Software development is ever-evolving, and with that demand for innovation and scale comes the need to ensure software is secure. Many enterprise organizations have invested in AppSec to help them identify security flaws throughout the development process. However, within higher education, secure coding skills are often not part of computer science or software engineering curriculums.
At Tufts University outside of Boston, Ming Chow, Associate Teaching Professor in the Department of Computer Science, recognizes this need and has incorporated secure coding into his courses. I recently connected with Professor Chow to chat about the role application security plays in his classroom, expanding his students’ horizons with secure software development, and how his courses have opened students’ eyes to new opportunities within the field.
Chris Eng: Good to talk with you, Ming. These are very surreal times. Tell me how things have been with you and how your teaching responsibilities have changed.
Ming Chow: Very little. Here's why. I've been teaching online courses during the summers since 2016. On March 3rd, 2020, a full week before Tufts made the announcement it would move to online learning, I sent an announcement to my Introduction to Security class: "Should Tufts decide to end the semester early, I got a plan in place..." Some people thought I was crazy. Because I have taught Introduction to Security online since summer of 2017, it was a seamless transition from in-class to online learning after spring break. The first activity we did after spring break was Capture the Flags (CTF).
Overall, I've been a lot busier since we moved to online learning. I’m checking in on students and alumni to see if they are okay, I rolled out our new co-op program, I’m preparing for our first inaugural Online Master's class, and assisting in a program for Tufts Computer Science students who lost internships and opportunities because of the pandemic.
CE: One of the things we hear about often is the cyber skills gap, or more broadly, having enough IT or IT security personnel both in the U.S. and abroad. What is your sense of the interest in technology degrees at Tufts – do you think there are more students who want to start a career in tech?
MC: Yes, because that's where the money and opportunities are -- full stop. Computer Science is now the largest undergraduate major at many colleges and universities because of that reason. When college is so expensive and you have lots of student loans, what options do students really have? Still, there are lots of students who are really passionate about Computer Science, and I am very grateful to have many of them. Even for those who are "in it for the money," do I blame them?
CE: Another reality is that a lot of higher education institutions may offer programming courses, but they are very far behind in teaching security skills. For example, most students who earn a relevant degree may graduate without taking a single security course. What are your thoughts on the reasons behind this?
MC: This is very true, and there are a few reasons. First, many faculty just don't know. They don't know about the security field. They don't know what the needs are in industry. There's a reason why there is always talk of the gaps between academia and industry, and it's gotten wider thanks to constant changes and a growing toolchain. If an instructor is following the textbooks, namely introductory CS textbooks, most textbooks still don't cover security -- so that doesn't help. Second, as I said before, Computer Science is now the largest undergraduate major at many universities. In my opinion, many schools are struggling with over-enrollment, so most days consist of putting out fires (of enrollment issues), and everything else such as curriculum comes secondary.
CE: In your courses, you use Veracode as a teaching tool so that your students can learn about application security testing, and how to find and fix flaws. When did you start using AppSec technology in your classes, and why?
MC: Veracode Static Analysis is used right after the Capture the Flags game in my Introduction to Security class. The topic after the CTF game is Static and Dynamic Analysis. The lab after the CTF game is a Technical Risk Analysis where students have to manually review the source code of the CTF game, and create a technical risk table for a technical manager. Students also learn to use the Veracode Static Analysis tool, where the process is automated. Results are then compared to manual results, and students have consistently noted in README that Veracode found a lot more issues than they could have ever imagined.
In the spring semester of Senior Capstone, which I also run, teams have to provide a Defects and Vulnerabilities Report, including Static Analysis results. Students who have taken my Security class opt to use Veracode for the deliverable as well. I have used Veracode Static Analysis in my Introduction to Security class since fall 2013 to present.
As for why I started using AppSec technology in my classes, the primary reason is exposure to real tools and hands-on skills early on. Look, cybersecurity is a largely hands-on field; it can't be all theory. Don't tell me the toolchain is not important as part of your education. It's disheartening to hear many Computer Science students have never used tools like Git before, let alone a static analysis tool.
CE: What are your students’ reactions when they find flaws in the code they’ve written? Is there anything that has stood out to you as surprising over the years as you’ve taught security skills to students?
MC: A real comment from a former student after running a Veracode scan: "[Without Veracode], I did not find the hard-coded password, many instances of the lack of HTML script sanitation, cryptographic issues, information exposure through an error message, and deserialization of untrusted data."
With regard to using Veracode Static Analysis, the biggest surprise and most gratifying comments I have received were on how to incorporate static analysis tools like Veracode in student organizations who are doing software projects. For example, we have JumboCode, an organization dedicated to helping non-profits in the greater Boston area by providing them free, custom technology to aid their services. The lead, who was a former student, asked me how to incorporate such tools into the program (after he did the lab in my class).
Overall, the most surprising thing is the consistent comment of how the course opened up students' eyes. When the course is consistently noted to have opened up students’ eyes on a part of Computer Science they never knew of, or have opened up opportunities other than software development, or even have spurred their interest in Computer Science, you know you did something right.
CE: Do you have any advice for university students taking computer science or programming classes with regard to security?
MC: To quote your very own words: "Understand how things work. Never mind security, some of them have no idea how the web (or the Internet) works. So much is abstracted from developers in a typical CS curriculum that they are often unprepared to understand how things actually work, which is core for security..." It is arguably my biggest dissatisfaction with many new engineering grads: not just the lack of preparation, but the seeming disinterest to chase down that very understanding. Knowing how to code or understanding a few programming languages doesn't make you well rounded as a developer or programmer.
CE: What are some of the things they should know, or seek out to improve their knowledge base with secure coding?
MC: Knowing how to ask for help is important, and there’s absolutely no shame in doing so. Build intellectual curiosity by building and breaking things. Understanding how things work and debugging skills go in tandem.
CE: Do you think that having a better sense of secure coding can help individuals stand out from the crowd when looking for a job or entering the workforce?
MC: Anyone can code. Anyone can learn how to code, so much so that there are too many resources and references available now. Hence, it's not that special. There are lots of developers out there, but the issue, and this is the real workforce shortage problem, is the dearth of good software developers and engineers. I still hear stories of Senior Software Engineers who don't know what Cross Site Scripting and SQL injection are.
CE: For other professors who might be looking to work secure coding into their curriculums, what advice would you offer them?
MC: Make, not just encourage, students think about “what could possibly go wrong.” Institute that adversarial thinking in their programming assignments. That alone will be significantly better than no emphasis on security.