Slashdot Mirror


Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)

Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

  1. It's been a while since I was a CS student. by aussersterne · · Score: 4, Insightful

    In fact, it's been decades.

    But the academic in me wants to say that computer science is not the right place for courses about practical security. Those should be in IT departments, no?

    --
    STOP . AMERICA . NOW
    1. Re:It's been a while since I was a CS student. by Hunter-Killer · · Score: 5, Insightful

      Depends on the problem you intend to address.
      Malware clean up, vuln scanning, thumb drive police--IT.
      Sanitizing inputs, not storing sensitive data in plaintext--dev.

    2. Re:It's been a while since I was a CS student. by __aaclcg7560 · · Score: 4, Insightful

      Those should be in IT departments, no?

      The IT department can handle deployed applications. Programmers still need to write application code to prevent security issues in the first place.

    3. Re:It's been a while since I was a CS student. by rakslice · · Score: 3, Informative

      Although there are a lot of CS-level concepts you can teach someone that relate to security, when it comes to "IT security jobs" and the practical security issues that you're going to deal with in them, there is very little connection.

      The analogy that I often use is: Would you expect a physicist to be able to fix your car? I like to think not. Or would a news outlet fall into a similar trap of publishing claims from some company looking for a free marketing opportunity that universities have a responsibility to teach their graduates auto repair?

      At the very least I would expect a news outlet to catch on that "cybersecurity" is not a term that is actually used by many people that deal with the security of software and computer networks.

    4. Re:It's been a while since I was a CS student. by fuzzyfuzzyfungus · · Score: 5, Interesting

      Unfortunately, aside from the intervening decades having led to surprisingly little progress in deciding what 'CS' should actually include (in the sense of a degree, I assume that academic computer scientists have successfully held the line on the 'no, running windows update is not computer science' issue); people don't even have the decency to provide a cogent definition of what they are fretting about the presence or absence of in a CS curriculum.

      'Cybersecurity'. Ok, aside from 'cyber' being a denizen of the worst areas of buzzword hell; do you mean "good software engineering practices with regard to sanitizing inputs"? "How to grovel through IDS logs 101"? "How to not fuck up handling cryptographic keys?" "Side Channels and how to be paranoid enough about them"?

      As is so often the case, it sounds like somebody needs to solve the problem between the keyboard and the chair before we can even begin to have a meaningful chat about whatever they say the problem is.

    5. Re:It's been a while since I was a CS student. by __aaclcg7560 · · Score: 2

      It's not like the IT departments are self educated.

      Successful IT technicians are the ones who never stop learning. They put in their eight-hour day and go home to work on their technology projects, learn a certification or take night classes to advance themselves. The fastest way to commit professional suicide is to stop learning.

      It would basically come down to "always run updated software, because that is what the teacher told us and apart from that, do as we like".

      Written by someone who has never worked in a Fortune 500 IT department.

      Proper security requires people who actually understand the problem, which points towards the universities.

      Here's the problem with the university education: most, if not all, people stop learning after they graduate from school because they're no longer in school.

      I had two friends who graduated from CS programs at the state university, got jobs at major companies, worked seven years in the same position, and got laid off during the dot com bust. They took a six-month vacation while collecting unemployment benefits, figuring that they deserved it after working so many years in the industry. And then they couldn't find a job because their job skills were obsolete. Instead of going back to school, enrolling in a boot camp, or buying a book to teach themselves, they ran out of money and became drug store clerks. Fifteen years later they're still drug store clerks.

      Another example. An IT manager at my work was responsible for imaging laptops. Been doing the job for 15 years since graduating from the university. Until he got a brand new Dell laptop that needed a replacement hard drive. He couldn't find the hard drive since it didn't have 2.5" hard drive bay. We told him that the hard drive was a solid state drive on a card, which he claimed was the wireless card and threw a fit when we pointed out the wireless card. That laptop sat in his office for six months before another manager pulled it out and sent it back to Dell under warranty.

    6. Re:It's been a while since I was a CS student. by Anonymous Coward · · Score: 2, Insightful

      No. Sanitizing inputs and encrypting sensitive data are still practical concerns, while a university program should be focused on theory. Trade schools or *gasp* on-the-job-training (i.e., apprenticeships) would be better places for it.

      We won't let the med school graduate operate autonomously without going through a residency program, because during the course of their career, they could impact thousands of lives. The recent CS grad, on the other hand, is expected to hit the ground running in writing the medical software that will impact potentially millions of lives.

