Secure software engineering skills are difficult to find, says George Stathakopoulos, general manager, Trustworthy Computing Security at Microsoft.
"There is a huge shortage of defenders [in the software industry]," he told Computer Weekly in an exclusive interview.
Each generation tends to be more tech-savvy than the one before, but young people still need mentoring to make the right choices about security in computing, he said.
According to Stathakopoulos, training institutions, software development companies and large enterprise all have a role to play in promoting secure computing as an attractive career option.
Enterprise needs to offer the right incentives and opportunities, while training institutions need to recognise the importance of teaching comprehensive defence techniques, he said.
Although some institutions teach students how to write malware to enable them to understand how it works, few go far enough to build a secure coding discipline, added Stathakopoulos.
Microsoft continually trains its own software engineers in secure coding practices as part of its Trustworthy Computing initiative, adopted in 2002 to improve the security of its products.
"We have learned a lot about how to teach secure coding and all our SDL (security development lifecycle) knowledge is published for training institutions to use," said Stathakopoulos.
The SDL sets guidelines for including a series of security-focused activities in each phase of the software development process, such as threat modelling, code review and security testing.
Microsoft regularly engages with educational institutions on training defenders for the software industry and the SDL is a ready-made foundation for that training, said Stathakopoulos.