Full Report
We were invited to speak at the recent ISSA2009 conference in Joburg, a local mostly academic security conference and I decided to carry a message in addition to the regular demo-style talk with which we try to entertain. By co-incidence, Haroon also had his peer-reviewed talk on Apple Exploitation Defences accepted so there were two SensePosters talking to the tweed jackets. I figured the most important bit of the presentation should be mentioned first, so before we carry on I’d like to present our attacker:
Analysis Summary
# Main Topic
The primary focus is advocating for increased and improved security education, specifically regarding secure software design and coding practices, within undergraduate Computer Science and related university curricula, particularly in the local (South African) academic environment, as presented at the ISSA2009 conference.
## Key Points
- The author and a colleague (Haroon) presented at ISSA2009, with one talk focusing on Apple Exploitation Defences and the main message centered on educational shortcomings in software security.
- A brief local survey indicated a lack of explicit security coverage in undergraduate computer science courses compared to topics like compilers or AI.
- Developers entering the industry often lack foundational knowledge on designing, building, or analyzing secure applications, leading to security being treated reactively ("bolted-on knowledge").
- Secure coding fundamentals should be taught as part of formal education, similar to how concepts like parallel programming are taught, enabling developers to rigorously consider security implications.
- A "wishlist" of basic security topics deemed necessary for undergraduates was presented to serve as a starting point for curriculum integration.
## Threat Actors
- Not explicitly applicable in the context of a threat actor narrative. The discussion is focused on the lack of mitigation knowledge among **software developers** who become potential vectors for insecure deployments.
## TTPs
The summary focuses on the *absence* of knowledge regarding defensive TTPs, but outlines what developers who *should* be educated on include:
- Common attack vectors (exposure required).
- Secure coding techniques (e.g., never trusting user input).
- Developing capability in pen-and-paper analysis (Threat modeling, Attack Trees).
- Understanding destructive testing concepts.
- Integrating security into the Software Development Life Cycle (SDLC).
## Affected Systems
- The immediate "affected systems" relate to **general software applications** developed by graduates lacking foundational security awareness.
- Specific technologies highlighted for defensive coding knowledge include applications related to **X.509 certificates** (though the critique was that the local curriculum surprisingly focused *too much* on this without covering broader secure coding principles).
## Mitigations
The core mitigation is the formal integration of security education into university degrees. The proposed academic checklist includes:
1. **Secure coding techniques:** Never trusting user input, exposure to common attack vectors, and assertion/return-code checking.
2. **Pen-and-paper analysis:** Threat modeling and attack trees.
3. **Destructive testing.**
4. **SDLC modifications** for incorporating security.
5. **Security libraries**.
## Conclusion
There is a significant gap between current academic output in local computer science departments and the practical security knowledge required by the software industry. To foster a generation capable of building secure software from the ground up, universities must integrate fundamental security education—covering threat modeling, secure coding patterns, and SDLC modification—into core undergraduate programs rather than relying solely on ad-hoc industry training.
---
*Note: No concrete technical Indicators of Compromise (IoCs) or specific actor attribution/TTPs related to a cyber attack were present in the provided context, as the article focuses on an educational advocacy message presented at a conference.*