    7. Re:It's been a while since I was a CS student. by aussersterne · · Score: 2

      So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?

      --
      STOP . AMERICA . NOW
    8. Re:It's been a while since I was a CS student. by __aaclcg7560 · · Score: 3, Insightful

      So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?

      Because when I think of the term "computer science," or more precisely the initials "CS," I believe it covers every aspect of computers from the pie in the sky theories to the power button. Apparently, this is a common misconception that many people outside the university system have.

      To paraphrase Robert Kiyosaki of "Rich Dad, Poor Dad" fame: the higher you go for education degrees, the less you learn.

      Translations: universities are pushing out specialists when this country need generalists.

    9. Re: It's been a while since I was a CS student. by Anonymous Coward · · Score: 2, Interesting

      I humbly disagree. Programming is applied computer science, in the same way engineering is an applied science. We're expecting these CS graduates to go forth and do something, and a good portion of that is in implementation.
      Good engineers need to understand the limitations of their theoretical knowledge, and how to apply sound principles in a real world, practical manner. For instance, I've seen blueprints which required a weld at the bottom of a 6 tall square tube, which was 4 inches in diameter. When called on his design, the engineer did not understand this was impossible to do without basically inventing a machine and process to do it. This individual had Zero real world experience, or common sense. Seems this is not uncommon amongst other professions? Maybe apprenticeships need to be revisited?

    10. Re: It's been a while since I was a CS student. by 110010001000 · · Score: 2

      That isn't CS, that is programming.

    11. Re:It's been a while since I was a CS student. by aussersterne · · Score: 2

      I have no problem with the idea that there ought to be courses on security, just not in CS where (at least when I was a student) that's not really what they do. They're in the business of figuring out/proving/disproving whether things *can be computed in theory* and how, in theory.

      Security just isn't a question that has anything to do with that, and these are people that write comparatively little code. It's not what the discipline is about.

      There *are* people that spend their time learning how to code, and how to code properly for real-world situations and deployment (which is precisely where security becomes an issue). That's my point. Security ought to be taught where people are actually learning to code, deploy, and operate. It's a serious, rigorous field of its own. It just doesn't happen to be computer science (which, if it helps you, could just as easily be called "computation theory").

      --
      STOP . AMERICA . NOW
    12. Re:It's been a while since I was a CS student. by HornWumpus · · Score: 2

      So basically you're saying 99% of people studying CS should be studying something else?

      CS has expanded beyond its math roots. Not all CS even comes out of math departments. Some CS is taught out of the business school (spit). Never hire those people.

      If you want to complain about CS majors who program, you should contrast them with CS majors who don't...that is one useless bunch of air thieves.

      IMHO you should get a pretty good handle on programming with self study in high school or before, if you want to study CS, CompE, EE or any science that will require you to use a computer.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    13. Re: It's been a while since I was a CS student. by WarJolt · · Score: 2

      The problem with cybersecurity is that it's a mindset. You can't just give one class on the subject. Database classes are not required in undergraduate programs and SQL injections aren't mentioned when your class is more focused on relational algebra.

      About 1/5 of that class needs no explanation and 4/5 would claim to understand it if explained to them, but never think about it once they graduate.

      Either you get it immediately or it needs to be pounded into you at the workplace. Many workplaces have mechanisms in place to verify these vulnerabilities are not introduced. Others do not. I think that's a critical flaw.

    14. Re: It's been a while since I was a CS student. by johnsmithperson123 · · Score: 2

      It's the difference between securing a bank from robbers and manufacturing the vault.

    15. Re: It's been a while since I was a CS student. by Cassini2 · · Score: 2

      We're expecting these CS graduates to go forth and do something, ...

      Historically, universities were about perpetuating knowledge and the advancement of knowledge. Apprenticeships and professional programs are where people learn to do something practical. Universities were the hallowed halls of pure learning.

      In the beginning, no one foresaw that a pure math specialization would have huge practical use. Some of the greats in computer science never thought their work would ever see use outside of the math department. If memory serves, Boole was extremely pleased that Boolean Algebra existed as a theoretical exercise that would never have a practical application.

    16. Re: It's been a while since I was a CS student. by SecurityGuy · · Score: 2

      Historically, universities were about perpetuating knowledge and the advancement of knowledge.

      I've heard this often, but people need to accept that this is no longer the case. We're not talking about the sons of the aristocracy anymore. John and Jane Q. Public don't go to university to advance knowledge, they go to get a job. At its most ridiculous, some people go to University to play sports without any actual use for the degree they'll get (and sometimes earn) at all.

