Research Insights

Key Stakeholders

  • Students, college-aged, going into SWE / Data Science / Cybersecurity
  • Professors in computer science / informatics departments
    • INFO 442 Professor
    • INFO Software Architecture Lecturer
    • Cybersecurity Professor
  • Industry professionals in cloud computing and software engineering

Survey - Students

  • 24 responses
  • 12 computer science majors
  • 12 Informatics majors
  • Year of study varied

Interviewees - Students

  • B - 1st year grad student in cybersecurity at NYU
  • S - 4th year Informatics student in UXR/PM/Data
  • R - 4th year Informatics student in software engineering
  • R - 4th year Informatics student with a data science minor, in data
  • A - 2nd year computer science student in software engineering

Research Notes

Full Survey Notes

  • 70% know about DevSecOps but have never used it
  • 35% have used CI/CD in previous projects, but not proficient
  • 30% have heard of it but never used it
  • 83% have not taken classes on either
    • They don’t know about the classes
    • Classes are not offered on a regular basis
  • Learning through
    • YouTube
    • Previous internships
  • 57% have not used external resources to learn about DevSecOps or CI/CD
  • No one was very confident in this
  • Overall, 92% think it is important for this to be taught in school
  • 52% are not confident at all in applying these concepts in industry
  • Quotes
    • “I feel like these topics are very application based and are best learned through internships/jobs.”
    • “Lack of practice and guidance”
    • “The whole process can be confusing but it is mainly because there aren’t enough resources to teach that stuff”
    • “I feel like my major (Informatics) does a poor job of preparing aspiring professionals to go into the tech world, especially related to development. There are very few classes that I can name that teach these core concepts for DevSecOps, cloud computing/software, and CI/CD. We often have to supplement it with outside resources, which take up a lot of time and aren’t nearly as effective as taking them in a classroom setting.”
    • “We still are in an environment where security is very new and people still don’t want to adopt it, so in terms of classes, classes don’t really put an emphasis on security or just brush over DevSecOps when teaching students how to program or when teaching them a new technical skill”
    • “Well, I feel like there aren’t any classes that are tailored toward using CI/CD, and likewise for DevSecOps exclusively as far as I know.”

Full Interview Notes

  • B - grad student in cybersecurity
    • Mostly 2s on tools, some 4s (code packaging tools); 2 = not confident on tools
    • Never took classes on it because not interested in DevOps
    • INFO 310 / 340 / 330 glossed over
    • TryHackMe
    • Hack The Box
    • Coursera / Udemy – typical, other platforms might be more focused
    • Leading to a new wave of programmers / devs going out into industry and creating more vulnerabilities (not teaching DevSecOps)
    • Guided practice
    • LinkedIn/Reddit are good resources. Google can be too ad-focused
    • Sometimes difficult to find connection between reading about it and seeing it implemented
    • Talking to friends in SWE - classes require it - used security people to deal with that - but if we teach everyone from the beginning to implement it, makes everything a whole lot safer and more secure, and better! Less work
  • R - senior in informatics, software engineering focus
    • Confidence - I felt like I had to relearn a lot of coding practices when I was in both internships
    • Had to relearn a lot of core concepts in internship
    • Wasn’t really required in core curriculum - personally I just didn’t learn about the fact that those classes existed until I was well into my junior year - then at that point - I don’t really have that much time to take more classes - very done with info, focusing on minor
    • Amazon provided a whole training
    • CI/CD talked about in internship
    • Never taken 310, but 442, 441, 443 classes go over CI/CD
    • Mostly 2s and 3s - some 4s on platforms (not confident)
    • Never heard those terms before - I kinda understand the practices associated with them but never heard those specific terms in particular
    • Would look at YouTube first, Google
    • Personally - I learn best with both video and an example
    • Not confident applying knowledge
    • All code I have is really small scale for school projects - would be hard to apply principles that are meant to be used at scale for something smaller
    • Wish DevSecOps was taught in classes
    • Yes 100% - would probably have saved me a lot of time in my internships if I had known some more principles going in
  • A - Sophomore in software engineering, CS major
    • All tools - 1-3 - lot of familiarity but not usage
    • Coursera / Udemy - very do this, but not do it well
    • No courses teach this explicitly - pick it up along the way
    • Each company has own workflow - wouldn’t I have to relearn it
    • Every company has own unique security vulnerability in tech stack
    • No, wouldn’t feel confident diving straight in, especially with something as important as security
    • Would look up API to check documentation for vulnerabilities
    • On Google - get content out of date, bad answers
    • Read a book on it
    • Interactive labs in class setting - as homework sure - of course - all programming homeworks should be written basically - implementation
    • 1-2 confidence level in applying concepts
    • Important to integrate into curriculum - but they do CI/CD pretty well already
    • Cryptography, more theoretical, not towards industry use
    • Dimly aware of classes

