Security vendors and training organisations have welcomed plans by the UK government to open a £20m competition along with a new “Institute of Coding”.
The proposals were floated during a speech by UK Chancellor George Osborne on cyber-security and the fight against terrorism at GCHQ on Tuesday, during which he also announced £1.9bn funding for cyber security and a new National Cyber Centre.
Paul Farrington, senior solutions architect at application security firm Veracode, commented: “Our world is run on software – medical devices, finance, IoT, access to knowledge via Internet, etc – so any foundational security training must include the ability to code securely.”
He continued: “The opportunity for young people to gain affirmative training in coding goes beyond just providing them with the ability to design and build, but will give them a greater understanding about the issues and responsibilities that developers face in ensuring that their code remains secure.”
Shortcomings in application security – often caused by coders making well-understood mistakes – are putting consumer and enterprise data at risk. Improving application security training for developers is crucial in closing these gaps.
“Coding vulnerabilities in web applications remain one of the most frequent patterns in confirmed breaches and account for up to 35 per cent of breaches in some industries,” Farrington explained. “Understanding these threats and the security measures that developers must take to ensure they aren’t using exploitable or malicious code is essential to our global cyber hygiene. This was demonstrated earlier this autumn when the XcodeGhost malware infiltrated the Chinese Apple App Store after developers used a local, bootlegged version of Xcode, rather than the original Apple version, which contained the malicious code.”
The £20m competition is being financed through new funding rather than a consolidation of existing programmes. "The funding details will be set out in the spending review next Wednesday," an HM Treasury spokesman told El Reg. "The Institute will be run by the Department for Business Innovation & Skills."
The UK government already has a variety of programmes promoting skills and careers in cyber security, not least the Cyber Security Challenge scheme.
Dr Robert L Nowill, chairman of the Cyber Security Challenge UK, welcomed the initiative as complementary to its own goals and helpful in schooling the next generation of developers in secure coding best practices. The details of how the new Institute of Coding will work, and how it will dovetail with academies of excellence in UK universities, are yet to be worked out. Nonetheless, Nowill is upbeat.
“The Institute will help in educating the next generation of coders by having security principles built into their training,” Nowill told El Reg, adding that an understanding of secure coding practices will tend to make the products they develop much more secure, benefiting consumers and enterprises alike.
The previous Lib-Con coalition government came up with the idea of coding academies but this competition is being set up with fresh funding, according to Nowill.
Dr Adrian Davis, managing director for EMEA of (ISC)2, the security training and certification body, also welcomed the Chancellor’s speech as a strong sign that cyber security was being treated as a UK economic as well as national security priority. Davis praised the emphasis on skills.
“The UK government has been a leader and it's good to see that the UK government continues to recognise that expert capabilities are needed to match the developing threat through the National Cyber Security Strategy and that they are prioritising embedding knowledge at every level of education,” Davis said. “There is a lot of work to do here and we remain committed to being a strong partner in this area of development. I would like to emphasise that this is a need that goes far beyond our own profession and that we need to work to embed cybersecurity across many disciplines, not just develop the experts.”
(ISC)2’s Global Information Security Workforce estimated that there would be a 1.5m shortfall in information security workers worldwide by 2020.
Davis raised concerns that the government’s agenda was too reliant on advice from GCHQ. Broader input from business and professional communities is needed, he argued.
“This is a plan that is all about catalysing action from stakeholders, partners and the broader business community,” Davis said. “While more details are to come, it appears they [the government] continue to defer direct development toward specialist expert capability and technical innovation driven by the very focussed perspective that comes out of GCHQ.
“I am wary of having the management of the entire plan – from law enforcement to business support – centralised within a centre of excellence that reports to GCHQ. GCHQ is a valued and an incredible resource and there is no doubt that the new initiatives will have their value but to really catalyse action and investment, these plans must ensure broader input from the private, business and professional communities.” ®