I posted a comment on Robert Scoble's blog today that I wanted to share. It is about university curricula and the balance between practical training and theoretical knowledge. This is a subject I have thought a lot about recently. Scoble was commenting on the lack of security training in university:
I'm hearing stories from interns coming out of college that they never had a class on how to recognize buffer overruns in their code, or how to write secure code. Is this true? Amazing, given the focus in the industry lately.
Yes, Robert, it is true. Even in security courses you will rarely find an in-depth discussion of what a buffer overrun looks like. Or an integer overflow. Or other common vulnerabilities. So are the universities failing to teach the correct material?
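Since the comment above names two bugs without showing them, here is an added example (mine, not part of the original post or Scoble's thread) of what each looks like in C, with a checked version beside it. The function names, the 16-byte buffer and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Buffer overrun, vulnerable form: the copy is unbounded, so any input of
   16 or more bytes writes past the end of name[] into whatever follows it
   on the stack (saved registers, return address). Only ever call this with
   short input; it is here to show the shape of the bug, not to be reused. */
int parse_record_unsafe(const char *input)
{
    char name[16];
    strcpy(name, input);            /* no length check at all */
    return (int)strlen(name);
}

/* Checked form: refuse input that does not fit (including the NUL), and
   copy exactly the bytes that were measured. Returns the copied length,
   or -1 when the caller's buffer is too small. */
int parse_record_safe(const char *input, char *out, size_t out_len)
{
    size_t n = strlen(input);
    if (out_len == 0 || n >= out_len)
        return -1;
    memcpy(out, input, n + 1);      /* n + 1 <= out_len, so this is in bounds */
    return (int)n;
}

/* Integer overflow, vulnerable form: a 32-bit size computation that wraps.
   count = 0x40000001 and elem_size = 4 gives 0x100000004, which truncates
   to 4. An allocator handed that result returns a 4-byte block that the
   caller then fills with 0x40000001 elements: a heap overrun. */
uint32_t table_bytes_unsafe(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;       /* wraps modulo 2^32 */
}

/* Checked form: test for overflow before multiplying. Returns 0 and sets
   *out on success, -1 if count * elem_size would not fit in 32 bits. */
int table_bytes_safe(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

int main(void)
{
    char buf[16];
    uint32_t bytes = 0;

    /* constructed inputs: one that fits, one that does not */
    printf("safe copy of short input: %d\n", parse_record_safe("alice", buf, sizeof buf));
    printf("safe copy of long input:  %d\n",
           parse_record_safe("a-name-longer-than-fifteen-bytes", buf, sizeof buf));

    printf("unsafe size for 0x40000001 x 4: %u\n", table_bytes_unsafe(0x40000001u, 4u));
    printf("safe size for 0x40000001 x 4:   %d\n", table_bytes_safe(0x40000001u, 4u, &bytes));
    printf("safe size for 4 x 4:            %d (%u bytes)\n",
           table_bytes_safe(4u, 4u, &bytes), bytes);
    return 0;
}
```

The point for a classroom is that neither bug is exotic: one is a missing comparison against a buffer size, the other a missing comparison before a multiply, and both are invisible to tests that only use well-formed input.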
Maybe. The issue is that the universities do not teach the practical aspects of writing software. They teach the theoretical aspects of writing software. That is the reason it is called computer science, and not computer programming.
In some senses this is ridiculous: it produces graduates who understand how systems work at a high level, but may not have a good grasp of how they are actually built. However, it also produces graduates who can learn and adapt easily to changes in technology, because they understand the fundamentals. There is a need in this world for both types of people: those who are good with the nuts and bolts, and those who understand the systems as a whole.
That said, I think there is a lot of room in university curricula for more practical components. Basic security exploits and secure code would definitely be one topic. In fact, I'm trying to put together a mini course for my own school in practical aspects that schools often do not teach. So far I do not know where this could fit in, but one of my goals for this summer is to flesh out my plan and see where it might lead.