Dailydave mailing list archives
Re: ACM
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Mon, 10 Jan 2005 11:43:14 +0100
Dave Aitel wrote:
The ACM Communications, a rather prestigious journal in the academic community, I think, has a one page article by a George Ledin Jr. (ledin () sonoma edu) entitled "Not Teaching Viruses and Worms is Harmful". It's worth a read, and it's nice to see an academic on that side of the fence officially, considering most of the industry is watching their bottom line and trying to quash any form of information on the subject they can.
At the Laboratory for Dependable Distributed Systems (http://www-i4.informatik.rwth-aachen.de/lufg/), the point of view is similar. At an upcoming conference, some of the people from our Lab will present the curriculum we offer. The following text is a preview of the paper:
"At university degree level, it is a rule of good academic practice to teach long-term methodological knowledge instead of short-term system knowledge. In the area of data security, this has resulted in university curricula which either tend towards theoretical topics (like cryptographic protocols or formal modeling of security) or towards practical topics highlighting defensive strategies (e.g., access control techniques, firewalls and VPNs). Data security, however, is a field which is rapidly changing. The new developments like the security threats in Web-based systems (e.g. SQL injection and cross-site scripting) or the dangers of so-called botnets are often neglected. This leaves university graduates with only faint ideas of the security threats they will face in their professional career. Moreover, a typical computer science graduate, even if she has specialized in data security, usually has very little practical experience with the way \emph{real} systems react in the presence of malice. We argue that practical experiences with real security failures should be a central part of university degree level education. Furthermore, our main claim is that the quality of data security professionals with university degree can only be improved if \emph{offensive} aspects like writing exploits or network sniffing are integrated into the curriculum. From our experience, this combination of practical experiences and offensive techniques yields graduates that can both (1) improve the level of security in non-academic contexts and (2) perform high-quality academic research in the advancement of security engineering principles. We believe that offensive techniques are central to better understand the ways in which security systems fail. And there is an increasing awareness that understanding offensive techniques raises the overall level of security instead of lowering it~\cite{farmer:1993:improv_secur_your_site_break_into,Arce:2004:GEI}.
In this paper we present the outline of a two-semester university degree curriculum that to our mind improves the state of the art in security education. It consists of two semesters:
* The first semester has three elements: (1) a (traditional) lecture on data security techniques, (2) a lecture on computer forensics, and (3) a research seminar on current trends in computer security where students give a presentation.
* The second semester consists of an extensive practical lab session in which students apply offensive and defensive techniques within an isolated test network. The final part of the semester is a two or three week Summerschool in which advanced attacking techniques are trained and analyzed.
[...]"