Stanford Center for Professional Development launches certification program in computer security

By Hannah Hickey

Whether it is heiress Paris Hilton having personal details stolen from a wireless phone or data tapes with customer information disappearing from a Bank of America shipping container, digital security lapses can range from embarrassing incidents to expensive meltdowns.

The Stanford Center for Professional Development (SCPD) has launched an online computer security certificate program to teach software professionals the principles of designing more secure systems. For information about registering, go to http://proed.stanford.edu/?security.

"The number of worms, denial-of-service attacks and system compromises of all kinds have escalated," said course instructor Neil Daswani. Recent statistics show the number of computer viruses increasing exponentially, costing the large American companies surveyed an average of $200,000 last year. And actual costs may be higher. The same FBI-sponsored study indicated that businesses were reporting fewer incidents to avoid negative publicity.

"I think it's time that companies start taking some serious steps to start resolving these issues," Daswani said. Computer engineers in today's workforce are not necessarily armed with the latest security fixes. The Stanford program aims to address that shortcoming.

Launched on March 15, the curriculum is Stanford's first certification program in computer security. Two weeks after it opened, the program already had registered about 25 students, said Carissa Little, SCPD program director.

"There is definitely an interest," Little said.

The certificate program is a sequence of three courses, each of which can be taken on its own. Participants can register for a course at any time; they then have 90 days to complete it on their own schedule. There are no prerequisites but students should have computer-programming experience.

Outsmarting hackers

The three classes offer a hands-on "crash course" in computer security. The first course, Secure Programming Techniques, gives an overview of potential threats and strategies for fortifying digital networkshow to prevent nefarious hacks, detect breaches when they occur, contain security leaks and recover from security failures.

The instruction aims to prevent common hacks like worms, which are small programs that can tunnel into a larger computer program through weak points in the security framework. It also provides advice to thwart some types of denial-of-service attacks, where, for instance, a hacker can delete information in an internal database and block access by customers.

Guarding against hackers can take various forms. The recent case at Bank of America, where data tapes storing more than 2 million government workers' financial information went missing, could have been avoided, Daswani said.

"That kind of breach could have been protected against if those back-up data tapes were encrypted," he explained. "Then, even if the data tapes were missing, the information would not be available, so long as the hacker could not get the key."

Two other more technical courses cover data encryption and how to apply it to building safer systems. Daswani argues that security must be included from the beginning, not by simply patching on a security device to a finished program.

"It's like putting a lock on the door, but then hackers can still get in through the windows or the back screen door," Daswani said.

His course teaches programmers to avoid creating weak spots in their code. For example, Daswani said, the popular "string copy" function in the C++ programming language can make the software vulnerable to attack. Recognizing weak spots means programmers can avoid them, and then they can review their old code to protect it against intruders, ranging from bored teenagers to sophisticated professional thieves.

The Stanford certificate program is targeted at software developers, programmers and managers, especially in the finance and healthcare industries. It is designed for businesses that want to avoid the risk of a major security breach and for developers who want a new skill to set them apart in the job market.

Daswani earned his doctorate in 2004 researching security threats in peer-to-peer networks like Napster, Kazaa and Gnutella. He worked with computer science Professor Hector Garcia-Molina. While at Stanford, Daswani also collaborated with Associate Professor Dan Boneh in Computer Science and Electrical Engineering to develop digital wallets and digital-cash technology. The instructor now works on wireless security for the Japanese cell phone giant, DoCoMo.

This story was written by science-writing intern Hannah Hickey.