In the February 2011 CACM, George Ledin, Jr. argues in his article "The Growing Harm of Not Teaching Malware" that we need to be teaching all CS undergraduates about malware. He bemoans that, because of the lack of such classes, "This means that we are matriculating computer scientists whose knowledge of malware is roughly on par with that of the general population of amateur computer users." He describes what should be going on in these classes:
"On the technical side, teaching malware requires knowing viruses, worms, Trojans, and rootkits, which obligates teachers to have read their source code, which in turn requires them to have the ability to reverse the binaries, and the facility to launch, run, and infect machines on an isolated subnet. Having read a sufficiently large, representative sampling of historic malware source code then leads to formulating various generalizations to build a theory of malware that can be tested by writing derivative malware, new in a shallow sense but not necessarily innovative."
Why do we need such expertise in malware? Why can't we just fix the problem? Professor Ledin explains:
"The reason we cannot solve the malware problem is simple: We don't have a theory of malware."
I don't have a problem with teaching malware in undergraduate computer science. I do argue strongly that it should be an elective, not a requirement. In the end, I disagree with Professor Ledin over a view of what an undergraduate degree in Computer Science is for.
First, an undergraduate degree is about learning how to think, not inventing new knowledge. Malware experts don't have a theory of malware. Professor Ledin would like undergraduates to invent a theory of malware. Perhaps the undergraduate students at Sonoma State University are much better than the ones I meet, but I don't think most undergraduates can invent a theory better than the existing experts.
Second, and more important to me, the purpose of an undergraduate degree in Computer Science is to teach students about Computer Science, not prepare them to be software professionals. I agree with Jeannette Wing when she wrote: "One can major in computer science and go on to a career in medicine, law, business, politics, any type of science or engineering, and even the arts." It's not at all obvious to me that knowing malware is a critical requirement for any of those careers. I am happy for my doctor, lawyer, businessman, or politician to have only a cursory understanding of malware. Sure, professional software developers should know about malware. It's a fallacy that an undergraduate Computer Science degree is about becoming a professional software developer.