Dailydave mailing list archives

Re: ACM


From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Mon, 10 Jan 2005 11:43:14 +0100

Dave Aitel wrote:
The ACM Communications, a rather prestigious journal in the academic community, I think, has a one page article by a George Ledin Jr. (ledin () sonoma edu) entitled "Not Teaching Viruses and Worms is Harmful". It's worth a read, and it's nice to see an academic on that side of the fence officially, considering most of the industry is watching their bottom line and trying to quash any form of information on the subject they can.

At the Laboratory for Dependable Distributed Systems (http://www-i4.informatik.rwth-aachen.de/lufg/), the point of view is similar. At an upcoming conference, some of the people from our Lab will present the curriculum we offer. The following text is a preview of the paper:

"At university degree level, it is a rule of good academic practice to
teach long-term methodological knowledge instead of short-term system
knowledge. In the area of data security, this has resulted in university
curricula which either tend towards theoretical topics (like
cryptographic protocols or formal modeling of security) or towards
practical topics highlighting defensive strategies (e.g., access control
techniques, firewalls and VPNs). Data security, however, is a field
which is rapidly changing. The new developments like the security
threats in Web-based systems (e.g. SQL injection and cross-site
scripting) or the dangers of so-called botnets are often neglected.
This leaves university graduates with only faint ideas of the
security threats they will face in their professional career. Moreover,
a typical computer science graduate, even if she has specialized in data
security, usually has very little practical experience with the way
\emph{real} systems react in the presence of malice.

We argue that practical experiences with real security failures should
be a central part of university degree level education. Furthermore, our
main claim is that the quality of data security professionals with
university degree can only be improved if \emph{offensive} aspects like
writing exploits or network sniffing are integrated into the curriculum.
From our experience, this combination of practical experiences and
offensive techniques yields graduates that can both (1) improve the
level of security in non-academic contexts and (2) perform high-quality
academic research in the advancement of security engineering principles.
We believe that offensive techniques are central to better understand
the ways in which security systems fail. And there is an increasing
awareness that understanding offensive techniques raises the overall
level of security instead of lowering
it~\cite{farmer:1993:improv_secur_your_site_break_into,Arce:2004:GEI}.

In this paper we present the outline of a two-semester university degree
curriculum that to our mind improves the state of the art in security
education. It consists of two semesters:

* The first semester has three elements: (1) a (traditional) lecture on
data security techniques, (2) a lecture on computer forensics, and (3) a
research seminar on current trends in computer security where students
give a presentation.

* The second semester consists of an extensive practical lab session in
which students apply offensive and defensive techniques within an
isolated test network. The final part of the semester is a two- or three-
week summer school in which advanced attacking techniques are trained
and analyzed.

[...]"

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
