Cybersecurity cracks the undergraduate curriculum

Security company CloudPassage conducted a 2016 analysis of the top 121 U.S. computer science programs and found that only three programs require at least one cybersecurity course for a degree. It also found that many programs offer no cybersecurity curriculum at all. Given the high-stakes nature of cyber-threats, why would universities not already be arming students with a curriculum to help thwart malicious activity?

“Attack surfaces” are everywhere
The answer is based on the rapid-fire evolution of computing in everyday life along with the ubiquitous rise of the Internet, says SWAMP Chief Scientist Barton Miller, a University of Wisconsin-Madison professor of computer science.

“Two decades ago, big software systems for things like payroll and inventory ran on a mainframe that was not connected to anything else,” says Miller. “There was no, what we call in security, ‘attack surface,’ or that part of your software that can be touched by an outsider.”

Today, all things digital have some kind of attack surface, from phones to cars to homes, to all transaction tools involving customers. This shift has given rise to an underground industry that generates 4,000 cyber-attacks daily and produced $18 billion in credit card fraud in 2015 alone, according to estimates by IBM.

Bugs in software used to be primarily a reliability concern, causing the nuisance of systems crashing and time and data being lost, Miller says. Now that they are matters of great economic and national security risk, universities face an urgent challenge to address cybersecurity not just in separate courses or specialties, but within the code development culture itself.

Miller uses the SWAMP in a number of UW-Madison computer science courses and is working with colleagues to add more in the coming year. He also has partnered with computer programming students at Madison West High School.

“Plug and play” in the classroom
Computer science programs nationwide are under tremendous pressure to increase enrollments and graduate more talent to meet shortages, Miller says. As enrollments and class sizes increase, programs also need to scale these labor-intensive cybersecurity practices into larger classes without taking valuable learning time away from students.

Miller says that is a big advantage of the SWAMP. The resource is designed to eliminate overhead and time-consuming downloads and continual updates, making it easy to plug-and-play in the classroom environment and scale to a growing community of users.

“As part of normal code hygiene in computer science classes, I’d like to see faculty say, ‘Your assignment can be turned in after it’s run through the SWAMP and gets a clean bill of health,’” Miller adds. “This would be fast and efficient, with little time sink for the student.”

Jackson says these skills not only will improve future code, they must be applied to the current infrastructure of installed software. “When many of our students return from summer internships, they say their main job was to convert already existing code into secure code. That was our first wake-up call.”

Bowie State’s computer science department is documenting this daily activity of code review and error detection, and compiling it into a comprehensive secure coding book that defines common errors and possible fixes. Jackson says the goal is to share this book with other universities, beginning with Bowie State’s own network of twelve historically black colleges in the United States.

Security cultures lacking
Miller says cybersecurity has been a game of catch-up in industry as well as academia, and remains a hard sell in some environments. But students trained in security will bring that mindset and expectation set to employers, he says.

Major companies like Microsoft and Google already have strong security cultures, but companies where software is just a portion of their business may not respond “until they actually get hit by something really bad.”

“We see a lot of closing of the barn doors after the horses get out,” he says.

SWAMP Director Miron Livny, a UW-Madison computer science professor and Chief Technology Officer of the Morgridge Institute, says supporting educational customers is a cornerstone of the project. “We hope the success seen by Bowie State of translating SWAMP capabilities into a powerful classroom tool will soon be followed by others,” he says.

About the SWAMP
The Software Assurance Marketplace is a joint effort of four research institutions – the Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through an open continuous assurance facility. The five-year, $23.6 million project is funded by the Department of Homeland Security Science and Technology Directorate and went live in February 2014.