Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)
Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.
In fact, it's been decades.
But the academic in me wants to say that computer science is not the right place for courses about practical security. Those should be in IT departments, no?
STOP . AMERICA . NOW
I do computer security in government IT. This job is fixing the 2,000+ Windows computers that don't patch correctly each month, upgrading/downgrading all the other applications to baseline, and trying to convince users that the computer assigned to them is not "their" computer so I can reboot it. Consoling hurt computers is the easy part, fixing broken users is the hard part. I have associate degrees in General Education and Computer Programming, a handful of certifications, and 20+ years of technical experience (i.e., software testing, help desk/desktop support, PC refresh and data center). This is definitely where the money is at.
Why would it make sense for them to require a cybersecurity course? That's an implementation detail.
These "top 10 programs" are for preparation for entering graduate school and then going into either academic or industry research work on hard, cutting edge problems, like building new algorithms and so forth. Actually making use of the research and getting a product to market that's reliable and secure can be done by ordinary engineers.
since the computer security industry is full of charlatans already. Now the same charlatans ("dark reading" pfft.) complain said charlatans don't come with ivy league seals of approval? No really, that's a strong play right there.
Anyhow, Computer Science isn't, either, so there's that. (Not just me that says so: First thing Abelson and Sussman say in their introduction to lisp lecture videos.) Maybe the top sk00lz ought to do something about that, and fold the security aspect into it wholesale while at it. Because we could use some real security in this space, but we could use lots better programs too. To the point that it's quite astonishing what crap we put up with from our computers. (And who said that, famously? E.W. Dijkstra. We really aren't listening to those who know better, are we?)
It hasn't been that long since that was a thing you could teach to someone.
Pretty sure you won't find that course in the curriculum of any serious computer science degree run by a math department. "Cybersecurity" would be something that a 15 year old on a bad 80s science fiction tv show would take at the "Academy".
System security is going to be integral with any serious computer science program. If you don't understand the basics you're not going to make it very far.
Uh, huh. CloudPassage... right...: "CloudPassage is the leader in software-defined security (SDSec) with a mission of addressing two top inhibitors to cloud infrastructure adoption—security and compliance."
Tell you what Robert, why don't you train your own employees to match your marketing goals, leave the actual computer science to the math departments of post secondary degree granting institutions. OK?
Interesting. I could see an argument for making one mandatory course in security part of the ABET computing curricula. Two is pushing it. Three? That's like a minor/concentration and shouldn't be mandatory for everybody. I think offering one or, ideally, at least two courses in security is a good starting point.
The reality is that there are a lot of computer application areas and not a lot of space in a four-year BS curriculum after the core courses and humanities stuff. What about graphics? Scientific computing? High performance computing? Artificial intelligence? Human-computer interaction? Etc.
What would really get the winds of change blowing is industry starting to look for that in all the developers it hires. That won't happen because employers don't get hurt by data breaches: customers do, and customers are too stupid and complacent to actually boycott anything.
As a college professor and computer security researcher, this tidbit certainly caught my eye. There is a growing awareness of computer security and many schools will push the content throughout the curriculum. See the ACM's Computer Science Curricula 2013 for content areas and possible implementations.
Looking at the article, the final paragraph explains some things:
So, a company I've never heard of issues a press release that they did a "study" (i.e., hired a consultant to look through college course catalogs) that there is a lack in "cybersecurity education" (without actually testing what graduates of those programs know). And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.
I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.
I live in one of the areas where 'Cybersecurity' jobs are flooding the market. Some are legit - penetration testers, system administrators, and other positions are needed to be filled where Security+ is your best friend. A lot of the other jobs are a complete joke though, and any joker that can pass a security clearance is put in a 'cybersecurity' position - copying and pasting minority reports that are generated by running scripts that abuse known exploits. Blackhatting for the guv is the opposite of 'cybersecurity'. No need for a fancy education to do that job, ladies and gentlemen. We just need a shill that values their paycheck over the American people's privacy and security.
