Discover Performance, HP Software's community for IT leaders // September 2013
How to close the IT security skills gap
IT security guru Gary McGraw says bosses should insist that new developers know a thing or two about security—and then invest in teaching them even more.
At a time when IT security skills are in short supply, and high-profile security breaches are not, HP’s Discover Performance sat down with enterprise security expert Gary McGraw to discuss what developers should know about software security. (Related article: McGraw discusses application security.)
McGraw, author of Building Secure Software: How to Avoid Security Problems the Right Way, and Software Security: Building Security In, will be the keynote speaker at HP Protect 2013, Sept. 16–19 in Washington, D.C. In discussing the human-resources aspect of enterprise security, he noted that employers need to make basic security awareness a hiring factor, and invest in training their IT departments to deliver more secure applications.
Q: Are new developers entering the workforce underprepared to build secure software?
Gary McGraw: There is a skills problem. Some universities teach courses on software security. Forward-looking universities—such as Stanford, Carnegie Mellon, Johns Hopkins, Princeton, MIT, Harvard, Tufts, North Carolina State University, and a number of others—have been teaching software security for years and are expanding their approach. But there are plenty of people who learn to code independently of school—maybe an English major or whatever who later becomes a developer.
New developers often come to the workforce with very little knowledge about security, and so it’s up to the firms themselves to train them to practice software security. Fortunately, there’s lots of training available, including both instructor-led and computer-based training. We provide training at Cigital, and there are many other firms that provide training as well.
Q: Training can be expensive. Is there a good return on investment?
GM: I think that whatever you can do to eradicate security problems and defects early in the lifecycle always pays off. Training is part of that. Developers need to know that there are tools that they can use, and also how to use them. And organizations need to understand that just buying a tool does not magically solve the problem: you have to put any tool in place, and do it in a rational way. Finally, and most important of all, you need to figure out how to correct the bugs and flaws that you find.
Q: How can businesses instill an understanding of security’s importance?
GM: A firm should place a fair amount of emphasis on security. And developers must be told that security is part of their job responsibility. Every developer at Microsoft knows that security is part of their job, and it’s part of the way that they’re measured and compensated.
Forward-looking firms are all doing that sort of thing already. As a result, demand for training and security knowledge continues to grow. The books that I’ve written on security continue to sell, even though they’re several years old. In many cases, the books are still incredibly relevant, and a good place for a developer to start thinking about computer security.
Many firms are adopting a large-scale software security initiative to make their internal development culture more security-savvy. Microsoft led in this area with its Trustworthy Computing Initiative. Initiatives at other firms often look similar to that.
Q: What about at the leadership level? Is there an awareness of the security deficit among CISOs or CIOs? Is the knowledge at the top ready to be passed down, or do we also have to penetrate higher?
GM: We also have to penetrate higher. I’ve seen software security initiatives fail for two distinctly different reasons. First, I’ve seen a groundswell of optimistic developers get psyched about security, then hit an inertia wall among middle management, which killed the software security initiative dead. At the opposite end of the spectrum, I’ve seen pointy-haired-boss types lecture ineffectively about software security, and everybody looks up and goes, “That person’s crazy: must be boss flavor of the day.” That’s also a path to failure.
When you’re changing the development culture, you need to think not only about senior executives, but middle management. And not only about guys writing code, but also about requirements managers and business people. Everyone in the firm needs to understand that customers care about security, and thus security is part of their job too.
The good news is that we have been doing software security for years, and we’re getting good at leveraging experience about how to get tools institutionalized, how to train lots of people in an effective and an efficient manner, and so on. Many firms that have been early adopters of software security—especially financial services firms and independent software vendors—have done a lot to cut new ice, making it easier for other verticals to follow in their footsteps.
Q: How will that knowledge spread from the leaders to the followers?
GM: Much of it will come from firms that provide software security training, like Cigital. I’ve trained a lot of senior executives myself, and talked to many boards about the importance of software security. There’s also outreach through important conferences, like the HP Protect conference, which are critical because they get the message out that we know what to do and we all have to do it.
Q: Should basic security knowledge factor into an executive’s hiring strategy?
GM: Absolutely. At Microsoft, when you want to get hired as a developer, they will ask you a couple of security questions in the interview process. And if you look at them like a cow looks at a new gate—like you don’t know what to say—you’re probably not going to get the job. But if you’re a developer who has at least some exposure to security, and you know what a buffer overflow is, you know what cross-site scripting is, then you’re much more likely to get that job.
Watch Gary McGraw's full keynote at HP Protect 2013, "Bug Parades, Zombies, and the BSIMM: A Decade of Software Security," and get more insight and intelligence from the premier security event at Backstage with HP Software.