Secure software engineering skills are difficult to find, says
George Stathakopoulos, general manager,
Trustworthy Computing Security at Microsoft.
"There is a huge shortage of defenders [in the software
industry]," he told Computer Weekly in an exclusive interview.
Each generation tends to be more tech-savvy than the one before,
but young people still need mentoring to make the right choices
about security in computing, he said.
According to Stathakopoulos, training institutions, software
development companies and large enterprises all have a role to play
in promoting secure computing as an attractive career option.
Enterprises need to offer the right incentives and
opportunities, while training institutions need to recognise the
importance of teaching comprehensive defence techniques, he
said.
Although some institutions teach students how to write malware
to enable them to understand how it works, few go far enough to
build a secure coding discipline, added Stathakopoulos.
Microsoft continually trains its own software engineers in
secure coding practices as part of its Trustworthy Computing
initiative adopted in 2002 to improve the security of its
products.
"We have learned a lot about how to teach secure coding and all
our SDL (Security Development Lifecycle) knowledge is published for
training institutions to use," said Stathakopoulos.
The SDL sets guidelines for including a series of
security-focused activities in each phase of the software
development process, such as threat modelling, code review and
security testing.
Microsoft regularly engages with educational institutions on
training defenders for the software industry and the SDL is a
ready-made foundation for that training, said Stathakopoulos.