I'm entirely serious. I've been blessed to work with some of the best software engineers in industry for a few decades, now, and I have come to the conclusion that security is simply a very hard problem, right there with locking and storing data. Talented engineers routinely write themselves insecure code and defend their code when you point out the problems, right up until you describe how to break it. At the university level, very few students will have the experience necessary to understand security issues except as a theoretical problem which likely happens to other people. Industry would receive far more benefit from things like courses on code testing.
Cybersecurity experts are NOT professors with multiple PhDs. It's a waste of time to learn anything but the basics from those guys at unholy high dollars per hour colleges charge.
Do not look at laser with remaining good eye.
"The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate."
This is an excellent example of tailoring a news story to fit a goal. One university (Alabama) requires three security classes to graduate, so that was picked as the benchmark, and obviously all other schools would fall short. Nothing newsworthy was imparted by that little bit of information.
Computer security certainly is an issue, but it won't be solved by college classes, for the same reason that time/date and character encoding issues will persist until the end of time. Sorry guys.
I believe that many misunderstand what computer science is and has been in the past. A "science" is an organized study of a field, typically the behavior and structure of the elements in that field. Therefore computer science is a rigorous study of how computers work, should work, could work in the future, and the physics and mathematics behind it. It's a field of applied math and physics. This also means many specializations within that field. One may want to study the mathematical difficulty of an encryption algorithm, or the ability to detect the information transmitted down a data path by an outside observer, both with implications on security but not necessarily a "cybersecurity" study.
Software engineering is the application of the engineering process to develop quality software. This includes a background in computer science to some extent but not to the rigor that a computer scientist might get. This would include the study of possible failure points and the means to mitigate them. In this field one might think that a class on "cybersecurity" should be taken since a quality software product should be secure, or one might assume that people would be taught that checking data inputs and outputs, and moving data in a way that could not be seen and/or altered by an outside entity as a basic premise of writing software correctly.
I took computer engineering in college some time ago. I'm now back in college part time because I realized that my education from then did not include a lot of things that have changed since then. One big change is that "software engineering" was not a common term or even a field of study then. My first time through college I had a lot of computer science students in my classes because there was a lot of crossover in course requirements between computer engineering and computer science. I realized real quick that while I was taking classes on the engineering process the computer science people were taking a foreign language. While I was taking a math course on numerical calculus the computer science students were taking history.
Computer science is a liberal arts program, or at least is in most every university I've seen, and therefore it meets the requirements of a typical liberal arts program. They study a wide variety of fields with an emphasis on the ways a computer works. If you want to see people learn how to write quality software then they need to get an engineering education.
Don't get me wrong, I've seen computer science majors write very good software, and I've seen engineers fail badly. I'm saying let computer science be computer science. If we make computer scientists take cybersecurity courses then we distract from people that take computer science to become historians, algorithm gurus, professors, and mathematicians. Roll cybersecurity into every software engineering class in a university. If a student declares a variable as globally accessible when it should not then that student should lose points on their assignment. If a student does not check the bounds of an input then dock points. If a student doesn't allocate and clear memory properly, points lost. Properly engineered software is inherently secure.
I think that a lack of a cybersecurity course requirement in computer science programs is not a bug, it's a feature. If you want to discuss the lack of cybersecurity in software engineering programs then I'll listen.
I am armed because I am free. I am free because I am armed.
There's no need to teach CS grads about security. Here's why:
If a cyber security breach happens, then the company that produced and sold the vulnerable software is never responsible. All end user rights have been signed away in a EULA or some other crooked scheme, so the end user gets to shoulder all the risk.
Since the company sees no impact of a cybersecurity incident, the company execs take no hit. Since they take no hit, the programmers and CS grads who wrote the crap software that caused the problem in the first place also see no impact.
Did people stop shopping at Target? Nope. Have any of the companies that have recently been breached seen senior executives going to jail? Nope. Maybe a few people got fired and stock prices temporarily dipped, but there's so many of these breaches lately that they are all getting lost in the noise.
So there's no point in teaching the CS grads anything about cybersecurity, since it doesn't mean anything to them. It doesn't make them any money and the companies that will be hiring them don't give a damn either.
Sometimes the "writing on the wall" is blood spatter...
I've never met a project manager or engineer who spent any time designing in proper security. That would delay the deliverable. Security is an afterthought, and left for the deployment phase, usually after the first failed PCI scan. Then the sysadmins and network teams get to scramble to plug the holes.
