RIT, Mykonos partner on innovative web application security training program

As part of the partnership, RIT will use the Mykonos Security Appliance to protect its own web applications from hackers and will use the data obtained from the appliance to train students on web application security.

David Koretz, president and chief executive officer of Mykonos Software, told Infosecurity: “There is not a single required course on web application security for any computer engineering or software program. That’s pretty amazing. Seventy percent of the graduates out there are writing web applications, and yet not one of them has any training even at the basic level on how to protect those applications.”

Koretz explained that the history of security is a “fortress model. The idea was that the networking people own security and their job was to establish a really deep moat…. That is the traditional view of security. So all of the security training went to those guys, the people in the IT and networking programs. All these guys on the networking and IT side were trained on IT security; they were not trained on application security.”

Over the last 10 years, the security environment has shifted but the training programs have not kept up, Koretz said. Web applications have developed, and those applications are connected to an organization’s most sensitive information, he noted.

To address this gap in security education, Mykonos is working with RIT on web application security training. Mykonos donated its Security Appliance to RIT. The appliance traps web application attackers, tags their computer, profiles them to understand their threat level, and then deploys counter-measures to protect the website.

RIT is using the Mykonos Security Appliance in the classroom. “RIT is taking the leadership in becoming the first computing school in the nation in which application security is a core part of what they teach”, Koretz explained.

Bo Yuan, director of RIT’s Center for the Advancement of Research and Education in Information Assurance (CARE-IA), told Infosecurity that the Mykonos Security Appliance “has allowed us to update our computer classes and motivate us to do more cross-departmental cooperation in research and education for application security”.

The CARE-IA director explained that security training at RIT is primarily focused on infrastructure security. “Application security is a weakness in our overall curriculum”, he admitted.

Yuan said he would like to work with Mykonos to expand the application security courses to other technical universities. “I hope that the partnership with Mykonos will set an example for other universities. First of all, based on this partnership, we need to enhance our curriculum. Then, if we can set an example, other universities will be able to follow it”, he said.