    17. Re:It's been a while since I was a CS student. by __aaclcg7560 · · Score: 3, Interesting

      In most situations, certificates are almost worthless, and most classes teach you information without context and that will be old in a few years.

      If you're doing IT contract work, certificates are a checklist requirement for HR recruiters. As for my programming classes, I never learned a particular programming language but I do remember all the programming structures. I can write a program in pseudo code and then figure out the syntax of a programming language that I never worked with to implement the program.

      I have noticed there are many problems that are hard enough that if someone has to ask how to do something, they shouldn't ever do it.

      I had that problem with programming. I didn't understand it until I'd taken all of my mathematics classes in college, worked in the industry for a decade, and then went back to college to learn programming.

  2. Top 10 programs are for prepping for research by Anonymous Coward · · Score: 5, Insightful

    Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

    These "top 10 programs" are for preparation for entering graduate school and then going into either academic or industry research work on hard, cutting edge problems, like building new algorithms and so forth. Actually making use of the research and getting a product to market that's reliable and secure can be done by ordinary engineers.

    1. Re:Top 10 programs are for prepping for research by retchdog · · Score: 2

      Maybe that's because there are hardly any engineers, "ordinary" or not, in the software industry.

      --
      "They were pure niggers." – Noam Chomsky
  3. "Cybersecurity?" by Anonymous Coward · · Score: 3, Insightful

    Pretty sure you won't find that course in the curriculum of any serious computer science degree run by a math department. "Cybersecurity" would be something that a 15 year old on a bad 80s science fiction tv show would take at the "Academy".

    System security is going to be integral with any serious computer science program. If you don't understand the basics you're not going to make it very far.

    ..Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

    Uh, huh. CloudPassage... right...: "CloudPassage is the leader in software-defined security (SDSec) with a mission of addressing two top inhibitors to cloud infrastructure adoption—security and compliance."

    Tell you what Robert, why don't you train your own employees to match your marketing goals, leave the actual computer science to the math departments of post secondary degree granting institutions. OK?

    1. Re:"Cybersecurity?" by __aaclcg7560 · · Score: 5, Interesting

      You might be astonished how many "serious computer science programs" no longer teach the basics.

      When I worked the Google help desk in 2008, I had to walk a newly hired CS graduate through the process of turning on his own PC. He was astonished that no one was standing around to turn on his computer like they do at the university computer lab. I'm always surprised by how little computer scientists know about hardware.

    2. Re:"Cybersecurity?" by Lumpy · · Score: 2

      Most CS grads are utterly useless at troubleshooting or critical thinking as well. They don't teach that anymore. They make great code monkeys that just do what they are told though.

      The Good ones learn in about 2 years of real world that the ones that think outside the box and try to figure things out for themselves end up at the top of the pile.

      --
      Do not look at laser with remaining good eye.
    3. Re:"Cybersecurity?" by HiThere · · Score: 2

      Which is why I often think that the first class in university computing should be assembler. Possibly MIX or some other really simple virtual machine. (What I'd really like is a virtual IBM 7090, or possibly a bit earlier in that series, but I've never seen one. A virtual Apple ][ would also be good, the i6502 was a nice simple machine. But Apple would probably complain, while the IBM 7090 is out of trademark and patent protection.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:"Cybersecurity?" by __aaclcg7560 · · Score: 2

      A virtual Apple ][ would also be good, the i6502 was a nice simple machine. But Apple would probably complain, while the IBM 7090 is out of trademark and patent protection.

      The 8-bit computers are still popular with electronic and programming hobbyists. Here are links for the Apple ][ emulator and Apple DOS source code.

      http://www.lampefamily.us/jonathan/applepc_emulator/
      http://www.computerhistory.org/atchm/apple-ii-dos-source-code/

    5. Re:"Cybersecurity?" by __aaclcg7560 · · Score: 2

      However, it is the concern of Information Technology which is a distinct discipline to CS and should not be conflated.

      The Fortune 500 companies I worked for have policies that prohibit help desk and desktop techs from remotely turning on a workstation for a user. Most of the time these policies apply to users who are working from home and have a secondary workstation that's turned off. It's not IT's job to turn on their computers. If a newly hired CS graduate doesn't know how to turn on a workstation (most have a power button in front), he can sit around and do nothing. It's an HR problem, not an IT problem.

  4. What was the purpose of the study? by kuperman · · Score: 5, Insightful

    As a college professor and computer security researcher, this tidbit certainly caught my eye. There is a growing awareness of computer security and many schools will push the content throughout the curriculum. See the ACM's Computer Science Curricula 2013 for content areas and possible implementations.