The only thing worse than a Democrat is a Republican.
At the university I was e-mailed a flyer on how the US Navy is recruiting students in computer science and related fields into an officer program in their cyber warfare division. This indicates to me that they will offer training in cyber security to those that qualify.
This also indicates to me that many other employers understand that cyber security is not part of a typical undergraduate CS program, and will teach those people on the job if that is a required skill. I recall talking to recruiters for big businesses on what they look for in software developers, and they want engineers. A computer science major might know a lot of programming languages and so on but learning another programming language is something that can be done easily on the job. What is difficult for recruiters is finding people with a good grasp of proper engineering and enough math to understand how to make a computer do what needs to be done efficiently.
Seems to me that cyber security should lie in the realm of on the job training and/or graduate school. Also, students that learn good programming technique should be writing inherently secure software. Things like good memory management, properly protecting variables, and well documented code should make a program secure.
Another thing is that there is a lot of code written to perform relatively trivial tasks where security is simply not a concern. Code on embedded systems just doesn't have any attack vectors, or if it does it's a matter of things like you have to "reboot" a child's toy because it got stuck in an infinite loop. Code written for industry will be used by people which one would hope are trained in its use. This code may have to allow for things that might be "insecure" for work to get done. If the person using "insecure" code ends up making a welding robot weld its own arm to the floor then it's the operator to blame.
Computer vulnerabilities make money for technology companies. Have an Android KitKat 4.4 phone? Sorry, no updates. Buy a new phone.
Keep in mind that most CS programs tend to be run with a bit of a revulsion to practical things. They argue that practical is the realm of CE not CS. Thus there will be classes in database design, as in how the guts of a data store will work, but nothing much on practical database usage. The theory (and not terribly wrong) is that by learning the guts it should be easy to learn the practical, if needed.
For me I would rather learn both as then the guts of the matter have some practical knowledge that might help it stick.
So it is no surprise that few teach practical cybersecurity, they probably do cover crypto courses where Diffie Hellman is examined in great detail.
My simple complaint is that few recent CS grads that I have met really can deliver useful code in quantity. When managing them I often find them reinventing the wheel. I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine". They will then argue that Python is too slow where I point out that my estimate is that the code will run every Friday at 3 am, will probably take 20 seconds and yet only needs to be done by opening on Monday. So even if I were to be wrong by a factor of 100 all is still good.
The code then runs in 8 seconds.
So while I am not at all shocked by no cybersecurity training, I do wish that minimally the schools would be a bit more practical so as to allow some of the abstract material to have something to latch on to.
should have been.
CS = math + theory
CE = programming + hardware
IT = deployment + operations
That's the way it was at my university back in the '90s. This was at a large school that is in what is now the PAC-12 conference. Each one was a separate, rigorous four-year degree.
At least in the CS school I attended, I don't think there were many people that could have "fixed a computer" or "written an application," even amongst the faculty, really. Their job was to answer the question "Can this real-world phenomenon, problem, or pattern be usefully symbolically represented for processing, and if so, how, and with what consequences?" If they were able to answer this question, they'd then toss it over to engineers in the CE department for "Can you design for us an apparatus or a program that carries out this kind of symbolic representation in the interest of computation?"
Two very separate fields.
I have three degrees focusing on different aspects of information security and assurance with progress being made on a fourth (MSIA) right now. I have no idea where he got that 200k jobs figure because no one is hiring security professionals right now.
No one is spending any money on security, they just chuck it in as a line item on a job requirements sheet. No one really wants a person on their staff to tell them that their DMZ isn't, their bastion host is swiss cheese, their firewall engineer incompetently prohibited critical services while allowing threats through, and they don't have a practical disaster recovery plan. They want people that will cost little, tell them everything is fine, and open up insecure shell ports because some outside contractor insisted they need that for HVAC maintenance.
I am bitter, but that is the flavor of being told you are good at something important and in demand when in reality nobody could care less from banks and retailers all the way up to the OPM.
