Some people like to point at a system that is broken and say, "Yup, it's broken all right." Others, such as Mary Ann Davidson, CSO of Oracle, like to try to do something about it. In her blog posting titled "The Supply Chain Problem", she outlines several problems with the teaching and learning process at colleges and universities with respect to software security. Oracle, and several other companies, are frustrated that they have to spend time and money teaching new programmers how to code securely. Why aren't programmers coming out of college with the knowledge they need to write secure code? The answer is largely due to the current academic culture, and clearly teaching one computer science course in security across an entire program is not the answer. Influencing the entire curriculum to teach people how to create programs that do not have security problems, now we're on to something! She makes some excellent parallels, such as the only way to learn a language is to immerse yourself in it. I strongly encourage you to take some time to read this article, as it provides insight into some of the most fundamental problems we face in securing our infrastructure and offers some ways to fix them. Finally, I wanted to point out efforts made by the SANS Institute in this arena. They have developed the Software Security Institute, which aims to provide tools to measure a programmer's ability to code securely, identify gaps in their secure coding knowledge, and allow employers to evaluate skill sets in the area of secure coding. Most relevant to the article above is their goal of "Provid[ing] incentive for universities to include secure coding in required computer science, engineering, and programming courses." They offer free practice tests among other resources, so check it out!