    Looking at the article, the final paragraph explains some things:

    CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.

    So, a company I've never heard of issues a press release that they did a "study" (i.e., hired a consultant to look through college course catalogs) that there is a lack in "cybersecurity education" (without actually testing what graduates of those programs know). And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.

    I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.

    1. Re:What was the purpose of the study? by geek · · Score: 2, Informative

      You aren't being cynical. This is dead on. I work as a threat intelligence analyst and engineer for a Fortune 500 IT department. We have a revolving door of products sold to us in just this way that our exec team falls for. The cyber security biz is rife with snake oil salesmen selling the latest and greatest. I showed my CSO just how bad it was by bringing him into 5 different vendor meetings where we were sold the same exact buzz word salad "They're already in your network! The average detection takes 18 months!" etc etc.

      Most of it is bullshit. Luckily I have a new CTO that gets it. Now maybe we can spend less money on vendors and contractors and more on our existing personnel.

  5. There's little point to such a course. by shess · · Score: 3, Interesting

    I'm entirely serious. I've been blessed to work with some of the best software engineers in industry for a few decades, now, and I have come to the conclusion that security is simply a very hard problem, right there with locking and storing data. Talented engineers routinely write themselves insecure code and defend their code when you point out the problems, right up until you describe how to break it. At the university level, very few students will have the experience necessary to understand security issues except as a theoretical problem which likely happens to other people. Industry would receive far more benefit from things like courses on code testing.

  6. Because "professors" don't have a clue about it. by Lumpy · · Score: 2

    Cybersecurity experts are NOT professors with multiple PhDs. It's a waste of time to learn anything but the basics from those guys at unholy high dollars per hour colleges charge.

    --
    Do not look at laser with remaining good eye.
  7. Alarming? Perhaps not. by mlookaba · · Score: 3, Insightful

    "The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate."

    This is an excellent example of tailoring a news story to fit a goal. One university (Alabama) requires three security classes to graduate, so that was picked as the benchmark, and obviously all other schools would fall short. Nothing newsworthy was imparted by that little bit of information.

    Computer security certainly is an issue, but it won't be solved by college classes, for the same reason that time/date and character encoding issues will persist until the end of time. Sorry guys.

  8. Computer Science vs. Software Engineering by blindseer · · Score: 3, Insightful

    I believe that many misunderstand what computer science is and has been in the past. A "science" is an organized study of a field, typically the behavior and structure of the elements in that field. Therefore computer science is a rigorous study of how computers work, should work, could work in the future, and the physics and mathematics behind it. It's a field of applied math and physics. This also means many specializations within that field. One may want to study the mathematical difficulty of an encryption algorithm, or the ability to detect the information transmitted down a data path by an outside observer, both with implications on security but not necessarily a "cybersecurity" study.

    Software engineering is the application of the engineering process to develop quality software. This includes a background in computer science to some extent but not to the rigor that a computer scientist might get. This would include the study of possible failure points and the means to mitigate them. In this field one might think that a class on "cybersecurity" should be taken since a quality software product should be secure, or one might assume that people would be taught that checking data inputs and outputs, and moving data in a way that could not be seen and/or altered by an outside entity as a basic premise of writing software correctly.

    I took computer engineering in college some time ago. I'm now back in college part time because I realized that my education from then did not include a lot of things that have changed since then. One big change is that "software engineering" was not a common term or even a field of study then. My first time through college I had a lot of computer science students in my classes because there was a lot of crossover in course requirements between computer engineering and computer science. I realized real quick that while I was taking classes on the engineering process the computer science people were taking a foreign language. While I was taking a math course on numerical calculus the computer science students were taking history.

    Computer science is a liberal arts program, or at least is in most every university I've seen, and therefore it meets the requirements of a typical liberal arts program. They study a wide variety of fields with an emphasis on the ways a computer works. If you want to see people learn how to write quality software then they need to get an engineering education.

    Don't get me wrong, I've seen computer science majors write very good software, and I've seen engineers fail badly. I'm saying let computer science be computer science. If we make computer scientists take cybersecurity courses then we distract from people that take computer science to become historians, algorithm gurus, professors, and mathematicians. Roll cybersecurity into every software engineering class in a university. If a student declares a variable as globally accessible when it should not then that student should lose points on their assignment. If a student does not check the bounds of an input then dock points. If a student doesn't allocate and clear memory properly, points lost. Properly engineered software is inherently secure.