Back in the day, I was taking an undergrad DB design course and asked the professor, "can you give an example of how tableau method is generalized in any commercial or open source DB program?" His response was, "why do you care, we study theory here.." CS academia is so stuck in the clouds of theory that the mere mention of a practical application for was reviled. Fast forward [mumble] years and it seems to be that way still.
Organization? You must be joking..
See subject: This was during my 2nd degree (above MIS minor in B.S. Business) which was pure CS @ the Associates level (which instead of 'bs' electives where possible I took extra languages & courses - which meant getting in SQL too which wasn't ordinarily included) 1st in 1993-1994, when the "dotcom" explosion happened & I was hired by a Fortune 500 with only 1 other guy out of my school (from USSR) & went to work in the field professionally circa 1995-2010 when I finally was out of work again, to finish it off!
(I ended up @ this point now iirc, 90/120 cr. hrs. into a B.S. in CS which I intend, one day in the future, to get @ Oswego State, maybe even meet Doug Lea (JAVA multithread implementer iirc)).
* I told one of my prof.'s, during a presentation project on security, WHY kids weren't being taught it in CS?
APK
P.S.=> See subject - it was implemented almost IMMEDIATELY afterwards, & yes, in a SUNY school AND at the Associates level, YEARS ago (1/2 decade++ now in fact) - so, it DOES get done, but it depends on WHAT schools you attend (best ones? Northeast baby!)... apk
Real computer science is just math with computers. This sounds like businesses are tired of having to pay for some extra specialized training they want which has little to no value outside of their exact use case. I'm seeing this a lot with colleges where more and more they exist to get you ready for one very specific job. That'd be peachy if that job lasted 50 years and then you retire but a lot of times it's so highly specialized you might have trouble finding work in a decade. Meanwhile you're still paying off the $100k of student loans it took to get that training.
When did the general population stop noticing crap like this?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Absolutely computational theory is a different beast than most programming. HOWEVER, CS graduates don't generally work as theorists. They very often end up working as programmers, systems architects, etc. They come reasonably prepared- CS is certainly better preparation than my last two bosses had - one major in architecture and the other in electrical engineering. If we're going to teach them the fundamentals of programming and information engineering, we might include an awareness of security as part of those fundamentals.
Also, there's a lot of work to be done on the more theoretical side of security. Because programmers aren't perfect, wouldn't it be nice to have a provable sandbox, to know, based on mathematical proof, that no program run in some context X can possibly access a resource in some other context Y? How about proving that a set of library functions can't have buffer overflows, regardless of their input? Cryptology is of course all about theoretical, mathematical, "prove the computational complexity" type of thinking. It would be awesome to have an implementation of key exchange that's PROVEN correct.
Here's a hard problem that's very much in demand right now, that's 100% comp sci. Given that day-to-day programmers are in fact not perfect, it would be awesome for them to have provably secure libraries. Library functions that CAN'T result in a buffer overflow or underflow, for example.
You want a grander problem? How about a provably secure sandbox? We've seen how "engineered" sandboxes such as Flash, Java, and Android have worked out. Designing a sandbox that provides /emulates a basic CPU while PROVABLY not allowing access to any resource outside of the sandbox would be a comp sci project that could advance security in a huge way.
See subject: It matters. I had security on MANY levels 'shoved down my throat' professionally 1994-2010 (when I coded fulltime) & GLAD I did!
(I.E.-> In security of databases, servers, & workstations ALONG with coding (however, most shops I worked @ used formal DBA's + SysAdmins, doing db security & OS desktop to backend server security)... this 'segregation of duties' allowed me to concentrate MORE on the security of code I wrote (especially in SQL which was my primary focus using it with HLL's like Delphi, C++, & VB))
THAT was taught to me by my seniors who reviewed my work in code during weekly code reviews typically in larger shops...
So, where'd this all come in MOST handy? In smaller shops I'd work in (mostly later on contracts) - it paid off & does help to "know it all" (or rather, as much as you can on all of these fronts).
Imo @ least (per the link below in my other post here)?
I feel that knowing security of OS, backend server programs like database engines, & desktops SHOULD be taught @ the Associates degree level (& yes, I helped make that happen @ my 'old alma mater') then, & ONLY then, coding security practices Bachelors onwards.
