Microsoft wants universities to teach hacking, secure coding

Microsoft Corp. is working with a number of universities in several countries to set up courses to teach students how to write secure code, the company said today. The University of Leeds in England is the first to announce such a course.

As part of an 11-week module that will start next January, third-year undergraduates at the University of Leeds will be asked to hack into software and fix any security bugs they find, according to Nick Efford, senior teaching fellow at the School of Computing at the university.

"We are going to get our students to think about software in a different way and look at software with a different perspective. We will give them examples of software and will ask them to perform a security audit of it and identify things that are insecure and then ask them to fix the problems," Efford said.

Students will be confronted with security vulnerabilities such as buffer overruns and will learn how to prevent those when writing software. That focus on security in software engineering and the hands-on experience makes the course different from most security classes, which typically focus on network security and cryptography, according to Efford.

Microsoft is partly funding Efford's fellowship and is helping with the curriculum's content. The software maker is in talks with other universities on similar programs, said Stuart Okin, chief security officer at Microsoft in the U.K.

"We are talking to a number of universities in the U.S.," he said. "I hope ... in a few years' time, every computing course is teaching some part of writing secure code."

Microsoft's university program is closely linked to its Trustworthy Computing initiative, its companywide focus on securing its products, which was launched early last year. As part of that initiative, Microsoft halted the development work of thousands of software engineers for 10 weeks to train them to look at software the way hackers do.

Okin would like to see all software vendors share their knowledge with academic institutions so that future programmers have better security knowledge. "The software industry as a whole will want to take on people who have this skill set," he said.

Microsoft's sponsorship of the University of Leeds course doesn't mean students will work only with Microsoft technology, Efford said. "We are not focusing exclusively on any one vendor's technology. We have to equip our students with broad knowledge," he said.

Okin agreed: "We need to get input from others as well. Clearly, there is no point in these undergraduates learning only about Microsoft technology. We need a broad approach."

Copyright © 2003 IDG Communications, Inc.

Shop Tech Products at Amazon