UK computing graduates lack security skills

The vast majority of UK computing students receive virtually no security training when it comes to designing and developing new software applications, according to government-funded research.

Less than 20 per cent of all computing undergraduates in the UK receive more than five hours' training in incorporating security functionality over the three- to four-year duration of their course. This was according to research by the Cyber Security Knowledge Transfer Network (KTN), which was created in 2006 by the government's Technology Strategy Board.

The study took the form of an analytical review of open source web material taken from 75 UK universities which had good reputations for producing future software developers.

"Frankly I was surprised by how low the figures were," said Bill Whyte, an independent IT security consultant who conducted the research.

"Today's computing market is a complex chain of software activities and is vulnerable as its weakest link. The study is clear - security issues stem from the beginning of the chain."

He warned: "We need to get a greater percentage of security-literate graduates out there or the number of otherwise-avoidable financial losses will grow."

The KTN believed that the study showed that software development did not feature strongly enough on the UK's list of IT security priorities.

"The cost associated with security breaches and investment in information security could both be mitigated if software was developed with fewer security flaws and vulnerabilities," said KTN director Nigel Jones.

"The bottom line is that if we want to solve the problems we need to start by fixing the root cause. The greatest problem we have is that awareness of this fix is very limited."

He added: "Just look at the recent BERR and PriceWaterhouseCoopers report on UK information security breaches. There is not a single reference to secure software development in any of its 32 pages."

At an event held at London's Southbank University in connection with the release of the survey, experts identified two areas that could be improved by better developer understanding of security.

One was that it could reduce the number of software flaws which could be exploited maliciously, such as buffer overflows.

The other was to reduce the number of vulnerabilities caused by poor security design, such as weak authentication.