Professor Interview Notes - A

  • Class topics covered
    • Start out with words, vocab that’s used in the industry for better communication. Huge piece that was missing for new grads who didn’t understand the vocab used in the industry related to architecture.
    • Second half, design patterns, zooming back in, specific patterns you would see in code to make it more maintainable. “Hard to learn as a student, they are not gonna be good at the start, need to practice a lot, something you develop over time.”
  • In-class activities
    • Can’t teach all patterns, practice learning patterns. Some labs - break up into 4 large groups, each group will get a design pattern to learn. Each member will teach other groups one pattern that they learned.
    • Lots of reading, writing, and discussing things. Not a lot of coding.
    • Not a lot of software engineers know automated testing coming into the industry.
  • Taught class twice, things that didn’t go well, changed. Adding a new module - openness. Content needs to be ready to go - make as easy as possible. Demonstrate that the module applies to the course being taught. Server side development class would be a great candidate for CI/CD, DevSecOps. “If you convince the teacher that it’s a good idea to teach something that’s part of their course, and they’re gonna do it.”
  • Challenges to adding a module
    • Professors often do add buffer space. Two lectures of buffer space. Really show the value of it. Make it a concise way, tangible exercises. They might be able to add a week or two worth of content to their existing lecture.
  • Once you get it in the course, they’re going to find out if it fits really well or not. Maybe provide a minimal version you could teach, some expanded stuff for later iterations of their course. Give them the resources, let them figure out what fits or not.

⭐️ Full Insights

Class Availability

  • 83% of survey respondents have not taken classes on either DevSecOps or security.
  • Lack of classes on DevSecOps/security in general; classes offered are not frequent and are more technical/theoretical (cryptography).

Access to Resources

  • 35% of survey respondents have used CI/CD in previous projects, but are not proficient.
  • External resources were utilized by those interested (YouTube, Reddit, LinkedIn, Google, TryHackMe, Hack The Box).

Term Familiarity

  • 70% know about DevSecOps but have never used it.
  • 30% have heard of it but never used it.
  • 52% are not confident at all in applying these concepts in industry.

Importance

  • 92% of survey respondents agree that DevSecOps and CI/CD should be integrated into classes.
  • Almost all respondents believe DevSecOps should be taught in classes or at least integrated into coursework.
  • Many express a low confidence level in applying these concepts, highlighting a clear need for education in this area.

Quotes on Importance

  • “Yes, 100% - it would probably have saved me a lot of time in my internships if I had known some more principles going in.”
  • “It’s important to integrate into the curriculum - they do CI/CD pretty well already.”
  • “[Not teaching them is leading to a new wave of programmers/devs going out] into industry and creating more vulnerabilities (not teaching DevSecOps).”

Tools - Learning / Education

  • Tools ranking and familiarity seem to be higher among those who utilized them in internships, not in classes.
  • Interactive labs and hands-on exercises are highly valued in the learning process, with many students expressing that coding is best learned by doing.
  • Online learning platforms are used but often criticized for not teaching the application of knowledge effectively.

Quotes on Tools and Education

  • “I feel like these topics are very application-based and are best learned through internships/jobs.”
  • “Personally, I learn best with both video and an example.”
  • “All programming homework should be written basically - implementation is key.”

Professor Insights

Professor Interview Notes (cont.)

  • The need for teaching industry vocabulary and concepts is emphasized, with many students lacking understanding when they enter the workforce.
  • Practical application and teaching of design patterns are seen as crucial, yet challenging to implement effectively in the classroom.
  • Automated testing is a skill not commonly possessed by new software engineers, indicating a gap in practical training.

Challenges and Suggestions for Course Integration

  • Professors need to be shown the value of integrating new modules like DevSecOps into their curriculum.
  • Providing concise, tangible exercises and a minimal viable version of the module can encourage adoption.
  • Flexibility in course design is important, allowing educators to see how new content fits and to adjust accordingly.

Git and DevOps in Education

  • Efficient use of Git and understanding of pull requests (PRs) are identified as major areas where new graduates are lacking.
  • DevOps practices, particularly for full-stack engineers, are not well covered, leading to a knowledge gap in the industry.
  • Teaching Git management, including the use of .gitignore files, is suggested as a critical area for improvement in the curriculum.

Industry Feedback

  • Big companies often use their own in-house systems instead of GitHub, which can present a learning curve for new hires.
  • The gap between academic training and actual industry requirements is most evident in areas like DevSecOps, indicating an urgent need for curriculum updates.
  • Teaching practical aspects like managing PRs, rebasing, and merging is crucial for preparing students for real-world software development environments.
  • Emphasis on giving students practical exercises that mimic real-world scenarios can significantly improve their readiness for industry challenges.

Conclusions and Recommendations

Addressing the Skills Gap

  • There is a clear need for more comprehensive coverage of DevSecOps and CI/CD in academic curricula to bridge the skills gap.
  • Integrating practical, hands-on training with theoretical learning can enhance students’ understanding and application of these crucial concepts.

Enhancing Classroom Learning

  • Courses should include more interactive labs and coding exercises that reflect real-world scenarios.
  • Collaboration with industry professionals to design course content can ensure relevance and applicability.

Improving Resource Accessibility

  • More accessible and updated resources on DevSecOps and CI/CD should be made available to students.
  • Online platforms, while useful, need to focus more on practical application rather than just theoretical knowledge.

Encouraging Industry-Academia Collaboration

  • Facilitating stronger connections between academia and industry can help align educational content with current industry practices and needs.
  • Guest lectures and workshops by industry professionals can provide valuable insights and practical knowledge to students.

Future Steps

  • Continuous evaluation and update of the curriculum are necessary to keep pace with the rapidly evolving tech landscape.
  • Gathering feedback from both students and industry professionals post-implementation can guide future improvements in the curriculum.