]. I view my role as being a kind of catalyst or accelerant. I can run around as a subject matter expert to help organizations improve the security of their software.

David A Wheeler has studied the secure development of software for decades

DS: And what are the biggest barriers to improving application security?

DAW: The fundamental problem is that we do not teach software developers how to write secure software.

I don’t care if it’s a separate course or embedded [in other coding courses] – that’s not the question. The question is: when software developers are learning the basics of their craft, do they learn the basics of developing secure software? And the answer is mostly “no”.

A 2019 Forrester study found that none of the top US coding schools and none of the top five non-US computer science schools were teaching this. Another study found that only one school did – at UC, San Diego. So good for them, shame on the rest.

DS: Let’s imagine all coding schools immediately revamped their courses to incorporate security fundamentals. Would we see a steady fall in vulnerabilities as a new wave of security-savvy developers emerge?

DAW: It’s generally estimated that somewhere between 90% to 95% of all vulnerabilities are in a relatively small set of common ones [classes].

So, if you educate developers to prevent them systemically, and then use tools to find the stragglers, we can dramatically reduce by at least one order of magnitude – and maybe two – the number of vulnerabilities that actually slip out.

They can also find and fix the problems created in the past.

Right now, detection, response, and recovery is overwhelmed by the sheer number of vulnerabilities going into deployed systems, so it will be much easier to counter the attackers when vulnerabilities are much rarer. And that’s really the argument of ‘shift left’ in general: the sooner you can get rid of the problems, the better.

DS: Why is security neglected in the coding curriculum given the potentially severe consequences of software vulnerabilities?

DAW: Our educational system does not always respond to societal needs. There was an open letter written by Oracle and some other folks 10, 15 years ago or so, where they basically begged universities [to educate them properly].

But sometimes they [universities] want to teach what they want to teach, and it doesn’t matter what society’s needs are.

DS: Could this partially reflect the fact that many educators learned their craft when cyber threats were less numerous and severe?

DAW: On the [early] internet people were mostly connected to folks they felt they could trust. But once you saw this growth of the internet and the worldwide web running on top of it in the 90s, then very quickly [they realized] no, you can’t just trust arbitrary computers you connect to.

But educational conservatism isn’t all bad. It’s actually sensible to teach things that have stood the test of time, which security has. The fundamental [computing] design principles have been known [about] since the 1970s.

DS: Might there be a commercial incentive at work that favours coding quickly over coding securely?

DAW: Maybe to some extent for the for-profits, but I think the bigger for-profit issue is that if you know how to do [secure development], you can probably earn double or triple in industry [compared to teaching]. You’re not gonna teach.

I teach, but that’s my side hustle. I enjoy teaching. George Mason University is 20 minutes from me and more connected to industry than some other universities.

DS: How do we persuade or incentivize education providers to embed security into coding courses?

DAW: I think this is a solvable problem – basically, society needs to scream more loudly.

The US spends a tremendous amount of money financing degrees, including computer science. If we’re gonna pay, maybe we could have some criteria?

DS: Could the impetus behind ‘shifting left’ or DevSecOps help persuade education providers to change emphasis?

DAW: I would like to think so, but I think it’s much more societal and industry pressure continuing over a period of time [that will make the difference].

Right now DevSecOps [is practised properly by] a minority, and we need to make sure that [secure development is practised] not just the majority, but is [a baseline] expectation [of all developers].

Developers are not being taught general security principles – let alone how to apply them, says Wheeler

Years ago, I pushed really hard to get security added to a course on software engineering and after a lot of pressure and debate [the provider] finally added the word ‘security’ – no content, just that security might be important!

The ACM software engineering curriculum guidance at least does talk about knowing how to develop secure software, but lacks key specifics.

But I’m willing to believe that with continued emphasis we can get academia and many other organizations on board with making sure that software developers know the fundamentals.

DS: What fundamentals should newbie developers be taught?

DAW: What are the common problems? How do we prevent them in general? How do you design software so it’s less likely to be attacked? And what kind of tools can help developers to deal with that?

These general principles and the ability to apply them are important [skills] but lacking today.

The first thing I did when I joined the Linux Foundation in 2020 as an employee was develop a course on developing secure software fundamentals. Thousands of people have now signed up.

George Mason University initially agreed to do my course every other semester, and very quickly, it’s in every semester – it’s in demand.

But it’s an optional graduate course. We do need, in society, people who drill in deeper and [become experts], but we also need every developer to know the basics.

DS: How important is it that developers understand how to use security tools?

DAW: If you’re doing DevOps, you pretty much need a CI pipeline, and this is an obvious place to insert security tools. But if the developer doesn’t know what they’re doing, they won’t know what the tool is telling them and what to do about it.

A fool with a tool is still a fool. They’re not stupid – it’s just that no one has told them. Education and tooling go hand in hand.

The tools are going to miss things or report things that are not actually problems in context. Computer programs don’t – can’t – know the full context.

But as long as developers know which tools to use and how, then they can do [some] amazing things.

DS: Finally, anything to say on OpenSSF’s various initiatives aimed at bolstering software supply chain security?

DAW: Whether it’s industry, academia or governments, we’re all using open source software, so my first pitch would be: get involved with the OpenSSF. We would love to see more people involved.

I was deeply involved in the concise guides for developing secure software and evaluating open source software. And earlier, the OpenSSF published guides for open source projects and security researchers on [handling] coordinated [vulnerability] disclosure.

The Alpha-Omega Project has funded the Python Software Foundation and is funding Eclipse, Node… They’re announced a new partnership with Rust. They’ve released some tools for finding vulnerabilities – again, trying to shift left.

There’s also some funding for SBOM work, a tool for a Python library for SPDX [Software Package Data Exchange], and an [enterprise] end users working group kicking off.

Source: https://portswigger.net/daily-swig/we-dont-teach-developers-how-to-write-secure-software-linux-foundations-david-a-wheeler-on-reversing-the-cve-surge

Click to comment
Exit mobile version