Monday, May 18, 2009

Teach the Students!

This is a topic that I feel rather passionate about. I am starting some research into the top universities in the nation to see if any of them require some knowledge of secure programming before allowing their students to graduate. My guess is that none of them do.

Earlier this year, I took an upper-level course whose main subject was ethics and computers in society. Each of us was asked to give a presentation on a specific topic of our choosing that fell under one of the broader topics we were to discuss in class. I quickly chose to talk about something in the scope of computer security, but had a hard time choosing a specific topic. I wanted to talk about something that could influence my peers to become more aware and security conscious.

My original ideas ranged from making my peers generally aware of what an attacker is capable of to some of the consequences of attacking or hacking an application or network. One day, I was perusing one of my school's sites and followed my habit of tossing text into a form that would make it apparent whether or not the inputs were sanitized. Lo and behold, I saw an SQL error message appear where the search results should have been! I explored the site a little more and discovered that the entire site was vulnerable to SQL injection. Later that week, I discovered more of my school's sites that were vulnerable. These revelations were shocking to me, for I knew that student programmers had made those sites. I couldn't believe they weren't aware of something as simple as SQL injection. I thought to myself that at least some basic awareness of security principles should be required before allowing a student to develop a website. I then realized that the entire undergrad curriculum never includes anything on the topic of secure programming or making us "future programmers of the world" more security aware. My topic had found me.

I started off my presentation with some basic PHP code to select data from a database based on a user's search. I asked the rest of the class if they saw anything wrong with the code. A few (meaning two or three) of my peers noticed the code was vulnerable to SQL injection. The rest were clueless and watched in amazement as I demonstrated what was possible if user inputs were not properly sanitized. Realizing that most of my peers were completely unaware of SQL injection was quite a shock to me, for I knew that many of them currently held jobs as web programmers, and I had hoped that upper-level computer science students would be better than that. I ended my presentation by pointing them to the CWE/SANS Top 25 Most Dangerous Programming Errors list and practically begged them to become more aware of security concerns and issues.
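The kind of search code that presentation was built around, as an added example that is not the original post's code: the concatenated query beside its prepared-statement fix. It assumes PHP with the PDO SQLite driver, and the `students` table, its rows and the search term are constructed for the example.

```php
<?php
// Added example (not from the original post). An in-memory SQLite database
// via PDO keeps it self-contained; table, rows and input are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO students (name) VALUES ('Alice'), ('O''Brien')");

// Vulnerable: the search term is pasted straight into the SQL text, so any
// quote in the input becomes part of the query itself. This is exactly why
// the school site printed an SQL error where the results should have been.
function searchVulnerable(PDO $db, string $term): array {
    $sql = "SELECT name FROM students WHERE name LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: a prepared statement sends the query shape and the value
// separately, so the database never parses the search term as SQL.
// No escaping or "sanitizing" of the term is needed for this to hold.
function searchSafe(PDO $db, string $term): array {
    $stmt = $db->prepare("SELECT name FROM students WHERE name LIKE :pattern");
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$term = "O'Brien";   // an ordinary name containing an apostrophe
try {
    print_r(searchVulnerable($db, $term));
} catch (PDOException $e) {
    // The stray apostrophe breaks the SQL. A raw database error reaching the
    // page is the tell-tale sign that user input is reaching the SQL parser.
    echo "Vulnerable version failed: " . $e->getMessage() . "\n";
}
print_r(searchSafe($db, $term));   // finds O'Brien, no error
```

A legitimate name is enough to expose the defect; the same code path that breaks on an apostrophe is the one an attacker would use to alter the query.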

Since my initial experience with my peers' lack of awareness of basic elements of secure web programming, I have constantly thought that one of the greatest ways to increase computer security in the world is to teach the students about it and to keep them informed. In all of the curriculum that is required for a computer science major at my university, none of the courses talk about security concerns and secure programming. This should be a requirement for all universities and colleges that offer Computer Science, Information Technology, Information Systems, or other related majors. Having a requirement to learn about these subjects would immensely help solve many of the security issues present in our world today. Yes, we should continue to educate and inform current professionals in the industry, but I feel that a bottom-up approach would be the most effective and have the greatest long-term impact. As many others have already said, awareness is one of the keys to combating computer security issues.
