Graduate developers lacking security skills
New government-sponsored research finds most IT undergraduates get less than five hours of security training
The latest generation of software developers have little to no experience in how to code secure applications, UK government-sponsored research has revealed.
The government-funded advisory body the Cyber Security Knowledge Transfer Network (KTN) analysed statistics from 75 UK universities which run courses to train future software developers.
It found that only 20 per cent of UK computing undergraduates get more than five hours of education on software security. The other 80 per cent receive less than five hours.
"We're not expecting to turn out graduates who are experts in secure software development, but 80 per cent are hardly even being told about it," said John Harrison, chair of the Cyber Security KTN Special Interest Group in Secure Software Development. "If we can create awareness in the next generation of software developers, then when they go out into industry they can create awareness in their own organisations."
Harrison added that the issue of training IT undergraduates in security has not been resolved because "there is no clear owner of the problem".
"There is a huge body of knowledge in the security industry on what can go wrong," he argued. "We need to transfer that knowledge into software development."
Hadrian James, of IT management software vendor Compuware, argued that engineering security into the development process from the start removes the need for costly redesigns.
"There is a substantial amount of contact time in a three-year undergraduate course," he added. "A lot of time is spent on object design, but security should be one of those objects."