HOPE X (2014): "How to Prevent Security Afterthought Syndrome" (Download)
Friday, July 18, 2014: 10:00 pm (Serpico): Outside of the hacker community, security as an afterthought has always been the norm. Too often we see the following: systems designed without thought for security, then later that system is compromised, and finally a hastily created patch is released (if we're lucky). But did you know that this "security as an afterthought" approach is what we currently teach in schools? Yes, even many of the best schools teach and treat security as a separate topic, leaving it for an advanced class that interested seniors or graduate students might choose to take as an elective. It is all too easy for an undergraduate student to gain a computer science degree without ever learning about the security concepts relevant to their specialty. Security is an integral facet of just about every topic in computer science. Rather than treating security as an afterthought, something that we address after all the foundations are fully in place, it should be treated as an integral part of networking, programming languages, operating systems, and just about every other computer science discipline. Especially offensive aspects! Fixing the way we teach security is a tall order, but it's a more lasting solution. Most short term solutions are Band-Aids on the root problem. Perhaps most encouragingly, we have an existence proof of security being successfully integrated in other fields. This talk will cover computer science curricula, how security is taught and integrated throughout course work in academia, and evaluate an exemplar in a different science where security is being integrated in early curriculum.