APK
P.S.=> I'm only an Associates Degree level coder (However, I'm a GOOD 2/3 of the way credit hours wise that transfer towards a Bachelors in CS & I worked in the field for 2.5++ decades as a coder alone professionally + techie & then network admin before it)!
I was LUCKY imo!
I had the BIG benefit of working with many Bachelors, Masters, & even PhD degreed coders during my career (it was great, because when I went back in 2010 to finish the paper? I was teaching SOME of my profs things they didn't know & yes, in turn, they did the same for me even AFTER I had done the job longer than they had most times professionally, when initially, I was scared shitless I couldn't handle it back circa 1993 when I started it -> https://it.slashdot.org/commen... ) ... apk
You want a grander problem?
Oh, like what they're working on down at the Grander Studies department?
Computer Science is mostly math
For the record I'm CS but CS is mostly math it's the highest paying computer related degree but actually teaches very little that most employers want.
Not sure why it's still so in demand but it might have something to do with the intelligence required to graduate, many more people can go to classes that sit down and teach you all the hottest IT/dev tools one at a time. My CS class barely glossed over how to use the tools required to do the job. Learning C and C++ was literally
"You all probably know java by now but you'll need C to complete this assignment due next week, there are some links on the syllabus that might help you bridge the gap" I don't think they taught UNIX except for kernel programming. I remember they gave me the hardest networking class of my life but the information was so theoretical that I doubt most of the students could have set up a small network any more complicated than workstations plugged into switches without extra help, though they could probably explain all the math and theory.
I implemented common crypto algorithms and learned memory manipulation techniques like buffer overflows and stuff like that.
Most IT departments couldn't care less if you know that stuff they want you to know how to use metasploit, how to configure an IDS, how to use access control, VPNs, and maybe stuff like physical security and structural controls like how to classify documents.
CS departments literally don't have time to teach cybersecurity.
Now that I'm a customer instead of the VAR, every time I challenge a vendor on a security issue, the answer is either FDA device no changes allowed or just make sure it's on your secure network. If I get in early enough, I can bounce a vendor in RFP, but some days, we're stuck with a product that cries to be rooted.
A really neat class at the University of Virginia:
A report describing the class' pedagogy: Defense Against the Dark Arts
and a link to the current class website: Online syllabus
remove nospam. to email!
Cyber Security is an IT (practical) practice, not a "Computer Science" practice.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
What I mean is, maybe infosec should be part of everything, instead of its own specialization.
For example, maybe infosec should be part of software development class, and part of a database class, and part of a networking class, and so on?
Infosec to a network engineer is different than infosec to a java developer, which is also different from infosec to a system administrator.
Such things exist, but no commercial company can afford provable software. And even when you prove the software, that only proves it against the specified requirements. You also need to prove the requirements were correct, didn't leave anything out, and nothing was understood in an unexpected way. Just look at any documented standard if you want to see how difficult that is.
The C string library functions don't result in buffer overflows. Because all your strings are null terminated at the proper place or you pass in their correct size. Right? RIGHT? Proving something works perfectly is useless if you use it improperly. Anything and everything can be misused.
If you want to learn more, look up "formal methods". It was a required course (Encryption was optional, Data Verification and Validation was required) in my undergrad Software Engineering degree (yay RIT!, you hideously expensive but educational school). There is nothing special about cyber security versus general application security from a programmer's perspective.
The *entire* point of this study is to get press. Zday- and breach- fatigue are well entrenched, and it's unlikely that this smaller company has access to actual breach data. So, the answer? Come up with a new angle: blame security on uni.
Hence, quite meaningless as research.
But. Very useful to get this company out there without paying for exposure, and cleverly done. Lots of Slashdot community fell for it.
Why would the Establishment want to teach students that the status quo approach to computer security is nothing but lies and failure?
Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
We know that C strcpy can result in overflow, as can the C addition operator with its own special version of overflow. But copying a string in Java or Flash can't result in overflow, right? Prove it. The specification for each is simple and clear.
You don't need to prove all of the application software, much can be gained by proving that the language or library is safe from user error (where user means application programmer). Where you DO want to prove some part of the application software to some degree, proving the library, compiler, or interpreter is a precondition.
