The Wrong Conversation
This week, GitHub rolled out expanded AI-powered code review features and automated security scanning specifically for educational repositories. The timing is telling: just as Congress holds hearings on AI training data and student privacy, GitHub is quietly addressing a much more immediate threat that nobody's talking about.
While we debate whether ChatGPT should have access to student essays, the learning management systems holding millions of student records are running on codebases that would make a junior developer cringe. We're having the wrong conversation entirely.
The Hidden Crisis
I've audited dozens of ed-tech platforms over the past five years. The pattern is consistent: companies rush to market with MVP learning platforms, then spend years patching security holes and performance issues while promising investors they'll "clean up the code later."
Later never comes.
Consider PowerSchool, which manages data for 45 million students. In 2022, they disclosed a breach affecting 60 school districts. The root cause? A SQL injection vulnerability that should have been caught by basic code review practices. This isn't sophisticated nation-state hacking; it's freshman computer science mistakes in production systems.
Or look at Infinite Campus, used by 8 million students. Their 2021 incident exposed student social security numbers through improperly configured API endpoints. Again, not advanced persistent threats, but fundamental code quality failures.
Why Technical Debt Matters More Than AI Ethics
Here's what keeps me up at night: while administrators debate whether AI tutors are "cheating," their existing platforms are:
- Running on outdated dependencies with known security vulnerabilities
- Using deprecated authentication methods that can be bypassed
- Storing sensitive data in plaintext or with weak encryption
- Lacking proper input validation on user-facing forms
- Missing basic audit trails for data access
These aren't theoretical concerns. Every week, we see new reports of student data breaches that could have been prevented with basic code hygiene.
The irony is sharp: we're worried about AI companies training on public educational content while ignoring that our actual student data repositories are sitting ducks for anyone with basic penetration testing skills.
The Economics of Neglect
Why does this happen? Follow the money.
Ed-tech companies face massive pressure to ship features that impress procurement committees. A smooth demo with flashy AI-powered "personalization" wins contracts. Clean, secure backend code doesn't.
VCs funding these companies optimize for growth metrics, not code quality metrics. Monthly active users matter; cyclomatic complexity doesn't. Revenue run rate matters; technical debt doesn't show up on the P&L until it's too late.
Meanwhile, school districts lack the technical expertise to evaluate code quality during procurement. They can see if the gradebook loads quickly, but they can't assess whether student passwords are stored as salted, slow hashes or whether database queries are assembled from user input and open to injection.
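The two checks mentioned here, and the plaintext storage and input validation items in the list above, are things a reviewer can confirm or refute in minutes. What follows is an added example, not code from the original post or from any of the products named on this page: a student lookup built by string formatting next to its parameterized form, and password storage done with a salted, iterated hash instead of plaintext. The table, the sample rows and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows standing in for a student information system table.
SAMPLE_STUDENTS = [
    (1, "Ada", "111-11-1111"),
    (2, "Grace", "222-22-2222"),
    (3, "Linus", "333-33-3333"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with a minimal (constructed) students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_STUDENTS)
    return conn


def find_student_vulnerable(conn: sqlite3.Connection, student_id: str) -> list:
    """The anti-pattern: request input is pasted into the SQL text, so the
    database parses whatever the caller sends as part of the query."""
    query = f"SELECT id, name, ssn FROM students WHERE id = {student_id}"
    return conn.execute(query).fetchall()


def find_student_safe(conn: sqlite3.Connection, student_id: str) -> list:
    """The fix: the value is bound as a parameter. The query text is fixed,
    so '1 OR 1=1' is compared against the id column as an opaque value and
    matches nothing."""
    query = "SELECT id, name, ssn FROM students WHERE id = ?"
    return conn.execute(query, (student_id,)).fetchall()


# Password storage. A salted, iterated hash is the minimum; the iteration
# count follows the OWASP Password Storage Cheat Sheet figure for
# PBKDF2-HMAC-SHA256 (600,000 at the time of writing).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, work factor, salt, digest.
    Storing the parameters lets the work factor be raised later without
    invalidating existing accounts."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare
    in constant time, so a mismatch leaks no timing information."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def injection_demo() -> tuple:
    """Row counts each query style returns for a classic payload."""
    conn = build_db()
    payload = "1 OR 1=1"
    return (len(find_student_vulnerable(conn, payload)),
            len(find_student_safe(conn, payload)))


if __name__ == "__main__":
    print("rows returned for '1 OR 1=1' (vulnerable, safe):", injection_demo())  # (3, 0)
    record = hash_password("correct horse battery staple")
    print("verify correct:", verify_password(record, "correct horse battery staple"))  # True
    print("verify wrong:", verify_password(record, "Tr0ub4dor&3"))  # False
```

The payload in `injection_demo` is the one every introductory tutorial uses, which is the point: the string-built query hands back every row in the table, the parameterized one hands back none. The password record stores its own algorithm and work factor, so a reviewer can answer "how are passwords hashed?" by reading one row of the users table.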
GitHub's Real Message
GitHub's announcement this week isn't just about new features; it's an acknowledgment that educational codebases need special attention. Their security scanning specifically flags common vulnerabilities in learning management systems and student information platforms.
But here's the catch: automated scanning catches the recognizable patterns (a dependency with a published CVE, a query assembled from request input, a secret committed to the repository). It won't find the logic errors that expose student data through seemingly innocent API endpoints, such as a record lookup that confirms the caller is logged in but never confirms that the caller is allowed to see that particular student. It won't identify the performance bottlenecks that make platforms unusable during peak testing periods.
The real work requires human expertise and a commitment to treating code quality as a first-class concern, not an afterthought.
What Actually Needs to Happen
First, procurement committees need to start asking harder questions. Not "Does your platform use AI?" but "What's your code review process?" Not "How many features do you ship per quarter?" but "What's your policy on dependency updates?"
Second, ed-tech companies need to accept that security and performance aren't features you bolt on later. They're foundational requirements that must be baked into every development decision from day one.
Third, we need industry-wide standards for code quality in educational software. FERPA compliance shouldn't just mean checking boxes about data handling policies; it should require demonstrable code security practices.
Beyond the AI Hype Cycle
The attention on AI in education isn't wrong, but it's incomplete. As we've seen with previous posts like Next.js 14: A Wake-Up Call for Homeschool Developers, new technologies often distract us from fundamental engineering principles.
The platforms we build today will be running student data for the next decade. If we don't get the infrastructure right now, we'll be dealing with security incidents and performance failures long after the current AI hype cycle fades.
The Path Forward
This isn't about being anti-innovation or anti-AI. It's about building educational technology on solid foundations. GitHub's new scanning tools are a good start, but they're just tools. The real solution requires a cultural shift in how we prioritize and fund code quality in educational technology.
At Omega Foundation, we've seen firsthand how focusing on robust, secure infrastructure creates better outcomes for students and reduces long-term costs for institutions. When you're not constantly firefighting security incidents and performance issues, you can actually focus on the educational mission.
The choice is simple: we can continue chasing the latest trends while our foundational systems crumble, or we can do the hard work of building educational technology that actually protects the students it serves.