    I think that a lack of a cybersecurity course requirement in computer science programs is not a bug, it's a feature. If you want to discuss the lack of cybersecurity in software engineering programs then I'll listen.

    --
    I am armed because I am free. I am free because I am armed.
  9. Re:defense !== offense by __aaclcg7560 · · Score: 2

    [...] any joker that can pass a security clearance [...]

    I'm going to guess that you never had a government security clearance. When I got my government IT job, my two-hour investigative background interview lasted four hours because of two potential red flags. The first red flag was that I lived in the same apartment for 10+ years. Most people on average moved every few years. The second red flag was working multiple jobs for seven days a week for two years after being unemployed for two years (2009-2010), underemployed for six months (working 20 hours per month), and filing for chapter seven bankruptcy in 2011. If you have more than one job at a time, you must have money problems. So the 20+ contract jobs that lasted one day to nine months during that time had to be checked out by the government.

    As for the jokers who got through the process, started work and thought they could slack off because it was a "gubermint" job, they were quickly fired and shocked to find themselves unemployed. Most of my coworkers are ex-military with zero tolerance for slackers.

  10. US Navy Seeks Cyber Warfare Engineers by blindseer · · Score: 2

    At the university I was e-mailed a flyer on how the US Navy is recruiting students in computer science and related fields into an officer program in their cyber warfare division. This indicates to me that they will offer training in cyber security to those that qualify.

    This also indicates to me that many other employers understand that cyber security is not part of a typical undergraduate CS program, and will teach those people on the job if that is a required skill. I recall talking to recruiters for big businesses on what they look for in software developers, and they want engineers. A computer science major might know a lot of programming languages and so on but learning another programming language is something that can be done easily on the job. What is difficult for recruiters is finding people with a good grasp of proper engineering and enough math to understand how to make a computer do what needs to be done efficiently.

    Seems to me that cyber security should lie in the realm of on the job training and/or graduate school. Also, students that learn good programming technique should be writing inherently secure software. Things like good memory management, properly protecting variables, and well documented code should make a program secure.

    Another thing is that there is a lot of code written to perform relatively trivial tasks where security is simply not a concern. Code on embedded systems just doesn't have any attack vectors, or if it does it's a matter of things like you have to "reboot" a child's toy because it got stuck in an infinite loop. Code written for industry will be used by people which one would hope are trained in its use. This code may have to allow for things that might be "insecure" for work to get done. If the person using "insecure" code ends up making a welding robot weld its own arm to the floor then it's the operator to blame.

    --
    I am armed because I am free. I am free because I am armed.
  11. Most CS programs skip SQL by EmperorOfCanada · · Score: 2

    Keep in mind that most CS programs tend to be run with a bit of a revulsion to practical things. They argue that practical is the realm of CE not CS. Thus there will be classes in database design, as in how the guts of a data store will work, but nothing much on practical database usage. The theory (and not terribly wrong) is that by learning the guts it should be easy to learn the practical, if needed.

    For me I would rather learn both as then the guts of the matter have some practical knowledge that might help it stick.

    So it is no surprise that few teach practical cybersecurity, they probably do cover crypto courses where Diffie Hellman is examined in great detail.

    My simple complaint is that few recent CS grads that I have met really can deliver useful code in quantity. When managing them I often find them reinventing the wheel. I will point to a python library that I want them to use in what should be a 40 line bit of code to do some very straightforward thing and a week later I find them beavering away in Haskell building a "state-machine". They will then argue that Python is too slow where I point out that my estimate is that the code will run every Friday at 3 am, will probably take 20 seconds and yet only needs to be done by opening on Monday. So even if I were to be wrong by a factor of 100 all is still good.

    The code then runs in 8 seconds.

    So while I am not at all shocked by no cybersecurity training, I do wish that minimally the schools would be a bit more practical so as to allow some of the abstract material have something to latch on to.

    1. Re:Most CS programs skip SQL by EmperorOfCanada · · Score: 2

      As your second comment points out this mostly applies to elite students at elite institutions. Yet I see the same problem at both the elite and third rate CS universities.

      My long standing experience is that most of the students who are fantastic programmers were fantastic programmers before they went to school while everyone else is learning about a linked list they are working on their own OS. Or have just submitted their umpteenth contribution to the Linux Kernel. Then they leave the university (potentially before graduating) and end up doing something really strange. Creating some crazy massively parallel processor design for a company that makes fibre optic comm gear. Or you read about them as one of the first employees at some company just bought out by Google for 8 zillion dollars.

