‘We don’t teach developers how to write secure software’ – Linux Foundation’s David A Wheeler on reversing the CVE surge

Teach developers security fundamentals to build supply chain resilience, argues Wheeler

Addressing a decades-old flaw in programming curricula could have a profound impact on software supply chain security, says a leading expert in the field The daily sip.

In particular, David A. Wheeler, director of open-source supply chain security at the Linux Foundation, makes a connection between the failure to build security into entry-level developer courses and the vast majority of vulnerabilities that lead to a small number common error classes belong.

The IT expert and Certified Information Systems Security Professional (CISSP), who holds a doctorate, is also an adjunct professor of computer science at George Mason University in Virginia and completed 33 years of work at the US Institute for Defense Analyzes in 2020.

Daily Swig: David, can you summarize your background and what your current roles entail?

David A Wheeler: I’ve loved computers since junior high school and paid my way through school with computer counseling. I also briefly oversaw the world’s first commercial fully text-based multiplayer role-playing game, Scepter of Goth.

Now I teach at George Mason University how to develop secure software – which I have studied for many decades.

Most of my work is with the Open Source Security Foundation, OpenSSF [whose members include AWS, Google, and Microsoft]. I see my role as a kind of catalyst or accelerator. I can walk around as a subject matter expert to help companies improve the security of their software.

David A. Wheeler has been involved in secure software development for decades

DS: And what are the biggest barriers to improving application security?

DAW: The fundamental problem is that we don’t teach software developers how to write secure software.

I don’t care if it’s a standalone course or an embedded course [in other coding courses] – that is not the question. The question is: if software developers learn the basics of their craft, are they also learning the basics of developing secure software? And the answer is mostly “no”.

A 2019 Forrester study found that none of the top US programming schools and none of the top five computer science schools outside the US taught it. Another study found that only one school did this — at UC, San Diego. So good for her, shame on the rest.

DS: Let’s imagine if all programming schools immediately redesigned their courses to include security fundamentals. Would we see a steady decline in vulnerabilities as a new wave of security-conscious developers emerge?

DAW: It is generally estimated that between 90% and 95% of all vulnerabilities fall within a relatively small group of common vulnerabilities [classes].

So if you educate developers to systematically prevent them, and then use tools to find the laggards, we can drastically reduce the number of vulnerabilities that actually emerge by at least an order of magnitude—or maybe two.

You can also find and fix the problems that occurred in the past.

Right now, detection, response, and recovery are overwhelmed by the sheer number of vulnerabilities in deployed systems, so it will be much easier to counteract the attackers when vulnerabilities are much rarer. And that’s actually the point of Shift Left in general: the sooner you get rid of the problems, the better.

DS: Given the potentially serious consequences of software vulnerabilities, why is security neglected in the programming curriculum?

DAW: Our education system does not always correspond to the needs of society. There was an open letter from Oracle and some other people 10, 15 years or so ago basically asking for universities [to educate them properly].

But sometimes her [universities] want to teach what they want to teach, and it doesn’t matter what the needs of society are.

DS: Could this partly reflect the fact that many educators learned their craft when cyber threats were less numerous and severe?

DAW: On the [early] Internet people were mostly connected to people they could trust. But if you’ve seen the growth of the Internet and the World Wide Web in the 1990’s, it was very rapid [they realized] No, you cannot just trust any computer you connect to.

But educational conservatism isn’t all bad. It actually makes sense to teach things that have proven themselves, which has security. The fundamental [computing] Construction principles are known [about] since the 1970s.

RECOMMENDED “Security teams often fight developers who take control of AppSec”: Tanya Janca on the road to adopting DevSecOps

DS: Could there be a commercial incentive at work that favors fast coding over secure coding?

DAW: Maybe to some degree for the for-profits, but I think the bigger for-profit issue is when you know how to do it [secure development]you can probably earn double or triple that in the industry [compared to teaching]. You will not teach.

I teach, but that’s my sideline. I like teaching. George Mason University is 20 minutes from me and has more industry ties than some universities.

DS: How do we convince or motivate education providers to embed security in coding courses?

DAW: I think that’s a solvable problem – basically, society needs to shout louder.

The US spends an enormous amount of money on financing degrees, including computer science. If we pay maybe we could have some criteria?

DS: Could the momentum behind “Shift Left” or DevSecOps help persuade education providers to shift focus?

DAW: I’d like to believe so, but I think it’s a lot more societal and industrial pressure that’s going on over a longer period of time [that will make the difference].

Right now DevSecOps [is practised properly by] a minority and we must ensure that [secure development is practised] not only the majority, but is [a baseline] expectation [of all developers].

Developers aren’t taught general security principles — let alone how to apply them, says Wheeler

Years ago, I pushed hard for adding security to a software development course, and did so after much pressure and discussion [the provider] finally added the word “safety” – no content just that safety might be important!

The ACM Software Development Curriculum Guide at least talks about how to develop secure software, but it’s missing important details.

But I’m willing to believe that with continued vigour, we can bring academia and many other organizations on board to ensure software developers know the basics.

DS: What fundamentals should new developers be taught?

DAW: What are the most common problems? How do we prevent them in general? How do you design software so it’s less likely to be attacked? And what kind of tools can help developers deal with it?

These general principles and the ability to apply them are important [skills] but missing today.

Read more news about secure software development

The first thing I did when I joined the Linux Foundation as a staff member in 2020 was to develop a course on developing secure software fundamentals. Thousands have now signed up.

George Mason University originally agreed to do my course every other semester, and very quickly it’s every semester – it’s in demand.

But it is an optional course. We need people in society who dig deeper and [become experts]but we also need every developer to know the basics.

DS: How important is it for developers to understand how to use security tools?

DAW: If you’re doing DevOps, you pretty much need a CI pipeline, and this is an obvious place to plug in security tools. But if the developer doesn’t know what they’re doing, they don’t know what the tool is telling them and what to do about it.

A fool with a tool is still a fool. They’re not stupid – just nobody told them. Education and tools go hand in hand.

The tools will miss things or report things that aren’t actually problems in the context. Computer programs do not – cannot – know the full context.

But as long as developers know which tools to use and how, they can do it [some] amazing things.

DS: Finally, what about OpenSSF’s various initiatives aimed at strengthening the security of the software supply chain?

DAW: Be it industry, academia or government, we all use open source software, so my first suggestion would be: get involved with OpenSSF. We would be happy if more people would participate.

I was heavily involved in the concise guides on developing secure software and evaluating open source software. And earlier, OpenSSF continued to publish guides for open source projects and security researchers [handling] coordinated [vulnerability] disclosure.

The Alpha-Omega project has funded the Python Software Foundation and funds Eclipse, Node… They announced a new partnership with Rust. They’ve released some vulnerability-finding tools – again, they’re trying to switch to the left.

There is also some money for SBOM work, a Python library tool for SPDX [Software Package Data Exchange]and a [enterprise] End-user workgroup kick-off.

TIED TOGETHER According to a study, developers still face security issues during code reviews