17 February 2022
by Shamal Faily, Robert Gordon University
On Wednesday, December 8th, we ran a half-day joint RISCS / SICSA sponsored workshop on Secure Development Practices education. Practices for secure software development entail more than writing code. They encompass the broader design and engineering practices that produce usable and secure software. We already know the transfer of know-how from Secure Development Practice research to practice is slow, but we wanted to explore why it is equally slow from research to education too.
The workshop began with an introduction to the workshop topic by Shamal Faily, followed by a talk by Helen L — the head of NCSC’s Technology Assurance Group — on principles based assurance, and what this means for Secure Development Practices.
The next item on the agenda was a panel on challenges and opportunities associated with Secure Development Practices education. The panellists were Ivan Fléchais (University of Oxford), Nancy Mead (Carnegie Mellon University, USA), Martin Jaatun (SINTEF, Norway), and Tim Storer (University of Glasgow). Topics discussed during the panel included addressing the Secure Development Practices skill shortage, occupational hazards faced by practitioners responsible for delivering secure software, and how Secure Development Practices should be promoted.
After a short break, participants joined one of two breakout group discussions on challenges and opportunities related to software security and knowledge transfer. During the breakout groups, several interesting challenges were identified. For example, how should we teach developers to rate the security ‘health’ of their code? How, in a packed undergraduate or post-graduate curriculum, do we teach security to developers without sacrificing other quality concerns like usability, performance, and maintainability? Finally, how should educators assess the ‘readiness level’ of some piece of security development practice research they wish to incorporate into the curriculum – particularly if their background is in software engineering or cybersecurity, but not both?
The workshop was well attended with over 40 participants from not only SICSA institutions, but universities and companies across the UK. We are grateful to both SICSA and RISCS for their sponsorship and support for this event.