      Where I used to live had a 2nd rate university that had a PhD CS program. I knew one of the professors and he would often introduce me to graduate students. I would ask them what they were working on and after they would tell me I would either think (I always kept my mouth closed) "that sounds completely useless", or even more often, "I think I have downloaded that module to play with once."

      It was things like getting a neural net to examine sonar data and find the optimal routing for underwater cables. Or it was totally abstract and was pretty much just really really hard discrete math that would poke some theoretical hole in bitcoin, a hole that I think was already known such as the 50% problem.

  12. Yeah, this. by aussersterne · · Score: 3, Informative

    At least in the CS school I attended, I don't think there were many people that could have "fixed a computer" or "written an application," even amongst the faculty, really. Their job was to answer the question "Can this real-world phenomenon, problem, or pattern be usefully symbolically represented for processing, and if so, how, and with what consequences?" If they were able to answer this question, they'd then toss it over to engineers in the CE department for "Can you design for us an apparatus or a program that carries out this kind of symbolic representation in the interest of computation?"

    Two very separate fields.

    --
    STOP . AMERICA . NOW
  13. Re:I am an unemployed security specialist. by __aaclcg7560 · · Score: 2

    No one is spending any money on security, they just chuck it in as a line item on a job requirements sheet.

    The federal government is spending money on computer security. That's how I got my current job in government IT. So many computers, so many problems. I thank Microsoft every day for my job security.

  14. im-practical by h8sg8s · · Score: 2

    Back in the day, I was taking an undergrad DB design course and asked the professor, "Can you give an example of how the tableau method is generalized in any commercial or open source DB program?" His response was, "Why do you care, we study theory here.." CS academia is so stuck in the clouds of theory that the mere mention of a practical application was reviled. Fast forward [mumble] years and it seems to be that way still.

    --
    Organization? You must be joking..
  15. Um, no shit by rsilvergun · · Score: 2

    Real computer science is just math with computers. This sounds like businesses are tired of having to pay for some extra specialized training they want which has little to no value outside of their exact use case. I'm seeing this a lot with colleges where more and more they exist to get you ready for one very specific job. That'd be peachy if that job lasted 50 years and then you retire but a lot of times it's so highly specialized you might have trouble finding work in a decade. Meanwhile you're still paying off the $100k of student loans it took to get that training.

    When did the general population stop noticing crap like this?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  16. Not wrong, but grads hired as programmers by raymorris · · Score: 3, Interesting

    Absolutely computational theory is a different beast than most programming. HOWEVER, CS graduates don't generally work as theorists. They very often end up working as programmers, systems architects, etc. They come reasonably prepared - CS is certainly better preparation than my last two bosses had - one major in architecture and the other in electrical engineering. If we're going to teach them the fundamentals of programming and information engineering, we might include an awareness of security as part of those fundamentals.

    Also, there's a lot of work to be done on the more theoretical side of security. Because programmers aren't perfect, wouldn't it be nice to have a provable sandbox, to know, based on mathematical proof, that no program run in some context X can possibly access a resource in some other context Y? How about proving that a set of library functions can't have buffer overflows, regardless of their input? Cryptology is of course all about theoretical, mathematical, "prove the computational complexity" type of thinking. It would be awesome to have an implementation of key exchange that's PROVEN correct.

  17. Provable sandbox, or any provable security (librar by raymorris · · Score: 2

    Here's a hard problem that's very much in demand right now, that's 100% comp sci. Given that day-to-day programmers are in fact not perfect, it would be awesome for them to have provably secure libraries. Library functions that CAN'T result in a buffer overflow or underflow, for example.

    You want a grander problem? How about a provably secure sandbox? We've seen how "engineered" sandboxes such as Flash, Java, and Android have worked out. Designing a sandbox that provides/emulates a basic CPU while PROVABLY not allowing access to any resource outside of the sandbox would be a comp sci project that could advance security in a huge way.

  18. Maybe infosec should not be its own discipline? by walterbyrd · · Score: 3, Interesting

    What I mean is, maybe infosec should be part of everything, instead of its own specialization.

    For example, maybe infosec should be part of software development class, and part of a database class, and part of a networking class, and so on?

    Infosec to a network engineer is different than infosec to a Java developer, which is also different from infosec to a system administrator.

  19. The Emperor has no clothes by Cyberpunk+Reality · · Score: 2

    Why would the Establishment want to teach students that the status quo approach to computer security is nothing but lies and failure?

    --
    Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross