"The missing ingredient in software security: grassroots education"


David A. Wheeler
 

All, FYI, I just posted an opinion piece (by me) in TEISS titled
"The missing ingredient in software security: grassroots education"
https://www.teiss.co.uk/news/the-missing-ingredient-in-software-security-grassroots-education

Among other things the article says:
* I was recently asked, “what’s the role of grassroots education in developing secure software and securing software supply chains?” My answer is “none, because we lack grass.”
* “Grassroots education” implies ordinary practitioners teaching their peers, like grass spreading from its roots across an area once it has grown in one part of the area. Grassroots education can be effective when information is widely but not universally known.
* There’s just one problem: we lack grass. Relatively few software developers know how to develop secure software, or how to secure their software supply chains. That’s because we don’t teach developers what they need to know.

It then argues for the need for education in many different circumstances, as well as giving a list of the kinds of things that need to be taught. It in particular points to the OpenSSF & the mobilization plan (and thus, by implication, this WG and the Education SIG).

This is all part of our efforts to "get the word out" in different fora... and hopefully gain new participants in the long term. I thought everyone here should know!

Access to this TEISS article is free, but registration is required.

--- David A. Wheeler