Top astronomy schools don't teach a course on how to make a lens cap.
They don't teach error handling either. How many handouts in CS have said "error handling as an exercise left for the reader?" if it's mentioned at all.
However, it's arguably one of the most difficult designs you can make when you write software.
It seems to be that everyone is missing the key point. Security comes from a holistic understanding of a system. Security comes in different flavors. It exists (hopefully) at many layers of the OSI model. Therefore to be a useful security engineer in any regards, you need to understand completely what you are working with. For example, one would not expect someone who specializes in compiler theory and implementation to be proficient in web-based security. And vice versa. Once you have a firm grasp of a given system, say compiler theory/design/etc, then you may begin to understand the attack vectors associated with that technology. At my school, University of Wisconsin, the security class is designed to be taken at a senior undergrad level, once you have gotten the necessary skills in previous classes. With an advanced class offered at the graduate level. Of course these courses won't make you an expert, but they might get you in the door as an entry level security engineer. Or maybe as a junior cs security researcher.
As someone with several (3) recent degrees:
maybe infosec should be part of software development class
It isn't.
and part of a database class
It is about five to ten percent of the work.
and part of a networking class
It's about a quarter of the class load. Some classes have it, others specialize in it.
Admin-focused programs have a few dedicated classes. Network-focused programs have a huge amount, generally overlapping into the other two categories you have listed. They take it as a burden of network administration to "shore up the walls" against vulnerabilities in software and servers. Software development programs, in my experience, have none or one with a couple more as electives, right in line with this study really. The classes that are mandatory are usually the same as the freshman intro class that the other programs have. Stuff like the difference between a virus and worm or why WEP is bad. Unfortunately those elective classes aren't any good for practical infosec either with titles like cryptography or forensics. It's hard to find classes on secure software development.
If you want to really force an understanding of computers, use a PDP-8.
For something a bit more practical, use a PDP-11. Big enough to run UNIX on. Small enough to understand.
Just stop confusing computer *science* with software *engineering*
Designing a sandbox that provides /emulates a basic CPU while PROVABLY not allowing access to any resource outside of the sandbox would be a comp sci project that could advance security in a huge way.
It exists. You might want to look up Google Native Client. The verifier for it has been formally verified and guarantees that no memory accesses can be to the outside of the sandbox. Of course, that's not the entire problem. It's trivial to prove that a program that has no side effects is secure, but anything useful in a sandbox has to be able to communicate with the world outside of the sandbox. And as soon as it can communicate with the outside world, it becomes a staging ground for attacking the bits that are outside of the sandbox and are not verified.
I am TheRaven on Soylent News
I didn't know that the NaCl verifier had been verified. That's very interesting, thanks. In fact I still can't find a reference for that, probably just because Google searches with the word "verified" turn up so many results talking about code verified BY the verifier.
Seatbelts keep a person in place
Latches keep the door closed
Locks prevent opening the door from the outside.
CS teaches the seatbelt engineering and latch engineering. Seatbelts are a government requirement. Latches are a nice to have (Jeep). Locks are a deterrent.
Better to have a senior thesis be hacked and fail them if it can be than try to teach the hacking mindset.
Security is a nice to have, but then again, at a certain point everything will fail: Land speed record...will a seatbelt keep you safe if you wreck at 790 mph...it will just be like a blender. Think those seatbelts on a plane will keep you safe in a nosedive...nope...airbag on plane...nope. Latch on a car going under water...nope. It's all in the context.
If someone steals your keys to a Honda in a lot full of Hondas...think that alarm was a good idea...now the thief knows exactly where your car is...doh
That's about what I figured.
My point is: security should be more emphasized in all those classes. Security as a separate discipline does not make much sense, since security is different for a Java developer, or a network engineer.
IMO, it is inexcusable that those with CS degrees have not had more exposure to security issues. "The threat" is a fact of life and any leader in any information technology role should have a grounding in the security principles around that role.
FTA: ... The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate.
University of Alabama?
Wow, I did not know they even had a University, it being Alabama and all. Kudos to their CS Department.
But also, to every other CS Department in the US: U. Alabama is trouncing you in this arena. How does that feel?