How come AppSec is still not in the curriculum? presented at DevSecConBoston 2018

by Gábor Pék

Summary: Education plays a key role in training the developers who deliver the software that businesses rely on. As security courses are missing from the mandatory curriculum of top universities, generations of software engineers are taught without developing a security mindset. At the other end of the scale, however, businesses face tons of security issues on a daily basis, and their security teams do not have the capacity to prevent and alleviate them quickly. The knowledge is in the hands of a few CISOs and security champions (if there are any), who are overwhelmed trying to interweave security into development processes. Simply put, there is no real synergy between the motivation and role of higher education and those of the industry.

In this talk, I am going to explore this problem from both perspectives. Based on our experience as teachers at the Budapest University of Technology and Economics, I highlight how we built up an IT security curriculum involving business representatives. I will also show another example: how to run talent programs to nurture players for CTF games, and discuss its benefits and shortcomings.

In reality, there seems to be a gap between higher education and the software industry in terms of security. I believe that companies should pay special attention to giving guidance and help to students, raising their security awareness. By bridging the approach of universities, who give long-term knowledge, with hands-on industry experience, we can give developers security-consciousness. Business leaders and teams should use their skills to pay it forward to new generations of software engineers at universities and enjoy the collective benefits when they grow up.